Analysis Overview
SHA256
f05388cdf43a0d1a2c044028bae15f37daf248f56f0c90b935a0a1c54531b578
Threat Level: Known bad
The file 2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
xmrig
Cobaltstrike family
Cobalt Strike reflective loader
Xmrig family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-28 00:05
Signatures
Cobalt Strike reflective loader
(1 entry; Description, Indicator, Process and Target all N/A in this export)
Cobaltstrike family
Detects Reflective DLL injection artifacts
(1 entry; Description, Indicator, Process and Target all N/A in this export)
UPX dump on OEP (original entry point)
(1 entry; Description, Indicator, Process and Target all N/A in this export)
XMRig Miner payload
(1 entry; Description, Indicator, Process and Target all N/A in this export)
Xmrig family
UPX packed file
(1 entry; Description, Indicator, Process and Target all N/A in this export)
Unsigned PE
(1 entry; Description, Indicator, Process and Target all N/A in this export)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 00:05
Reported
2024-06-28 00:07
Platform
win7-20240611-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
(21 entries; Description, Indicator, Process and Target all N/A in this export)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
(21 entries; Description, Indicator, Process and Target all N/A in this export)
UPX dump on OEP (original entry point)
(59 entries; Description, Indicator, Process and Target all N/A in this export)
XMRig Miner payload
(61 entries; Description, Indicator, Process and Target all N/A in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AmIFHXM.exe | N/A |
| N/A | N/A | C:\Windows\System\KtnzCzO.exe | N/A |
| N/A | N/A | C:\Windows\System\ozMNUaQ.exe | N/A |
| N/A | N/A | C:\Windows\System\LLiCfdG.exe | N/A |
| N/A | N/A | C:\Windows\System\TZCJWiw.exe | N/A |
| N/A | N/A | C:\Windows\System\uktMksu.exe | N/A |
| N/A | N/A | C:\Windows\System\yOwFeQX.exe | N/A |
| N/A | N/A | C:\Windows\System\ChIESgi.exe | N/A |
| N/A | N/A | C:\Windows\System\mxfYWBr.exe | N/A |
| N/A | N/A | C:\Windows\System\VzJIbAi.exe | N/A |
| N/A | N/A | C:\Windows\System\tPuXsFw.exe | N/A |
| N/A | N/A | C:\Windows\System\CFQeLdh.exe | N/A |
| N/A | N/A | C:\Windows\System\CTiOIiT.exe | N/A |
| N/A | N/A | C:\Windows\System\OgDTiSL.exe | N/A |
| N/A | N/A | C:\Windows\System\WnxErXS.exe | N/A |
| N/A | N/A | C:\Windows\System\RnHFHMt.exe | N/A |
| N/A | N/A | C:\Windows\System\QQUoClO.exe | N/A |
| N/A | N/A | C:\Windows\System\vENbMVM.exe | N/A |
| N/A | N/A | C:\Windows\System\oqETHEn.exe | N/A |
| N/A | N/A | C:\Windows\System\djOZiUV.exe | N/A |
| N/A | N/A | C:\Windows\System\QFeoVts.exe | N/A |
Loads dropped DLL
UPX packed file
(59 entries; Description, Indicator, Process and Target all N/A in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\AmIFHXM.exe
C:\Windows\System\AmIFHXM.exe
C:\Windows\System\KtnzCzO.exe
C:\Windows\System\KtnzCzO.exe
C:\Windows\System\ozMNUaQ.exe
C:\Windows\System\ozMNUaQ.exe
C:\Windows\System\LLiCfdG.exe
C:\Windows\System\LLiCfdG.exe
C:\Windows\System\TZCJWiw.exe
C:\Windows\System\TZCJWiw.exe
C:\Windows\System\uktMksu.exe
C:\Windows\System\uktMksu.exe
C:\Windows\System\yOwFeQX.exe
C:\Windows\System\yOwFeQX.exe
C:\Windows\System\ChIESgi.exe
C:\Windows\System\ChIESgi.exe
C:\Windows\System\mxfYWBr.exe
C:\Windows\System\mxfYWBr.exe
C:\Windows\System\VzJIbAi.exe
C:\Windows\System\VzJIbAi.exe
C:\Windows\System\tPuXsFw.exe
C:\Windows\System\tPuXsFw.exe
C:\Windows\System\CFQeLdh.exe
C:\Windows\System\CFQeLdh.exe
C:\Windows\System\CTiOIiT.exe
C:\Windows\System\CTiOIiT.exe
C:\Windows\System\OgDTiSL.exe
C:\Windows\System\OgDTiSL.exe
C:\Windows\System\RnHFHMt.exe
C:\Windows\System\RnHFHMt.exe
C:\Windows\System\WnxErXS.exe
C:\Windows\System\WnxErXS.exe
C:\Windows\System\QQUoClO.exe
C:\Windows\System\QQUoClO.exe
C:\Windows\System\vENbMVM.exe
C:\Windows\System\vENbMVM.exe
C:\Windows\System\oqETHEn.exe
C:\Windows\System\oqETHEn.exe
C:\Windows\System\djOZiUV.exe
C:\Windows\System\djOZiUV.exe
C:\Windows\System\QFeoVts.exe
C:\Windows\System\QFeoVts.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2312-0-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2312-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\AmIFHXM.exe
| MD5 | dd7a5bc3f6731f507532219539a3023b |
| SHA1 | 7ada8ed66fe65949dd31e4131c176c63b034a88f |
| SHA256 | 6e59326f057ed34ec83a49a3a46c5cd04d55405846bddf4270318824ef398fa5 |
| SHA512 | 97fe9b0ed5f6d69319c291405ea209baa918b95bc9f03f5a2bdec7253a255b5c920860796c5ade225c066b297cec8f4fa4422a240ddd6150eeaf78c46dd2f6bb |
C:\Windows\system\KtnzCzO.exe
| MD5 | ef096a231130c1303f78de3b727c6a9b |
| SHA1 | e11fe955dd2d103dca264119ad919ba843c2f745 |
| SHA256 | 168b302617a60abe4bb1b85972c1c43fc49b4127f8aa17977ddcf1d4bdd540b2 |
| SHA512 | 35a592a0e35f278f1682d1e73bd102d3dc445c8bce917ff288471632f1a9c2081ba578e4ee499b7d153881b0ddd5e4671eab93b1fdc63b04412dcaaa5a9e57af |
\Windows\system\ozMNUaQ.exe
| MD5 | 2e0c0c7b8c75282633391d679087c90f |
| SHA1 | f2f62a53d06f51ad616394b70ca063d5968b1d82 |
| SHA256 | b394922c926a1bb5f57164e75ee8c72c9c8899ce7b0c5bcd62ae91957021c797 |
| SHA512 | c8f242c496d308e2048afcd74489bbd43530502ee3498809c3253bc7f5d6da5cab8300a891c6a86fa8dfa37d41e9ffb0f74590ef55f3035f52efd87bb1858f79 |
memory/2312-25-0x000000013F3B0000-0x000000013F704000-memory.dmp
\Windows\system\TZCJWiw.exe
| MD5 | 55bcb11d35054c88ffe8687d03000ac0 |
| SHA1 | 7d65072a3b2e40032ccf1bdc86b611ca65c0ea9c |
| SHA256 | 665aab2b9daf77f7fa17470d319a78c7994625ee44808066619074c0f9def981 |
| SHA512 | 9fb8e01535b22063f395bbf12593c804f9c9a9d5916fc699f1755af8367b2e825bec2ee79ebc7b11ee10e7f5d5fca3b11533c0e511c2bd6b2e76643bd498743b |
memory/2312-21-0x0000000002430000-0x0000000002784000-memory.dmp
memory/1688-36-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2008-34-0x000000013FD10000-0x0000000140064000-memory.dmp
C:\Windows\system\uktMksu.exe
| MD5 | c3d1c73bd82842b6f8b6a0beff25d9fb |
| SHA1 | 2038da6baa81a33a00732abbbd7a3c4d7e036f2b |
| SHA256 | 5398c4a918106ae6402997d04b1e335d6f631d3a49d2686bbc8905fab7b2b958 |
| SHA512 | 9a0e390ea8375fba67a1b53f30eb01ae03fb7263e21dab6c9736a732b149caf49561ad5bd176d209433ff4327906e0e830438fa2e52a340c9883517ab4e7dee9 |
memory/2312-41-0x0000000002430000-0x0000000002784000-memory.dmp
memory/2636-42-0x000000013FC50000-0x000000013FFA4000-memory.dmp
C:\Windows\system\ChIESgi.exe
| MD5 | 3fdac4f9b57b8f85dfc80a6f756cc7c0 |
| SHA1 | 217d6aa70ce5bd349ef86b0c35f3106a6eb2a061 |
| SHA256 | c0b7acbb7b52fdd54af9343167c651e858f37e284a65a8291251166ff9d21af9 |
| SHA512 | d1a0ac8cc5b6b7f9d93bca60f0a430198daa08a8ce2353896fdbc5c7ddfb0528a2c8540a845b53e906ea50d3190e5d156f6e1720d4fc85aabb48940aaf026b52 |
memory/2632-57-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2312-52-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2212-69-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/2744-70-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2312-85-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2584-94-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2344-101-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2312-100-0x0000000002430000-0x0000000002784000-memory.dmp
C:\Windows\system\oqETHEn.exe
| MD5 | bf577045d5b9dc534f0aae6999c3191c |
| SHA1 | a264f1210abb387f0215518234786e3a56a35cf1 |
| SHA256 | c4136518f5d809dd11a070e415aa1d46a6d61f6c36797334b720e512ec364475 |
| SHA512 | ac4f5c15ad78c8a2ad6600b86572397ba0a7374d2f163200993f7172f0f5a291b050ce0d6ea4accfb0f2b9c0f68c8be458f56055394da46427408168f1eadac0 |
\Windows\system\QFeoVts.exe
| MD5 | f4318d14c24c63aee7e7d0317755ed5d |
| SHA1 | 6674e72e9e506cf5f8311a7176473d811c8bec4c |
| SHA256 | c213dc2ac3ac9e3abefd7cf2126149612b5bf2f090a1ea7ee606c371bdd937df |
| SHA512 | 2874d542735e8528849ce968bb6c308407603bcde6e10caeaed6bd6a7eaf5d3030189e32181eb818d4005d0f8fd150b00885330524edc625dd6a0e051ea792c1 |
C:\Windows\system\djOZiUV.exe
| MD5 | 90a9fcc86a3aa0e9066d39a940202313 |
| SHA1 | 66e2544f20ace57d9c0449ee39be1e3dff8b3ad7 |
| SHA256 | 0907b145ccd902177cde951903ba36add005d6d982ff63f33611eac0c8c73253 |
| SHA512 | da50a8230c8f242d53cb4146803245806dcad93d1b6c36c5c0dfb574ccb59b3f217664e69dbda5e86586f67c64e8feac32c04e78c70a335ae99e8944b7238ba5 |
C:\Windows\system\QQUoClO.exe
| MD5 | 3568c4e5a878a52dca7bb05867efbca1 |
| SHA1 | 7a9204b70cfd41c4e28c9b0ac9f8da78317a769e |
| SHA256 | fbaee43a0397033ff03ae813f1688a65d2d2234952f33b2d47e6abcb01bb969a |
| SHA512 | 026aca1e8af077f3237c0fc7aa1aa4e0eba00067351dcef5402109a60438d5818ecca56132a9aa634c46247a3261b0c302f8baf3331b03f8f18aacc2dbd12f1e |
C:\Windows\system\RnHFHMt.exe
| MD5 | d83d341bbf3c5e277ab600efd29b244c |
| SHA1 | 38fa9c3ccbd6d18d83048aef1c645de3805bfea6 |
| SHA256 | 1004d81b8108529f682a216777210daac2811ffd42efabfa73de381f8893eea9 |
| SHA512 | 8c9c6a6b9d7f3a3be6225a4d29c2497e1dcaa5b2b68c8e1ee5a6d9f9c731b8e15cdce8cf0e136be2c6d0f46e12aaba030a6ea3e8a660265eec39db2289aba5c3 |
memory/2312-107-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2636-106-0x000000013FC50000-0x000000013FFA4000-memory.dmp
C:\Windows\system\vENbMVM.exe
| MD5 | 6118f8fe1063767319d994a20d92ebd6 |
| SHA1 | ca4ebde8c16319452f2af385ba9b9184c6affcb3 |
| SHA256 | 32f6133b994eb6c8d89ba7cb1f64793f2ded0d03fd63f1e5b0fc1ffdc965c2ea |
| SHA512 | 19598bcab5778056a343c58407b87c012b2b1a8f5e64c0c2aefa7dfd697561ba2fa0c6a20756186c9c7d15e91241f533d0b231fbfc9ae5ad077ccd3a2b8516dd |
C:\Windows\system\WnxErXS.exe
| MD5 | 67dc7e9ea6031deabb56f15061e8e8d5 |
| SHA1 | cf496b65cd87de7da990ab3942790c9f084da754 |
| SHA256 | 84ebfa50b2f0b214970bbaad4151266a441075cb6657df9a97c4216cc7caef0b |
| SHA512 | b9ed72bc829c9b44ffa7d66239b41f6f4549c94f6edd33e48f2a4c0824b18ff64f5d168237f87973d2de74cfa4ad875c3bd1671d281357b28f5a228216f79eb1 |
memory/1688-99-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2312-93-0x0000000002430000-0x0000000002784000-memory.dmp
C:\Windows\system\OgDTiSL.exe
| MD5 | 462c54b01918502a5ed1b474afe48907 |
| SHA1 | 967b5da5e3ccbe1129455f9588022f44cd7b3e80 |
| SHA256 | eba33156debd0b6fd06925bda27a1fbece5a36d2fb8d2bfa9978c19b74cb3559 |
| SHA512 | b9fc3600c7d1e4882714103433e82398d532da70d6266f59a9e989d96026aab20d12c35cfe9620ac5cc65f54d712db0fb88070d64f89c898be5754616f07e30e |
C:\Windows\system\CTiOIiT.exe
| MD5 | 87b3dd1516dba00f2977f84553583d0c |
| SHA1 | a7188940c6e9e4742095522bb754c6af6dd9f429 |
| SHA256 | 1ed5669a3a1aa0636d3b53fd70cdbc08f2710548786b23b85081ca1f4c08deb2 |
| SHA512 | 7119ab66f20a6f29656f4e82000098025b9806b56eb94901c3df285d7372f1dfcc28627ebc81b4732abd50c1aef6b0b3d32d0a7be5b0daf762e961222192dbd7 |
memory/2512-86-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2676-78-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2312-77-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2312-76-0x000000013F3B0000-0x000000013F704000-memory.dmp
C:\Windows\system\tPuXsFw.exe
| MD5 | 4c4ccfc04e6ea5a043fc46df3255d35b |
| SHA1 | 8f2b15dc0ba881dcdc7f216d8da00df5ee702a8e |
| SHA256 | a832c8ff37aedb34fd407faec1f344411a91749d63e9419f71ce20d33da62a48 |
| SHA512 | ed798b5870e51feab14082ad61a699a7dadb118895a7703ba5c9fd729f9a4f3805e31a4523eb89cd737215b84679648bbb91262ad37e0594277403f5f77e4e03 |
C:\Windows\system\CFQeLdh.exe
| MD5 | 7a7c5839632f94e25d84c8f0bd27631d |
| SHA1 | ddf9edac1181f686904c5551bd87a0fc049c2cea |
| SHA256 | 584ad761d5cd6391cb01a81fe01c29c6928a6ab5e09eee574ead7781d17fd604 |
| SHA512 | 6f4f245f157507877d9df39599a12882da8b1523aa14292ba880c932b1798507ecdcac5d901447d7befabfd0f0523245c73a9f10805813a8ecc2dd04a250e6cb |
memory/1424-64-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2312-63-0x000000013FB50000-0x000000013FEA4000-memory.dmp
C:\Windows\system\mxfYWBr.exe
| MD5 | 8552d4493ec0356276df99b5694747dd |
| SHA1 | 129ea6198f076f6213e025392010241f0540244d |
| SHA256 | c2c4a901cb1b38e523d7eea1692a47067c8a87f73c2b450b9a858425b0c78402 |
| SHA512 | ba51f81506abe2747b8483ecfb8a140e2c07eea73eb154d2f879f4438acdb8f67d669772bab1a3f30e6b7c6add39430b8503b36bda2ae8616e9b23af94fb69bf |
memory/2220-68-0x000000013F8D0000-0x000000013FC24000-memory.dmp
C:\Windows\system\VzJIbAi.exe
| MD5 | 221eb3ba97534a15321b657e44f0409f |
| SHA1 | 647e3c6fbcc59fe9ff0cc89dbeacad512802a48a |
| SHA256 | 2d3c0570c6c50968bcabd0e1665b2757485fbef3ee80fb8872957262396d6eee |
| SHA512 | 178ba13488b316b3ba9f67a2f59040c91ae2bc52c2465176c75948d61f0e2c5be6ef0cb2e30f586cfef85139fd76e8ad4ecaf7b3d64d5cd5fe6e4d0f5b5dd086 |
memory/2796-50-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2312-49-0x000000013F5D0000-0x000000013F924000-memory.dmp
C:\Windows\system\yOwFeQX.exe
| MD5 | 7a2fb44900e5550f9026ae7f5559ad76 |
| SHA1 | 8e972f77fe73391cd8eb1c760f716c1ac0cf70a0 |
| SHA256 | c9a96e25e63c93d3a4131e83f1c2eba5067a061302009aaa4b4b31e7a9190b6e |
| SHA512 | 68f52b6d6babd93030182fb9dc5d167f71d2022b2890db9ce3230aa1707c9ae3a75414952f41fc49f381fd8267ed7c24d1c96bb838701f82dd734ac5724adf01 |
memory/1700-32-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2312-31-0x000000013F1B0000-0x000000013F504000-memory.dmp
C:\Windows\system\LLiCfdG.exe
| MD5 | dba357c746d6ba431431c054d4d67aa3 |
| SHA1 | 7eccefe4248a59c1cced2c07700f2fe4d5d7b44e |
| SHA256 | ac7cc97ceccf92bfc3308c4e3df96ca741b63f33a228d8e497b8b40d7de6761f |
| SHA512 | f30858b6ed36da54ef6dff84b1e127bc8657bed6cbe05ed0b87a6cfb14d502e898715515e3f16d1bf8bcb14ed2356010c45b39a308043cfc443c4c3734c08cbb |
memory/2312-26-0x0000000002430000-0x0000000002784000-memory.dmp
memory/2212-20-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/2220-12-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2312-139-0x0000000002430000-0x0000000002784000-memory.dmp
memory/2744-140-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2312-141-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2676-142-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2312-143-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2512-144-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2344-145-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2312-146-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2220-147-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2212-148-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/2008-149-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/1700-150-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/1688-151-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2636-152-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2796-153-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2632-154-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1424-155-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2744-156-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2676-157-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2512-158-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2584-159-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2344-160-0x000000013FD40000-0x0000000140094000-memory.dmp
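The Files, Processes and Network blocks above are what a responder actually needs from this report, but they arrive as loose text: 21 dropped executables with seven-letter mixed-case names under C:\Windows\System, one hash table per file, and repeated TCP connections to 3.120.209.58:8080 in both detonations. The Python below is an added example, not part of this report and not sandbox-vendor tooling. It turns those blocks into IOC records, checks that every hash has the hex length its algorithm requires (a cheap guard against copy-and-paste truncation), and flags paths that fit the seven-letter naming pattern of the drops listed here; that pattern is generalised from the 21 names on this page and is an assumption, as are the line-format rules. SAMPLE copies a few lines verbatim from this report (including a Network row in the shifted-column form seen in the export) plus one clearly labelled constructed entry whose MD5 is deliberately too short. The summary lists TCP endpoints as found without labelling any of them as C2: the 8.8.8.8 lookups and the 52.111.236.23:443 connection appear only in the win10 run and this page does not attribute them to the sample.

```python
"""IOC extraction over the text format of the sandbox report above.

Added example, not part of the original report or of any sandbox vendor's
tooling.  SAMPLE copies a few lines verbatim from the behavioral1/behavioral2
sections of this report plus one constructed entry
(C:\\Windows\\Temp\\constructed.exe) whose MD5 is deliberately too short, so the
hash-length check has something to catch.  The line-format rules below are
assumptions about this export and may need adjusting for other reports.
"""
import re
from dataclasses import dataclass, field

SAMPLE = r"""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| IE | 52.111.236.23:443 | tcp | |
Files
memory/2312-0-0x000000013FB50000-0x000000013FEA4000-memory.dmp
\Windows\system\AmIFHXM.exe
| MD5 | dd7a5bc3f6731f507532219539a3023b |
| SHA1 | 7ada8ed66fe65949dd31e4131c176c63b034a88f |
| SHA256 | 6e59326f057ed34ec83a49a3a46c5cd04d55405846bddf4270318824ef398fa5 |
| SHA512 | 97fe9b0ed5f6d69319c291405ea209baa918b95bc9f03f5a2bdec7253a255b5c920860796c5ade225c066b297cec8f4fa4422a240ddd6150eeaf78c46dd2f6bb |
C:\Windows\system\KtnzCzO.exe
| MD5 | ef096a231130c1303f78de3b727c6a9b |
| SHA1 | e11fe955dd2d103dca264119ad919ba843c2f745 |
| SHA256 | 168b302617a60abe4bb1b85972c1c43fc49b4127f8aa17977ddcf1d4bdd540b2 |
| SHA512 | 35a592a0e35f278f1682d1e73bd102d3dc445c8bce917ff288471632f1a9c2081ba578e4ee499b7d153881b0ddd5e4671eab93b1fdc63b04412dcaaa5a9e57af |
C:\Windows\Temp\constructed.exe
| MD5 | deadbeef |
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\Windows\\[^|]+$")  # dropped-file path lines
DEST_CELL = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
# Naming pattern of the drops listed in this report: seven letters + .exe directly
# under \Windows\System.  Generalised from the 21 names above; an assumption.
RANDOM_SYSTEM_EXE = re.compile(
    r"^(?:[A-Za-z]:)?\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    def hash_errors(self):
        """Names of hash fields whose hex length does not fit the algorithm."""
        return [k for k, v in self.hashes.items() if len(v) != HASH_LEN[k]]


def parse_files(text):
    """Collect each dropped-file path together with the hash rows that follow it."""
    files, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("memory/"):
            continue  # memory-dump artefacts interleaved with the files; not drops
        if PATH_LINE.match(line):
            current = DroppedFile(line)
            files.append(current)
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
    return files


def parse_network(text):
    """Return (ip, port, proto, domain) per Network row.

    Cells are identified by content rather than column position, so the rows
    survive the shifted columns visible in this export."""
    rows = []
    for raw in text.splitlines():
        cells = [c.strip() for c in raw.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        dest = next((c for c in cells if DEST_CELL.match(c)), None)
        if dest is None:
            continue
        proto = next((c for c in cells if c in ("tcp", "udp")), "")
        domain = next((c for c in cells[2:]
                       if c and c not in ("tcp", "udp") and not DEST_CELL.match(c)), "")
        ip, port = dest.rsplit(":", 1)
        rows.append((ip, int(port), proto, domain))
    return rows


def summarize(text):
    """Machine-readable IOC summary of one report section."""
    files = parse_files(text)
    return {
        "sha256": sorted(f.hashes["SHA256"] for f in files if "SHA256" in f.hashes),
        "tcp_endpoints": sorted({(ip, port, proto)
                                 for ip, port, proto, _ in parse_network(text)
                                 if proto == "tcp"}),
        "random_name_drops": [f.path for f in files if RANDOM_SYSTEM_EXE.match(f.path)],
        "hash_errors": {f.path: f.hash_errors() for f in files if f.hash_errors()},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

Feed the whole Files and Network blocks of either detonation to summarize() to get the complete SHA256 list and endpoint set for this sample; the hash_errors entry is the one to check before pasting hashes into a blocklist.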
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 00:05
Reported
2024-06-28 00:07
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
(21 entries; Description, Indicator, Process and Target all N/A in this export)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
(21 entries; Description, Indicator, Process and Target all N/A in this export)
UPX dump on OEP (original entry point)
(64 entries; Description, Indicator, Process and Target all N/A in this export)
XMRig Miner payload
(64 entries; Description, Indicator, Process and Target all N/A in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AmIFHXM.exe | N/A |
| N/A | N/A | C:\Windows\System\KtnzCzO.exe | N/A |
| N/A | N/A | C:\Windows\System\ozMNUaQ.exe | N/A |
| N/A | N/A | C:\Windows\System\LLiCfdG.exe | N/A |
| N/A | N/A | C:\Windows\System\TZCJWiw.exe | N/A |
| N/A | N/A | C:\Windows\System\uktMksu.exe | N/A |
| N/A | N/A | C:\Windows\System\yOwFeQX.exe | N/A |
| N/A | N/A | C:\Windows\System\mxfYWBr.exe | N/A |
| N/A | N/A | C:\Windows\System\ChIESgi.exe | N/A |
| N/A | N/A | C:\Windows\System\VzJIbAi.exe | N/A |
| N/A | N/A | C:\Windows\System\tPuXsFw.exe | N/A |
| N/A | N/A | C:\Windows\System\CFQeLdh.exe | N/A |
| N/A | N/A | C:\Windows\System\CTiOIiT.exe | N/A |
| N/A | N/A | C:\Windows\System\OgDTiSL.exe | N/A |
| N/A | N/A | C:\Windows\System\RnHFHMt.exe | N/A |
| N/A | N/A | C:\Windows\System\WnxErXS.exe | N/A |
| N/A | N/A | C:\Windows\System\QQUoClO.exe | N/A |
| N/A | N/A | C:\Windows\System\vENbMVM.exe | N/A |
| N/A | N/A | C:\Windows\System\oqETHEn.exe | N/A |
| N/A | N/A | C:\Windows\System\djOZiUV.exe | N/A |
| N/A | N/A | C:\Windows\System\QFeoVts.exe | N/A |
UPX packed file
(64 entries; Description, Indicator, Process and Target all N/A in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\AmIFHXM.exe
C:\Windows\System\AmIFHXM.exe
C:\Windows\System\KtnzCzO.exe
C:\Windows\System\KtnzCzO.exe
C:\Windows\System\ozMNUaQ.exe
C:\Windows\System\ozMNUaQ.exe
C:\Windows\System\LLiCfdG.exe
C:\Windows\System\LLiCfdG.exe
C:\Windows\System\TZCJWiw.exe
C:\Windows\System\TZCJWiw.exe
C:\Windows\System\uktMksu.exe
C:\Windows\System\uktMksu.exe
C:\Windows\System\yOwFeQX.exe
C:\Windows\System\yOwFeQX.exe
C:\Windows\System\ChIESgi.exe
C:\Windows\System\ChIESgi.exe
C:\Windows\System\mxfYWBr.exe
C:\Windows\System\mxfYWBr.exe
C:\Windows\System\VzJIbAi.exe
C:\Windows\System\VzJIbAi.exe
C:\Windows\System\tPuXsFw.exe
C:\Windows\System\tPuXsFw.exe
C:\Windows\System\CFQeLdh.exe
C:\Windows\System\CFQeLdh.exe
C:\Windows\System\CTiOIiT.exe
C:\Windows\System\CTiOIiT.exe
C:\Windows\System\OgDTiSL.exe
C:\Windows\System\OgDTiSL.exe
C:\Windows\System\RnHFHMt.exe
C:\Windows\System\RnHFHMt.exe
C:\Windows\System\WnxErXS.exe
C:\Windows\System\WnxErXS.exe
C:\Windows\System\QQUoClO.exe
C:\Windows\System\QQUoClO.exe
C:\Windows\System\vENbMVM.exe
C:\Windows\System\vENbMVM.exe
C:\Windows\System\oqETHEn.exe
C:\Windows\System\oqETHEn.exe
C:\Windows\System\djOZiUV.exe
C:\Windows\System\djOZiUV.exe
C:\Windows\System\QFeoVts.exe
C:\Windows\System\QFeoVts.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| IE | 52.111.236.23:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\AmIFHXM.exe
C:\Windows\System\KtnzCzO.exe
C:\Windows\System\ozMNUaQ.exe
C:\Windows\System\LLiCfdG.exe
C:\Windows\System\TZCJWiw.exe
C:\Windows\System\uktMksu.exe
C:\Windows\System\yOwFeQX.exe
C:\Windows\System\VzJIbAi.exe
C:\Windows\System\ChIESgi.exe
C:\Windows\System\tPuXsFw.exe
C:\Windows\System\mxfYWBr.exe
C:\Windows\System\CFQeLdh.exe
C:\Windows\System\CTiOIiT.exe
C:\Windows\System\RnHFHMt.exe
C:\Windows\System\WnxErXS.exe
C:\Windows\System\QQUoClO.exe
C:\Windows\System\OgDTiSL.exe
C:\Windows\System\QFeoVts.exe
C:\Windows\System\djOZiUV.exe
C:\Windows\System\oqETHEn.exe
C:\Windows\System\vENbMVM.exe