Analysis Overview
SHA256
7e0ad8c2d8110217e8130a8d6cba6fcd287672fb11fda49a0508d5cddde68777
Threat Level: Known bad
The file 2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike family
Detects Reflective DLL injection artifacts
XMRig Miner payload
Cobaltstrike
xmrig
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-28 00:04
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 00:04
Reported
2024-06-28 00:06
Platform
win7-20240611-en
Max time kernel
140s
Max time network
145s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AfIKQkq.exe | N/A |
| N/A | N/A | C:\Windows\System\lSkkmgx.exe | N/A |
| N/A | N/A | C:\Windows\System\rTlZodY.exe | N/A |
| N/A | N/A | C:\Windows\System\RJpBvDA.exe | N/A |
| N/A | N/A | C:\Windows\System\SYqRnmI.exe | N/A |
| N/A | N/A | C:\Windows\System\ORJJRxU.exe | N/A |
| N/A | N/A | C:\Windows\System\YkPibec.exe | N/A |
| N/A | N/A | C:\Windows\System\DVUzMfy.exe | N/A |
| N/A | N/A | C:\Windows\System\UtJfWal.exe | N/A |
| N/A | N/A | C:\Windows\System\vltasxn.exe | N/A |
| N/A | N/A | C:\Windows\System\DVwUCzH.exe | N/A |
| N/A | N/A | C:\Windows\System\LdnpXhe.exe | N/A |
| N/A | N/A | C:\Windows\System\ZTVtEEm.exe | N/A |
| N/A | N/A | C:\Windows\System\NDCJOrc.exe | N/A |
| N/A | N/A | C:\Windows\System\BmsBCoH.exe | N/A |
| N/A | N/A | C:\Windows\System\HiwCTjN.exe | N/A |
| N/A | N/A | C:\Windows\System\UqQajjJ.exe | N/A |
| N/A | N/A | C:\Windows\System\xhskZQj.exe | N/A |
| N/A | N/A | C:\Windows\System\qtQyqvo.exe | N/A |
| N/A | N/A | C:\Windows\System\kauFuMH.exe | N/A |
| N/A | N/A | C:\Windows\System\bmGZnOz.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\AfIKQkq.exe | C:\Windows\System\AfIKQkq.exe |
| C:\Windows\System\lSkkmgx.exe | C:\Windows\System\lSkkmgx.exe |
| C:\Windows\System\rTlZodY.exe | C:\Windows\System\rTlZodY.exe |
| C:\Windows\System\RJpBvDA.exe | C:\Windows\System\RJpBvDA.exe |
| C:\Windows\System\ORJJRxU.exe | C:\Windows\System\ORJJRxU.exe |
| C:\Windows\System\SYqRnmI.exe | C:\Windows\System\SYqRnmI.exe |
| C:\Windows\System\YkPibec.exe | C:\Windows\System\YkPibec.exe |
| C:\Windows\System\DVUzMfy.exe | C:\Windows\System\DVUzMfy.exe |
| C:\Windows\System\UtJfWal.exe | C:\Windows\System\UtJfWal.exe |
| C:\Windows\System\DVwUCzH.exe | C:\Windows\System\DVwUCzH.exe |
| C:\Windows\System\vltasxn.exe | C:\Windows\System\vltasxn.exe |
| C:\Windows\System\ZTVtEEm.exe | C:\Windows\System\ZTVtEEm.exe |
| C:\Windows\System\LdnpXhe.exe | C:\Windows\System\LdnpXhe.exe |
| C:\Windows\System\NDCJOrc.exe | C:\Windows\System\NDCJOrc.exe |
| C:\Windows\System\BmsBCoH.exe | C:\Windows\System\BmsBCoH.exe |
| C:\Windows\System\HiwCTjN.exe | C:\Windows\System\HiwCTjN.exe |
| C:\Windows\System\UqQajjJ.exe | C:\Windows\System\UqQajjJ.exe |
| C:\Windows\System\xhskZQj.exe | C:\Windows\System\xhskZQj.exe |
| C:\Windows\System\qtQyqvo.exe | C:\Windows\System\qtQyqvo.exe |
| C:\Windows\System\kauFuMH.exe | C:\Windows\System\kauFuMH.exe |
| C:\Windows\System\bmGZnOz.exe | C:\Windows\System\bmGZnOz.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 00:04
Reported
2024-06-28 00:06
Platform
win10v2004-20240611-en
Max time kernel
141s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AfIKQkq.exe | N/A |
| N/A | N/A | C:\Windows\System\lSkkmgx.exe | N/A |
| N/A | N/A | C:\Windows\System\rTlZodY.exe | N/A |
| N/A | N/A | C:\Windows\System\RJpBvDA.exe | N/A |
| N/A | N/A | C:\Windows\System\ORJJRxU.exe | N/A |
| N/A | N/A | C:\Windows\System\SYqRnmI.exe | N/A |
| N/A | N/A | C:\Windows\System\YkPibec.exe | N/A |
| N/A | N/A | C:\Windows\System\DVUzMfy.exe | N/A |
| N/A | N/A | C:\Windows\System\UtJfWal.exe | N/A |
| N/A | N/A | C:\Windows\System\DVwUCzH.exe | N/A |
| N/A | N/A | C:\Windows\System\vltasxn.exe | N/A |
| N/A | N/A | C:\Windows\System\ZTVtEEm.exe | N/A |
| N/A | N/A | C:\Windows\System\LdnpXhe.exe | N/A |
| N/A | N/A | C:\Windows\System\NDCJOrc.exe | N/A |
| N/A | N/A | C:\Windows\System\BmsBCoH.exe | N/A |
| N/A | N/A | C:\Windows\System\HiwCTjN.exe | N/A |
| N/A | N/A | C:\Windows\System\UqQajjJ.exe | N/A |
| N/A | N/A | C:\Windows\System\xhskZQj.exe | N/A |
| N/A | N/A | C:\Windows\System\qtQyqvo.exe | N/A |
| N/A | N/A | C:\Windows\System\kauFuMH.exe | N/A |
| N/A | N/A | C:\Windows\System\bmGZnOz.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\AfIKQkq.exe | C:\Windows\System\AfIKQkq.exe |
| C:\Windows\System\lSkkmgx.exe | C:\Windows\System\lSkkmgx.exe |
| C:\Windows\System\rTlZodY.exe | C:\Windows\System\rTlZodY.exe |
| C:\Windows\System\RJpBvDA.exe | C:\Windows\System\RJpBvDA.exe |
| C:\Windows\System\ORJJRxU.exe | C:\Windows\System\ORJJRxU.exe |
| C:\Windows\System\SYqRnmI.exe | C:\Windows\System\SYqRnmI.exe |
| C:\Windows\System\YkPibec.exe | C:\Windows\System\YkPibec.exe |
| C:\Windows\System\DVUzMfy.exe | C:\Windows\System\DVUzMfy.exe |
| C:\Windows\System\UtJfWal.exe | C:\Windows\System\UtJfWal.exe |
| C:\Windows\System\DVwUCzH.exe | C:\Windows\System\DVwUCzH.exe |
| C:\Windows\System\vltasxn.exe | C:\Windows\System\vltasxn.exe |
| C:\Windows\System\ZTVtEEm.exe | C:\Windows\System\ZTVtEEm.exe |
| C:\Windows\System\LdnpXhe.exe | C:\Windows\System\LdnpXhe.exe |
| C:\Windows\System\NDCJOrc.exe | C:\Windows\System\NDCJOrc.exe |
| C:\Windows\System\BmsBCoH.exe | C:\Windows\System\BmsBCoH.exe |
| C:\Windows\System\HiwCTjN.exe | C:\Windows\System\HiwCTjN.exe |
| C:\Windows\System\UqQajjJ.exe | C:\Windows\System\UqQajjJ.exe |
| C:\Windows\System\xhskZQj.exe | C:\Windows\System\xhskZQj.exe |
| C:\Windows\System\qtQyqvo.exe | C:\Windows\System\qtQyqvo.exe |
| C:\Windows\System\kauFuMH.exe | C:\Windows\System\kauFuMH.exe |
| C:\Windows\System\bmGZnOz.exe | C:\Windows\System\bmGZnOz.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
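The report does not say which destination is the command-and-control endpoint, and most rows in the table are environment noise (PTR lookups through 8.8.8.8 and Microsoft CDN traffic). The script below is an added example, not part of the report: it parses the Network table as printed above, drops the noise under a stated heuristic, and counts repeated TCP connections per destination so that the one destination the sample returns to on a non-standard port stands out. The noise rules (8.8.8.8 is the sandbox resolver; in-addr.arpa and bing.net traffic is background) are assumptions about this sandbox, and "repeated connections to one destination" is a beacon heuristic, not a fact the page states.

```python
from collections import Counter

# Rows copied from this report's Network table: Country, Destination, Domain, Proto.
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
"""

# Assumed sandbox resolver; DNS to it is environment traffic, not sample activity.
RESOLVER = "8.8.8.8"


def parse_rows(table):
    """Turn the pipe-delimited table into dicts with host/port split out."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_noise(row):
    """Heuristic noise filter (assumption about this sandbox environment)."""
    if row["host"] == RESOLVER and row["port"] == 53:
        return True                                    # resolver traffic
    if row["domain"].endswith(".in-addr.arpa"):
        return True                                    # reverse lookups
    if row["domain"] == "bing.net" or row["domain"].endswith(".bing.net"):
        return True                                    # Windows/Edge background traffic
    return False


def beacon_candidates(rows):
    """Count TCP connections per (host, port) after removing noise, most frequent first.
    A single destination hit repeatedly on a non-standard port is the beacon heuristic."""
    counts = Counter((r["host"], r["port"])
                     for r in rows if r["proto"] == "tcp" and not is_noise(r))
    return counts.most_common()


if __name__ == "__main__":
    for (host, port), n in beacon_candidates(parse_rows(NETWORK_TABLE)):
        print(f"{n} tcp connections to {host}:{port}")
```

Run against this table the only surviving destination is 3.120.209.58:8080, hit six times; on a real capture the same filter should be followed by checking inter-connection timing, which this table does not record.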
Files
memory/4976-0-0x00007FF6282D0000-0x00007FF628624000-memory.dmp
memory/4976-1-0x000001AA65140000-0x000001AA65150000-memory.dmp
C:\Windows\System\AfIKQkq.exe
| MD5 | a6db5eb50ed8d24cb71292a6f2732398 |
| SHA1 | f65db97485c59d03277a229b957c99a84b6a8f93 |
| SHA256 | 7ff7cdaa1f7ec5836328ad155558aac47e9821d4736e7b93aed71c6650913608 |
| SHA512 | af160d40a059c10f64dba978b1f4953dd7b001dff88377bda7224741ad874dd0d1a25301eff5299abb7e2d52151d4121f457dd4d1adae41c31adddcd7a148bc0 |
C:\Windows\System\lSkkmgx.exe
| MD5 | 4b15ab14a5e348a227fd941223980dc1 |
| SHA1 | 60613033e4848839ca4df24431c3eaac4dd43e89 |
| SHA256 | c970cc52e895ff624f42326938bb1ed3cd7d69a54bee0f351fcd8288fdbaa153 |
| SHA512 | da162a12d7375c6af6137a5c75ba4019c122bd121dda6fe2056a861bc952ff80ce452ca5c05b49a99ddc6502168a33c2e4b3ea3687a348f5ea3386f45de1a0b8 |
C:\Windows\System\rTlZodY.exe
| MD5 | 868ad2d6810b1ec16d62f3634b75d341 |
| SHA1 | 469e5e3384b3a49cca4b63050009f08fc079bfb4 |
| SHA256 | 914dfa62c57c36d4a64446df01fc20c75cec9a8b52534520031040c1b8868512 |
| SHA512 | b512bda4a5c4921a8544add35c22110a50402da7220fc211037307cf5b68af652ca6c7521cda3547ca852fae833b0c694acadb7437b1c68ba69ee380159cb7f8 |
memory/1632-12-0x00007FF722B70000-0x00007FF722EC4000-memory.dmp
memory/1528-14-0x00007FF6AE7B0000-0x00007FF6AEB04000-memory.dmp
memory/4816-20-0x00007FF736C30000-0x00007FF736F84000-memory.dmp
C:\Windows\System\RJpBvDA.exe
| MD5 | d002aaba2bbec53adc84f44de2a67901 |
| SHA1 | 3ce90c916f3aa2c69450d9b3915ef4a32278854a |
| SHA256 | 5d47ecd2b40e5f91b5c5edfcbdcf4019028fa5cdca31cfa4dd91fa22d28b9b01 |
| SHA512 | cd5e8d419e9a7d77057a247450fb56d560dd05516a6b31ae0fbdb49ef6d83f9e7f3af16f4645eface6d0b0feb0a51fd43ebf38fb89703154752961fb653fe767 |
memory/4456-26-0x00007FF613C20000-0x00007FF613F74000-memory.dmp
C:\Windows\System\ORJJRxU.exe
| MD5 | 6ef5865916026df5ad8820ae718756d0 |
| SHA1 | 322ee2e91ce2d41ee3df592b47656229eafe73e2 |
| SHA256 | 1b62b9ca0d42d00988bb117918af8b7e6820cd16d4fb7b493932e61a7c98731b |
| SHA512 | 0afc94453bf8ac16e914aae856564cbbad4ff6c055830daddc9c8118e70b343989cc64606802ea6a6806303d40cec53d73f0e495246aeae1af07e06287057109 |
memory/2556-32-0x00007FF7BE910000-0x00007FF7BEC64000-memory.dmp
C:\Windows\System\SYqRnmI.exe
| MD5 | 50680a4a5bf72d57aee49761c563b2ce |
| SHA1 | fe43416f4e36903105a2e0746332599fd40e008a |
| SHA256 | 3ee0e56deb91617402a06510b706745e676355f34abba9eb772ef2d9aa3633d5 |
| SHA512 | 1e0ee0943a34a1c8181e3ccb66dc8b8ff90d4a71f73ef372c7559e79205cf3e0957d892a31b56a5a93556651def0a55e44eb49516edbee8e1435270562198cac |
memory/3736-37-0x00007FF7B2D10000-0x00007FF7B3064000-memory.dmp
C:\Windows\System\YkPibec.exe
| MD5 | 03b27faaeeaec5e5f82efb616b9a6687 |
| SHA1 | 00aebd9848719008e22416e3601040d1aba1fbca |
| SHA256 | 51434632f3b376b555ecfda8488dde7cb73a4dadd67092478306e93ba0323e17 |
| SHA512 | 6223c3b699da528b07937d49cfc0732d109516a0604922a3667e41c32273472b6bc85e19b291510c8676885ec2c6067549c84ee928400a8d695362d41f37e19c |
C:\Windows\System\DVUzMfy.exe
| MD5 | 2f31bfef7e3f4565e11e5298f68121fd |
| SHA1 | c0680c23e6491d318afa44a8732b68c1e8b94e0e |
| SHA256 | 9a16d0ba26431c001d9e5a8fde1690359819e841e1c24a5551df956864b6e94b |
| SHA512 | f39796bbe5b971cea200310d0192b63618232e5bb85a8b1abe87088acb3eb017f6fb760b112fce918ec0c15674aee9afaf80c7f440705f1587b5b85000e2a0d8 |
memory/3472-50-0x00007FF6B6920000-0x00007FF6B6C74000-memory.dmp
memory/2836-54-0x00007FF6F3580000-0x00007FF6F38D4000-memory.dmp
C:\Windows\System\UtJfWal.exe
| MD5 | 68cb329837d9525850082335e7b12e33 |
| SHA1 | ad692cccb2330f1a56602f20777de157c332cc15 |
| SHA256 | f6f6f67a7a4b6e4df7666fffc8adcd178849250a73d2be0d6c2fda6a9dee9915 |
| SHA512 | d809d99fb87dba1d97152c8745e3fb2dbd5ba5d97d666d256e304093865a3ed8cc799bf1c536cb901610dfabf5fed6bc607ef3bdc2a75d4274a85fee2d160c12 |
memory/3860-46-0x00007FF634F40000-0x00007FF635294000-memory.dmp
C:\Windows\System\DVwUCzH.exe
| MD5 | aae1c3ad9ac20a1d1175a9ac586bc132 |
| SHA1 | 6e53449e618869c75fbcd8e4cc34665c4442e680 |
| SHA256 | 68083322c961fc026e0f23807dfff6aec5999c94cd7e0a7b261225c732d63b41 |
| SHA512 | 8a8f95380cf083003aa1c1ed66a3f3c53901626aa0201420d248f83607bf78de74bbd81b8378bdb74f34a182f43957936f989f7fc4938e2469705b3d85c7e51a |
memory/2844-61-0x00007FF62C2F0000-0x00007FF62C644000-memory.dmp
memory/4976-60-0x00007FF6282D0000-0x00007FF628624000-memory.dmp
C:\Windows\System\vltasxn.exe
| MD5 | a4c23c7837c24f386b64c7a9338c76cc |
| SHA1 | bcf132a27fe049d8de37575fd4a9b8397c6aa873 |
| SHA256 | e6dc0b948d32ee1c72b2d38696da178106c7385132e540204425c382463a0a4e |
| SHA512 | ef9bdf093c2f264ee111ca3ebe9e5a783206ef8c58f4941d8520f847623fcefe15e192d6c8b9e7385a87be8485c6c4062c2371bb930d9c45f0fab5b3f986a510 |
memory/4636-68-0x00007FF72D380000-0x00007FF72D6D4000-memory.dmp
C:\Windows\System\ZTVtEEm.exe
| MD5 | c70332dd94b180e57b9ed632bc99f399 |
| SHA1 | 218dba45d147e03cfbd3116c265d67edb778e6c6 |
| SHA256 | 9b9fe60b4340d83ac622c7d3b4c057029e050159ee59446c4f1aaad11f717d3b |
| SHA512 | 816908c25fc848dca5056fe382b3ecacc6471e8bfe29ae1ba7aaab0583dca064986dd6131648c9e6cace076c0baa02168d2f3776ea060fe597c955cdfde54816 |
memory/856-75-0x00007FF6918F0000-0x00007FF691C44000-memory.dmp
C:\Windows\System\LdnpXhe.exe
| MD5 | be15b94b14e1fc6937d84ee4c9fc6fae |
| SHA1 | 29186b16ec020cfb18b3304247e3f1ddc4b2baf5 |
| SHA256 | 07b350e44b12ee5e59b398426aa0bbf4547690710058d18af6ec0093a876772f |
| SHA512 | e62295c5395c9d42ec7d7a7e3755f201b5b692ec01a6f2d6350f88add9c7b3031d37bd01a1bac6319c02075a476ac24ad818e4840de364ea095aedf229004918 |
memory/3020-80-0x00007FF702D40000-0x00007FF703094000-memory.dmp
C:\Windows\System\NDCJOrc.exe
| MD5 | 4e86821d63c2a82491ae97921d40dc8f |
| SHA1 | d087402e72b6fab9ed747f4eb7c2eaf39923404b |
| SHA256 | 5be8f78eb40817419fa1fb331dac4af871a6c7b2025cfb9c3b6c47f93c20c03d |
| SHA512 | 65c28f4008013eb57c8f77b833d05af7ec291fa1a8f67bb3c9f612a328f9745fe8d65d6a09e2eef31f666a8c7e00d3263f03178895c4141236b20c0e3cee2f37 |
memory/3248-85-0x00007FF751B00000-0x00007FF751E54000-memory.dmp
C:\Windows\System\BmsBCoH.exe
| MD5 | b517fbd02688684f67f164568452c3a8 |
| SHA1 | 09a65321e4bac58b6183b3d49b1d71d28ecf9134 |
| SHA256 | 86b97b11d1dfd069bc4ffdb211f7d4868fb1fb265767f01f7e908cb330eb0275 |
| SHA512 | f1f9c2327ff3fb0439b9eb4d79ab605868100f26b651b5ed6a2ae31e14d10e21aaf32205f2fa894c40180f21209c7e4b767e7045579fda29f7404a2736531e77 |
memory/3140-94-0x00007FF6F1C20000-0x00007FF6F1F74000-memory.dmp
memory/2556-93-0x00007FF7BE910000-0x00007FF7BEC64000-memory.dmp
C:\Windows\System\HiwCTjN.exe
| MD5 | ddffddf3da95900c6d5f9c930fb0fb19 |
| SHA1 | cb1a527f0bb7b683537e72924e07368fb1762df9 |
| SHA256 | 83c73eb0c3cef536f28333791b155a6c5af4c855d324ed8564d1cc1b78368050 |
| SHA512 | eb0e34e5e2e5c3617c28d6d7d32ff56607060493cb7a50042bd371019559edcfd61af2d98807218c267e9d7bd0ae54fbe86058feb900b5ffdd4232ba043bfe29 |
C:\Windows\System\UqQajjJ.exe
| MD5 | a9e767f35ea616867a204a767c9b8a5e |
| SHA1 | 0ba6e0b1d3c3a43ef75c6221337a4b9fb4cdc761 |
| SHA256 | f6dbbcf9010aeea7fd6186dc9a037ee8cd18849facba1968f3a048bd6d9838df |
| SHA512 | 05f40d0ed5ad2df3783a58a4d7ab55b65e6d545fba52640c9a1210dd6075ec64f23e46d40d7fd1eb25b0c4bccafb68d91114bec2743618ae7eb0d6504e497d4d |
memory/660-102-0x00007FF74CCC0000-0x00007FF74D014000-memory.dmp
memory/3736-100-0x00007FF7B2D10000-0x00007FF7B3064000-memory.dmp
C:\Windows\System\xhskZQj.exe
| MD5 | a9bf57423792668f10d9d046b2f11b65 |
| SHA1 | 8476cdfb8496f796c5e2d37e7cee9214ad331855 |
| SHA256 | bd1859e326dc2ce8d5ede56adff2dc57f8e7bb15b9896d084f84fe70e24ef47a |
| SHA512 | 5d9953ef8f8bf12c42c809a10581a4536ac65965f9770e51b075489a8ea5a3aa5c5aa4ed579c8e0ec6cd786146ed1ca2e4a5ff9c3b0439b3ff20cc1e3b970ba9 |
C:\Windows\System\qtQyqvo.exe
| MD5 | 367819c068575f8025139111563376d8 |
| SHA1 | 602b45b0719ef99c07195b16bbd87c907df06b0d |
| SHA256 | 4125453cde213f0e39179b274002deeb450193014e5546e2792c556804bc7574 |
| SHA512 | 1b8b4561baec060ae0bdc7ec657198b6e0e942db636e4bc8a0ea4cabe84e6adb1c0a9f7f6f6f0556e356f8b97d0810349bd43fea142f417723778ba693998b76 |
memory/2836-117-0x00007FF6F3580000-0x00007FF6F38D4000-memory.dmp
memory/3576-118-0x00007FF743790000-0x00007FF743AE4000-memory.dmp
memory/2748-112-0x00007FF652010000-0x00007FF652364000-memory.dmp
memory/4808-106-0x00007FF6A1BD0000-0x00007FF6A1F24000-memory.dmp
memory/3860-105-0x00007FF634F40000-0x00007FF635294000-memory.dmp
C:\Windows\System\kauFuMH.exe
| MD5 | 4088a1f998edd0e5fc004e1db9086375 |
| SHA1 | 987e3c1d87d83b0cdf9b0701aa6896e91fe00f24 |
| SHA256 | c3e81740b0380276d18169ae866290eb70a677bd048706fa6dd6e6e9fdcda5cc |
| SHA512 | 109f533f4545c95bac0239acf45c80d8ae6dd46418ef66a2f1a67b705c7da02553279c1387572f18d05bc86e0de97b9177fce64c6dd4dc34e7a838ecb6402463 |
memory/2844-125-0x00007FF62C2F0000-0x00007FF62C644000-memory.dmp
C:\Windows\System\bmGZnOz.exe
| MD5 | 625da2864aed8ffd76644ebcd8d4962a |
| SHA1 | 7acf60deea254c7d6b4432fc9610bbd1bc12d448 |
| SHA256 | ce29005612d42f6f4d912686cb938bdbbc122a10ab691efb6b975ea0d35d8317 |
| SHA512 | 0512943e5933743fb0755c095977daf12df23ffe9506aa6d4ba7102bca1ff2d1e5ccc8c892c68981a0dc551919a4d82f6eaaa7d5ecaefe6a3d8a2d0cc5e4852c |
memory/4528-132-0x00007FF7B5970000-0x00007FF7B5CC4000-memory.dmp
memory/4636-133-0x00007FF72D380000-0x00007FF72D6D4000-memory.dmp
memory/2204-134-0x00007FF7045F0000-0x00007FF704944000-memory.dmp
memory/3020-135-0x00007FF702D40000-0x00007FF703094000-memory.dmp
memory/3248-136-0x00007FF751B00000-0x00007FF751E54000-memory.dmp
memory/4808-137-0x00007FF6A1BD0000-0x00007FF6A1F24000-memory.dmp
memory/2748-138-0x00007FF652010000-0x00007FF652364000-memory.dmp
memory/3576-139-0x00007FF743790000-0x00007FF743AE4000-memory.dmp
memory/4528-140-0x00007FF7B5970000-0x00007FF7B5CC4000-memory.dmp
memory/1632-141-0x00007FF722B70000-0x00007FF722EC4000-memory.dmp
memory/1528-142-0x00007FF6AE7B0000-0x00007FF6AEB04000-memory.dmp
memory/4816-143-0x00007FF736C30000-0x00007FF736F84000-memory.dmp
memory/4456-144-0x00007FF613C20000-0x00007FF613F74000-memory.dmp
memory/2556-145-0x00007FF7BE910000-0x00007FF7BEC64000-memory.dmp
memory/3736-146-0x00007FF7B2D10000-0x00007FF7B3064000-memory.dmp
memory/3860-147-0x00007FF634F40000-0x00007FF635294000-memory.dmp
memory/3472-148-0x00007FF6B6920000-0x00007FF6B6C74000-memory.dmp
memory/2836-149-0x00007FF6F3580000-0x00007FF6F38D4000-memory.dmp
memory/2844-150-0x00007FF62C2F0000-0x00007FF62C644000-memory.dmp
memory/4636-151-0x00007FF72D380000-0x00007FF72D6D4000-memory.dmp
memory/856-152-0x00007FF6918F0000-0x00007FF691C44000-memory.dmp
memory/3020-153-0x00007FF702D40000-0x00007FF703094000-memory.dmp
memory/3248-154-0x00007FF751B00000-0x00007FF751E54000-memory.dmp
memory/3140-155-0x00007FF6F1C20000-0x00007FF6F1F74000-memory.dmp
memory/660-156-0x00007FF74CCC0000-0x00007FF74D014000-memory.dmp
memory/4808-157-0x00007FF6A1BD0000-0x00007FF6A1F24000-memory.dmp
memory/2748-158-0x00007FF652010000-0x00007FF652364000-memory.dmp
memory/3576-159-0x00007FF743790000-0x00007FF743AE4000-memory.dmp
memory/4528-160-0x00007FF7B5970000-0x00007FF7B5CC4000-memory.dmp
memory/2204-161-0x00007FF7045F0000-0x00007FF704944000-memory.dmp