Analysis Overview
SHA256
cb58fa51dcdd9a6b1bbe1d77aff502f1286b301ea0696e89bc0fd47c83383ffb
Threat Level: Known bad
The file 2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
XMRig Miner payload
Cobaltstrike family
Xmrig family
xmrig
Cobaltstrike
UPX dump on OEP (original entry point)
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-28 00:07
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 00:07
Reported
2024-06-28 00:10
Platform
win7-20240221-en
Max time kernel
134s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 rows, none with recorded details)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 rows, none with recorded details)
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(55 rows, none with recorded details)
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(58 rows, none with recorded details)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MOZgeMm.exe | N/A |
| N/A | N/A | C:\Windows\System\KdcyjiW.exe | N/A |
| N/A | N/A | C:\Windows\System\xaQaMnJ.exe | N/A |
| N/A | N/A | C:\Windows\System\xYpnuop.exe | N/A |
| N/A | N/A | C:\Windows\System\XqmQwPV.exe | N/A |
| N/A | N/A | C:\Windows\System\ndGNHry.exe | N/A |
| N/A | N/A | C:\Windows\System\FsSYzmb.exe | N/A |
| N/A | N/A | C:\Windows\System\uPmmWDA.exe | N/A |
| N/A | N/A | C:\Windows\System\uncVOzC.exe | N/A |
| N/A | N/A | C:\Windows\System\BEwtrHQ.exe | N/A |
| N/A | N/A | C:\Windows\System\mgoMKQV.exe | N/A |
| N/A | N/A | C:\Windows\System\BcePnrb.exe | N/A |
| N/A | N/A | C:\Windows\System\negbOLm.exe | N/A |
| N/A | N/A | C:\Windows\System\xnGBQkb.exe | N/A |
| N/A | N/A | C:\Windows\System\kIGnYNy.exe | N/A |
| N/A | N/A | C:\Windows\System\fmSfEGG.exe | N/A |
| N/A | N/A | C:\Windows\System\lBrEbni.exe | N/A |
| N/A | N/A | C:\Windows\System\pSVIhoE.exe | N/A |
| N/A | N/A | C:\Windows\System\QNKQnzr.exe | N/A |
| N/A | N/A | C:\Windows\System\vPTDxqD.exe | N/A |
| N/A | N/A | C:\Windows\System\fHEOxOT.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(55 rows, none with recorded details)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\MOZgeMm.exe
C:\Windows\System\MOZgeMm.exe
C:\Windows\System\KdcyjiW.exe
C:\Windows\System\KdcyjiW.exe
C:\Windows\System\xaQaMnJ.exe
C:\Windows\System\xaQaMnJ.exe
C:\Windows\System\xYpnuop.exe
C:\Windows\System\xYpnuop.exe
C:\Windows\System\XqmQwPV.exe
C:\Windows\System\XqmQwPV.exe
C:\Windows\System\ndGNHry.exe
C:\Windows\System\ndGNHry.exe
C:\Windows\System\FsSYzmb.exe
C:\Windows\System\FsSYzmb.exe
C:\Windows\System\BEwtrHQ.exe
C:\Windows\System\BEwtrHQ.exe
C:\Windows\System\uPmmWDA.exe
C:\Windows\System\uPmmWDA.exe
C:\Windows\System\mgoMKQV.exe
C:\Windows\System\mgoMKQV.exe
C:\Windows\System\uncVOzC.exe
C:\Windows\System\uncVOzC.exe
C:\Windows\System\BcePnrb.exe
C:\Windows\System\BcePnrb.exe
C:\Windows\System\negbOLm.exe
C:\Windows\System\negbOLm.exe
C:\Windows\System\xnGBQkb.exe
C:\Windows\System\xnGBQkb.exe
C:\Windows\System\kIGnYNy.exe
C:\Windows\System\kIGnYNy.exe
C:\Windows\System\fmSfEGG.exe
C:\Windows\System\fmSfEGG.exe
C:\Windows\System\lBrEbni.exe
C:\Windows\System\lBrEbni.exe
C:\Windows\System\pSVIhoE.exe
C:\Windows\System\pSVIhoE.exe
C:\Windows\System\QNKQnzr.exe
C:\Windows\System\QNKQnzr.exe
C:\Windows\System\vPTDxqD.exe
C:\Windows\System\vPTDxqD.exe
C:\Windows\System\fHEOxOT.exe
C:\Windows\System\fHEOxOT.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1724-0-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/1724-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\MOZgeMm.exe
| MD5 | a49212db9c2d5138183fc477c021849c |
| SHA1 | 7231de13b07b3dad7187b4e545cd84d9efdcfca3 |
| SHA256 | ced8031f0d4968fe69c9d61a8c22b569c3c8b9c0492759869f0170432a7f02d4 |
| SHA512 | 5b0301b38d14f12e09580d0d489640eb52d2065ff6921bc6efbfdfd2004e305eb7e1f6371322c026e7923c7eb577fa32fe8777aa937db02a0d3ac5cfc98713f2 |
C:\Windows\system\KdcyjiW.exe
| MD5 | 9683780eb366372e51978a9c0a0bb097 |
| SHA1 | 46b05e1cfaa22c275ea413ffd6825be63664faf7 |
| SHA256 | a05cbc2862fe3dd70c076c8abb02bdc0eb04ee2d2fba69e518ae01e485e2daed |
| SHA512 | 9160be6a52fd51e197976d9fe67c44eb238ffe1089ceac266e4af3e92f648da7a4baaf326b4a0ccd6dfeb81bd483ec7ddea6ee0ae3517b4d05e290fdb1a145ca |
memory/2916-15-0x000000013FAC0000-0x000000013FE14000-memory.dmp
C:\Windows\system\xaQaMnJ.exe
| MD5 | 1f4cecc2cc041edcafa77e3b557c9069 |
| SHA1 | 8902075d45bedd0f206e0258b396459b48d6603e |
| SHA256 | 5e41a374d67b9c5a8b97b0cc7f5f19c014f9a943220468eaeac9cf3abced8702 |
| SHA512 | 8a8541e6bde289b6b82b3176a938cc9fd0f222d1c3cf8530ce47e17b5c5e004af3f91a9bda60764ce7b18f638fa2e625921f6f3b8df6c34f656ecb95be5aabd7 |
memory/1984-22-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/1724-20-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/1724-14-0x0000000002390000-0x00000000026E4000-memory.dmp
C:\Windows\system\xYpnuop.exe
| MD5 | f458103f408c06d8f6023f06059961d8 |
| SHA1 | a8194c402bed1335310d62a5f540d66a35add031 |
| SHA256 | c0ade637b34f4736c33998bd0b333b5f8e5116bfac8a7945ab502ac41181cfa7 |
| SHA512 | 87606e5c6f29bae04f310e7de99dee2fd852edd72e1e0b9c5e4df26e658a6bbbfc1076099b7329bf920a69969f970acd0b1ba3b5b2b0e94016e23cfb4b70d15f |
memory/1724-27-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/1724-33-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2608-70-0x000000013F2E0000-0x000000013F634000-memory.dmp
C:\Windows\system\mgoMKQV.exe
| MD5 | 7462f66317242d50e408ca6d80621146 |
| SHA1 | 096008fe572dcc1ab620c868a02bcfd6162f9cdc |
| SHA256 | 7ea7f38c9d9bc2a8155e63a5fd614901399df69d4681cd16c9f117543e520ebf |
| SHA512 | 467d4f2e55eec6b4735ce19a2bd4c96ee3ee68db1eccd484e298985d5e5494724caa9ff5bd1dbb432201db93e9a1fbfbf81339ae83762258d83900124d6663bd |
memory/2656-78-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2544-85-0x000000013F110000-0x000000013F464000-memory.dmp
\Windows\system\kIGnYNy.exe
| MD5 | 1310b6d1537331e092bbe9c16213e8c1 |
| SHA1 | 62283415421431c9acb849e363974f029a2412cc |
| SHA256 | 0335cf6f1ea51103de853c37996b9ea4d81f387dabb8d84970bc8e42ff39e67e |
| SHA512 | 9a0887d77678657d9d73b00b74a38e19d51a2f4a7884d88e27a71169d78e5cc1a1d7096c05f12fa790e7f0024a80c2f13b926ec7070d2c32f5feb5ad217cb2e3 |
C:\Windows\system\vPTDxqD.exe
| MD5 | 36c05e6b67f56f47eb4ca759153268d9 |
| SHA1 | 58b6cfbd4bc420ecbdb7635ea9653df0a7048de1 |
| SHA256 | b55a4b507e84b5d8571f12c8e7077a255eb40c055158f0ab706ae220681c75a7 |
| SHA512 | fa75e646e0530b91f465e4f71ff29503f27dde840a70b0eb9a199faf7746d9214c16576235c101458c3390226c74ae6b902f82db5f3a9977d21749795d2f2996 |
C:\Windows\system\fHEOxOT.exe
| MD5 | 63148a7a090e256c946dc2ba640d4400 |
| SHA1 | e9cdcc153229101a099c1bf635d4a104b71d9659 |
| SHA256 | dbc185db363ccc1d74646404bbb601183476233d252e0f390d06973d03243295 |
| SHA512 | 2223c49fd01fdf879cc90280f13db1c731d41bb2a7a6cc48ddcea7108027dfd8d70998184e360706b0989ccf22f797e18c64287574c8b359290ba266d284ab80 |
C:\Windows\system\QNKQnzr.exe
| MD5 | f79db33abde91e4825214ae735abeea6 |
| SHA1 | 8228e71a46902e399ecbf2f3d9860bb2c31af501 |
| SHA256 | e5c12a647149a6bbdad1556b41e4f10c9e8c3dde2aae9df3534478fae6c2cde8 |
| SHA512 | d23814902bdd3dcc9f357cd23951a56ac396aac435eff4c7ced5cceb69c6a75d44489b117c550e569fea556e34fd4402047447e6a7b188832f9058614e10074a |
C:\Windows\system\pSVIhoE.exe
| MD5 | 594c4893dddf4477e39f0af7121b2dd3 |
| SHA1 | 491f4c8d1241a7994b5a1c3f1469050b8807d94d |
| SHA256 | 1ac2d991beec66fbe80a610ab5750757335b70c2b3e02ee48b17428e5e1beefc |
| SHA512 | 4418e68c2b1f90a360f01e0cbb06e7b6b5936b24b99c50afaf171fbc71d600e5fe359c278e955c23f62293e7acc4bb823604a2ad42bf342b8247dc88333ef165 |
C:\Windows\system\lBrEbni.exe
| MD5 | 74782875cbe17eaf178c0d53e6110377 |
| SHA1 | 7e8655b412e4bd6eb88a4369df032f5dc23d71df |
| SHA256 | 8714fb3516cfe05c0abfe10e06e13ea932b1f173af39239973f2b6471a829707 |
| SHA512 | 7d23e9dc8918e146500208b92a3301398d1972069e1621f3ffeb7333f9c5a66ef3079f457b564d40a958db77c52d982b0b2b4b8fe79c428cc415590efd9cce86 |
C:\Windows\system\fmSfEGG.exe
| MD5 | dab54fc3f68992f5a2943ddb82dab4b0 |
| SHA1 | 1ada026db366b5725fb982f31d03dc526a98afa3 |
| SHA256 | 8818fd1e7b6871f54059791a1c50c1dd244b3e79ae509d904dfa679a312c6ca8 |
| SHA512 | ff901a77e13fd181a6358e6313db2e1a17980c64705fd6a156a77b157cd68f22dc367480bb90748d9637bfe90477fafd48a2bd1c33c8d7e3120d5194a378d43b |
memory/1984-108-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/1724-107-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2880-106-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/1724-105-0x0000000002390000-0x00000000026E4000-memory.dmp
C:\Windows\system\xnGBQkb.exe
| MD5 | 4182349233c7d3b500362217646d594e |
| SHA1 | 571c3c4c5b6124dfcccb3aa512003328729c5a52 |
| SHA256 | 4cc733a347d4e273df207834f04211129f028d070e7a4b64a2224de61c29811d |
| SHA512 | e4ac8f4db12b86d7fd140b626ab9a83fd334cd60b4ba647f6a02d9823fdf9aac641c5ff9d1ea251620d17193652ba6c21789c1bc24407fc828bbde0a1dba7d60 |
memory/2840-93-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/1724-92-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/1724-91-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/1724-84-0x000000013F110000-0x000000013F464000-memory.dmp
C:\Windows\system\negbOLm.exe
| MD5 | e6e8e99bbb77f364247790baf8bc46bd |
| SHA1 | c54e3cec677f79a13e0b23df20bfbb063cb56bfe |
| SHA256 | 95924da6a87cbe2a1cc9a83b68cc9c84ca37614e8e3c01ba34a2cc98f1d15067 |
| SHA512 | d3d00e458b4e53db85f0c275ce95f0949a9e6f337071c701a801c8d76d33796714b402f23afbbc4efdd874af54cc840ef1817761f55ef56c955afbe803bf72ba |
C:\Windows\system\BcePnrb.exe
| MD5 | d030d5dfacc8eb4681a44d9a08c2fc33 |
| SHA1 | e5865bde1da0da36e832482b7239643bd9d9b2d4 |
| SHA256 | e551da40d444c3dd4022a26db1c264236cecc8857b3ef73cacf907d3b5ff50c3 |
| SHA512 | 6c1a46e46e2cfa3c2b13fe803d5c86e4988aeec5f265d120dd19d1d67637216738c86140683e16007d47e8fbb327b6fe87ded3a86475b047e434656be720a91c |
memory/2316-77-0x000000013F9F0000-0x000000013FD44000-memory.dmp
C:\Windows\system\uPmmWDA.exe
| MD5 | 57ef304594f26b46134f00448361e450 |
| SHA1 | b83d11db7e04b69df34c3b1df0c3a2676605eafd |
| SHA256 | 2b50d3da6e1224664fefc594398da72dcab317b6f63f2f8a262e3186348715c0 |
| SHA512 | 14b881595b856a0e4b9d4ecbb669d420cef5fd0c3bb7da7266e9190067694cb95c95fdfb23941ba2fdc627e46bf543dfc6a0216180b967481026a1f49aa68d27 |
memory/1724-49-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2624-47-0x000000013F8E0000-0x000000013FC34000-memory.dmp
\Windows\system\BEwtrHQ.exe
| MD5 | a320fca53ab458b508bbb484067a77c5 |
| SHA1 | 7daac9c7c22d5695591503648ea36ac0284d35f0 |
| SHA256 | 4d6d0ad97e0dab5dbbba3384f8ea03bdedee622a20ed29b750e5a0940ec9aa4a |
| SHA512 | fd97742fffea5622b081dc28174d5ec501c348f1433daabeb6a09562e39e0dc8cea6eee64f7e601231510d3b05d7fa5eccc5b1dcfeaefce6888159f8558b46ac |
memory/1724-41-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2492-72-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/1724-71-0x0000000002390000-0x00000000026E4000-memory.dmp
C:\Windows\system\ndGNHry.exe
| MD5 | 63adea601a1770307c45b4c6d73e0d9b |
| SHA1 | 949428bffca791f823fc64ab43743f86488472c9 |
| SHA256 | 6df1d28b16c4f7397dc8e792a7f48357a966ee98e70ff6959efb79b45b771c11 |
| SHA512 | 3cfc8b2cdfb920a12a483984a970f402bc72ecc1d68c230c84335deb9581715601350a5561df8f45fc46f1c78d0686f7178940e52fe49b1c031e3de87b23d460 |
memory/1724-68-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2716-67-0x000000013F790000-0x000000013FAE4000-memory.dmp
C:\Windows\system\uncVOzC.exe
| MD5 | c3063c6a8040738d76b5abaac2b6d330 |
| SHA1 | 4a75764c655bbdfdd5b708f969c87628ebe262df |
| SHA256 | d7b263404d165051ebc7ceb6ef3e33f37534d3b5ffa814d54cd774201643b6fb |
| SHA512 | 10966fee31e9307b0c7dbb7024b0ee122ddfbc46f3f27a3cf803f9dc3f9155d05a6ee2f55fef57c097e581ef03ce5887bae559fd2ddef1e868f7b18c07f9a661 |
memory/1724-65-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/1724-64-0x000000013F2E0000-0x000000013F634000-memory.dmp
C:\Windows\system\FsSYzmb.exe
| MD5 | 17dabfe31cb73d66e256e510dd820dc0 |
| SHA1 | f6cf7286b606771ef439028f1b8b8ebec53e373b |
| SHA256 | 08e58f33d0aa6dee7e7a69df0d0c39dfc3efbc96ca73aabc91696e8aa38411cf |
| SHA512 | c87f5d7ab9e1448568fcab5a9933bb046ec5084ee8af254a155141d7a50ba059d318fcdd00e7a42903cc955a0ec20ff1b5348a721839a8bec90f0e15e56adf3b |
memory/2696-36-0x000000013F1D0000-0x000000013F524000-memory.dmp
C:\Windows\system\XqmQwPV.exe
| MD5 | 7d6e0c6ecd521ce5b560b9920a372af2 |
| SHA1 | 0b5421b52474c2315b4658ac75b71190f101cdff |
| SHA256 | 7d9fc5883ed85a3219987920bdcd90f7f960654a273504c38c459b3a6339bf42 |
| SHA512 | 8777813ccc6e5ede18a580c7396917bca009bed371db3ad3a63f281f8ea839d6d481dac3f0cadbe1751fa5c58a3ff1f003d7cff858e4b7ce297e2f69019d9906 |
memory/2708-28-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/1760-13-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2708-137-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2696-138-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2624-139-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/1724-140-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/1760-141-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2916-142-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/1984-143-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2696-145-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2708-144-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2608-147-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2624-146-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2492-149-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/2716-148-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2316-150-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2544-152-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2656-151-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2840-153-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2880-154-0x000000013FCD0000-0x0000000140024000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 00:07
Reported
2024-06-28 00:10
Platform
win10v2004-20240611-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 rows, none with recorded details)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 rows, none with recorded details)
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 rows, none with recorded details)
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 rows, none with recorded details)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MOZgeMm.exe | N/A |
| N/A | N/A | C:\Windows\System\KdcyjiW.exe | N/A |
| N/A | N/A | C:\Windows\System\xaQaMnJ.exe | N/A |
| N/A | N/A | C:\Windows\System\xYpnuop.exe | N/A |
| N/A | N/A | C:\Windows\System\XqmQwPV.exe | N/A |
| N/A | N/A | C:\Windows\System\ndGNHry.exe | N/A |
| N/A | N/A | C:\Windows\System\FsSYzmb.exe | N/A |
| N/A | N/A | C:\Windows\System\BEwtrHQ.exe | N/A |
| N/A | N/A | C:\Windows\System\uPmmWDA.exe | N/A |
| N/A | N/A | C:\Windows\System\mgoMKQV.exe | N/A |
| N/A | N/A | C:\Windows\System\uncVOzC.exe | N/A |
| N/A | N/A | C:\Windows\System\BcePnrb.exe | N/A |
| N/A | N/A | C:\Windows\System\negbOLm.exe | N/A |
| N/A | N/A | C:\Windows\System\xnGBQkb.exe | N/A |
| N/A | N/A | C:\Windows\System\kIGnYNy.exe | N/A |
| N/A | N/A | C:\Windows\System\fmSfEGG.exe | N/A |
| N/A | N/A | C:\Windows\System\lBrEbni.exe | N/A |
| N/A | N/A | C:\Windows\System\pSVIhoE.exe | N/A |
| N/A | N/A | C:\Windows\System\QNKQnzr.exe | N/A |
| N/A | N/A | C:\Windows\System\vPTDxqD.exe | N/A |
| N/A | N/A | C:\Windows\System\fHEOxOT.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 rows, none with recorded details)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\MOZgeMm.exe
C:\Windows\System\MOZgeMm.exe
C:\Windows\System\KdcyjiW.exe
C:\Windows\System\KdcyjiW.exe
C:\Windows\System\xaQaMnJ.exe
C:\Windows\System\xaQaMnJ.exe
C:\Windows\System\xYpnuop.exe
C:\Windows\System\xYpnuop.exe
C:\Windows\System\XqmQwPV.exe
C:\Windows\System\XqmQwPV.exe
C:\Windows\System\ndGNHry.exe
C:\Windows\System\ndGNHry.exe
C:\Windows\System\FsSYzmb.exe
C:\Windows\System\FsSYzmb.exe
C:\Windows\System\BEwtrHQ.exe
C:\Windows\System\BEwtrHQ.exe
C:\Windows\System\uPmmWDA.exe
C:\Windows\System\uPmmWDA.exe
C:\Windows\System\mgoMKQV.exe
C:\Windows\System\mgoMKQV.exe
C:\Windows\System\uncVOzC.exe
C:\Windows\System\uncVOzC.exe
C:\Windows\System\BcePnrb.exe
C:\Windows\System\BcePnrb.exe
C:\Windows\System\negbOLm.exe
C:\Windows\System\negbOLm.exe
C:\Windows\System\xnGBQkb.exe
C:\Windows\System\xnGBQkb.exe
C:\Windows\System\kIGnYNy.exe
C:\Windows\System\kIGnYNy.exe
C:\Windows\System\fmSfEGG.exe
C:\Windows\System\fmSfEGG.exe
C:\Windows\System\lBrEbni.exe
C:\Windows\System\lBrEbni.exe
C:\Windows\System\pSVIhoE.exe
C:\Windows\System\pSVIhoE.exe
C:\Windows\System\QNKQnzr.exe
C:\Windows\System\QNKQnzr.exe
C:\Windows\System\vPTDxqD.exe
C:\Windows\System\vPTDxqD.exe
C:\Windows\System\fHEOxOT.exe
C:\Windows\System\fHEOxOT.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
Files