Analysis Overview
SHA256
bd8c88455e79dcf2211ebe1e27ee828fa94fd189943c063dc3d172ca9e968192
Threat Level: Known bad
The file 2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Xmrig family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
xmrig
Cobaltstrike
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-28 00:09
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 00:09
Reported
2024-06-28 00:12
Platform
win7-20240611-en
Max time kernel
125s
Max time network
139s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fgYFgHW.exe | N/A |
| N/A | N/A | C:\Windows\System\fTLSsgV.exe | N/A |
| N/A | N/A | C:\Windows\System\aUIUElm.exe | N/A |
| N/A | N/A | C:\Windows\System\lIgskMm.exe | N/A |
| N/A | N/A | C:\Windows\System\BqcGzzk.exe | N/A |
| N/A | N/A | C:\Windows\System\kpAcRue.exe | N/A |
| N/A | N/A | C:\Windows\System\kkrkjkt.exe | N/A |
| N/A | N/A | C:\Windows\System\kxTWSrO.exe | N/A |
| N/A | N/A | C:\Windows\System\iYSMuYU.exe | N/A |
| N/A | N/A | C:\Windows\System\xXZZWKF.exe | N/A |
| N/A | N/A | C:\Windows\System\nUdYlyi.exe | N/A |
| N/A | N/A | C:\Windows\System\RVICoaZ.exe | N/A |
| N/A | N/A | C:\Windows\System\CjfYUHx.exe | N/A |
| N/A | N/A | C:\Windows\System\IbcNBqu.exe | N/A |
| N/A | N/A | C:\Windows\System\GzqisrQ.exe | N/A |
| N/A | N/A | C:\Windows\System\KVYdYmF.exe | N/A |
| N/A | N/A | C:\Windows\System\yvysSnB.exe | N/A |
| N/A | N/A | C:\Windows\System\xOmTbvp.exe | N/A |
| N/A | N/A | C:\Windows\System\Teerzcr.exe | N/A |
| N/A | N/A | C:\Windows\System\aSbnput.exe | N/A |
| N/A | N/A | C:\Windows\System\ynhKBKn.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\fgYFgHW.exe
C:\Windows\System\fTLSsgV.exe
C:\Windows\System\aUIUElm.exe
C:\Windows\System\lIgskMm.exe
C:\Windows\System\BqcGzzk.exe
C:\Windows\System\kpAcRue.exe
C:\Windows\System\kkrkjkt.exe
C:\Windows\System\kxTWSrO.exe
C:\Windows\System\xXZZWKF.exe
C:\Windows\System\iYSMuYU.exe
C:\Windows\System\nUdYlyi.exe
C:\Windows\System\RVICoaZ.exe
C:\Windows\System\CjfYUHx.exe
C:\Windows\System\IbcNBqu.exe
C:\Windows\System\GzqisrQ.exe
C:\Windows\System\KVYdYmF.exe
C:\Windows\System\yvysSnB.exe
C:\Windows\System\xOmTbvp.exe
C:\Windows\System\Teerzcr.exe
C:\Windows\System\aSbnput.exe
C:\Windows\System\ynhKBKn.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 00:09
Reported
2024-06-28 00:12
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
160s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CLhgqeN.exe | N/A |
| N/A | N/A | C:\Windows\System\CUShHDE.exe | N/A |
| N/A | N/A | C:\Windows\System\nGOdEPQ.exe | N/A |
| N/A | N/A | C:\Windows\System\kfpdSGF.exe | N/A |
| N/A | N/A | C:\Windows\System\SvzWlCP.exe | N/A |
| N/A | N/A | C:\Windows\System\RbGvbOT.exe | N/A |
| N/A | N/A | C:\Windows\System\tDQOYsi.exe | N/A |
| N/A | N/A | C:\Windows\System\SMbCOmg.exe | N/A |
| N/A | N/A | C:\Windows\System\wBjrwEL.exe | N/A |
| N/A | N/A | C:\Windows\System\tSTkyKO.exe | N/A |
| N/A | N/A | C:\Windows\System\vXuROry.exe | N/A |
| N/A | N/A | C:\Windows\System\IgeXUqX.exe | N/A |
| N/A | N/A | C:\Windows\System\niECUCb.exe | N/A |
| N/A | N/A | C:\Windows\System\plXUzsP.exe | N/A |
| N/A | N/A | C:\Windows\System\jkYBqZj.exe | N/A |
| N/A | N/A | C:\Windows\System\eDfWmRA.exe | N/A |
| N/A | N/A | C:\Windows\System\CQKCgwc.exe | N/A |
| N/A | N/A | C:\Windows\System\mwehoFt.exe | N/A |
| N/A | N/A | C:\Windows\System\jhXbILX.exe | N/A |
| N/A | N/A | C:\Windows\System\UkEgBdT.exe | N/A |
| N/A | N/A | C:\Windows\System\SubrnTR.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\CLhgqeN.exe
C:\Windows\System\CUShHDE.exe
C:\Windows\System\nGOdEPQ.exe
C:\Windows\System\kfpdSGF.exe
C:\Windows\System\SvzWlCP.exe
C:\Windows\System\RbGvbOT.exe
C:\Windows\System\tDQOYsi.exe
C:\Windows\System\SMbCOmg.exe
C:\Windows\System\wBjrwEL.exe
C:\Windows\System\tSTkyKO.exe
C:\Windows\System\vXuROry.exe
C:\Windows\System\IgeXUqX.exe
C:\Windows\System\niECUCb.exe
C:\Windows\System\plXUzsP.exe
C:\Windows\System\jkYBqZj.exe
C:\Windows\System\eDfWmRA.exe
C:\Windows\System\CQKCgwc.exe
C:\Windows\System\mwehoFt.exe
C:\Windows\System\jhXbILX.exe
C:\Windows\System\UkEgBdT.exe
C:\Windows\System\SubrnTR.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4832-0-0x00007FF63F880000-0x00007FF63FBD4000-memory.dmp
memory/4832-1-0x000001C7C4AA0000-0x000001C7C4AB0000-memory.dmp
C:\Windows\System\CLhgqeN.exe
| MD5 | e64015da51c574193f8462893c7b9ed9 |
| SHA1 | 961cce3cff7dbf3e2c8b9ff649ee74d3b4890454 |
| SHA256 | ef7c80c7ec78f283bef69a79be01501f8f76e8c3d59d1227f19250d937422852 |
| SHA512 | 1509c6d094dd8a8b8fced6eedbb020e9e4600316de7289f10c6d55674485c836c1331fda9f0e2f3e68236b3dbf20fc22b16ef2f00f888a2e2675dce100b35746 |
memory/2600-8-0x00007FF6B7E50000-0x00007FF6B81A4000-memory.dmp
C:\Windows\System\CUShHDE.exe
| MD5 | 5c64b95c95eec6c5f9b90b6744a12ecf |
| SHA1 | 8f8ef0b16706d6e974575c132fe695703a652f58 |
| SHA256 | b6424f123048213d5d7d1cfc640ee4421c6a494b05eceba8317e47e44fcf1b26 |
| SHA512 | 7e9097d0391c8b95a1a8901e3245c4dbf93a82a2c450cd3b393c491e405152bcef684043ce228f63de24fc155d8858d07afe150d6a99fa67f3f629f886ef4bfa |
memory/1432-14-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp
C:\Windows\System\nGOdEPQ.exe
| MD5 | e54b77bd47b366975b4f2400a94f4d59 |
| SHA1 | dbb7980fa9393fd6c83b5a134f8e9d10d8dbd8e4 |
| SHA256 | b7faea29d1f1b3d9a1acf72bb2eef55c290c80a2dcf05fc770c8955278fcc6a1 |
| SHA512 | cf943a25b12b42f6fbfd3ad849b99d7e6be0f327fc14897285e5f97f71aff5d7591a02afd3e478bab8a996ae08130f5a603573d080e0a85b34c235a365a8c15d |
memory/2452-20-0x00007FF78BF20000-0x00007FF78C274000-memory.dmp
C:\Windows\System\kfpdSGF.exe
| MD5 | 3568e13905e01b4b12cab1df4838808a |
| SHA1 | 51475d3561154bb28b647ae5bd2add27d78e71e9 |
| SHA256 | 5fa37358a1643880206df05738a4cc140a6edb64003bd4c02774c27c9ddce432 |
| SHA512 | d7e88bc7c08ec6c8c6c21fe741d1ed0d729283eec32ac7e6423cc2b29b47be380f6b4441f0faf0cd75d7ab65516b9d849b85484162ea214a915cbaf7b5ac4f1a |
memory/3184-26-0x00007FF71BE80000-0x00007FF71C1D4000-memory.dmp
C:\Windows\System\SvzWlCP.exe
| MD5 | 4f757c994278c9c728273ffa81b80d8a |
| SHA1 | ef68deb389ff438d3622282b9d1851f8b1f652f9 |
| SHA256 | 3a520d631a769e39bf9bc614f5e19cc797396ffcdc903f03e39f574bc81bb319 |
| SHA512 | 75aac85df161f7f3f7ba7eb74ce9270c924e8bffacb937b6235e17cc01503311cde28fa2f516dd4cc0e443458f09621cd2674ecbb4f3496a309d04aa05000341 |
memory/4180-32-0x00007FF7AA1A0000-0x00007FF7AA4F4000-memory.dmp
C:\Windows\System\RbGvbOT.exe
| MD5 | 310f0e3417753cc23423f995abcd0fc7 |
| SHA1 | 626d6ec65186d52f25686ce76e2794cfb0559606 |
| SHA256 | 4e27bd1f357ada62acd78fac42451fc80db1ba60c2f069cc520b102a25272a99 |
| SHA512 | f7db990548d6e01e6b770835f90f9aa4dc1a685f70af57e0ad545c5a4bda37b30a15c1b897423877e4e8d06b5ce334b2f1f0becb57f678c2bf0d5d939516af43 |
memory/4512-37-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp
C:\Windows\System\tDQOYsi.exe
| MD5 | 2b380ea718021b660e39e5d92b3fe369 |
| SHA1 | aef061d3045a0a873b854684748408239665c861 |
| SHA256 | 8f2a4d36b9445335dbc6925bfa10b721d592aa4c5e6196f2ef2ce8817fb47793 |
| SHA512 | 2effa907071fa49292929490b2f29070ab3faf0d57e11a2e4e3e1b0965540af39f0195ce69d79859b4785d6d80988f293502caf92f80fd470621330ecc4db9c6 |
memory/4064-44-0x00007FF79E2E0000-0x00007FF79E634000-memory.dmp
memory/4832-50-0x00007FF63F880000-0x00007FF63FBD4000-memory.dmp
C:\Windows\System\SMbCOmg.exe
| MD5 | 061c1db3fe31861d49ee24a3f2f920e5 |
| SHA1 | 1d897ff09563dad730db12a466fb0f989cfcd167 |
| SHA256 | 49b2467d841d3d2666e47b476666be763f8d573952c56d778c9be01c98a9f137 |
| SHA512 | b8a98b2d4d69cecbeaba11a46497c08276179ae08d5ce6610210c700d61882879d3b962fc1f8259ff1373961088d861f6e991a5caefb57ca74e0596fa0b314ef |
memory/3216-51-0x00007FF64CAA0000-0x00007FF64CDF4000-memory.dmp
C:\Windows\System\wBjrwEL.exe
| MD5 | 51153bc8dacb1eb0aded996c9f6585c8 |
| SHA1 | abe7e0c57d5f6615bcfa707eb8cab2187cd77dee |
| SHA256 | 84bbe8b10c2cc48ac1ce8c9450032d0c6fc6e13eba648d14e65104198c7c9d6a |
| SHA512 | 6816fe5152ac9d1ed3e05778732b619f73cd5ca5fb8e0a5972eb3f46f0651f915dc7bea87f81e34ae2d8cb4109c2fb34327b531f71e20b2415b7a264ce80f510 |
memory/2268-57-0x00007FF6DB620000-0x00007FF6DB974000-memory.dmp
C:\Windows\System\tSTkyKO.exe
| MD5 | eeb35490739c0fecce7583ca1235a666 |
| SHA1 | adaf2d732f71541a564534202c56464969d830a7 |
| SHA256 | ede418d6791890aa0166ebe47f8818a84baf1973e73f9d5121cba2725f01e3a2 |
| SHA512 | 1075180f72025259d18c327f4b633d5544a11462d9b74d6d4b77a218d03e582fc29cc532e7685071a57c7f70dbb0006a7f0a785a3577acfe1370654f402ce991 |
memory/4720-63-0x00007FF76B830000-0x00007FF76BB84000-memory.dmp
C:\Windows\System\vXuROry.exe
| MD5 | 8641b56c29ddb9a76f437542abc16f56 |
| SHA1 | b5b2b93c19df6969612e811b3baccec64a3b8e7e |
| SHA256 | 7a4a12fc22a296b7d27dc421e2b4e152aa1b3d77aad63a2865419bc3c6255d13 |
| SHA512 | 3848d806b51c4243840b2b704d9262ec583b0f821cc576acf424e26468fb19cac0fc562ab3b26473bce8207e74a721b2d5dba58f51dd1f558191f40a50c67718 |
memory/2600-69-0x00007FF6B7E50000-0x00007FF6B81A4000-memory.dmp
memory/2412-70-0x00007FF65EA20000-0x00007FF65ED74000-memory.dmp
memory/1432-76-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp
memory/440-77-0x00007FF60E4D0000-0x00007FF60E824000-memory.dmp
C:\Windows\System\IgeXUqX.exe
| MD5 | ff206b31d252b834c6dbfb5eb2ade946 |
| SHA1 | 3500ffe5cec5c5a867e015c6c6078c5c0b1725ed |
| SHA256 | a21ca6b3955a0d569722f4c1b9de0846005c6f4dc8e3597875565ea6d4561b12 |
| SHA512 | f4c7ba1de28ad9899017736af1ab401f03a0d13545106c6b7c71a82411659b05fb19c0e9ce015f549ececf533c138323543676bb1b74a16365a7d7aa49f25bc5 |
C:\Windows\System\niECUCb.exe
| MD5 | 0fe36ebedb98afe1b61af6d0efc5018b |
| SHA1 | 5bb6d3cd0a441dd11839d64f3a1f15d6cb16c1eb |
| SHA256 | de58873d77dc1d4221e5663fab26c3a838a60065b64fdd2fb20f70b250e75619 |
| SHA512 | 225ed1cea04c99ca270a1c18259328c2cfdfe55dccd9817b1531b20c7e6ae0c26916893b4bbe58d19e7435a7102a8bb0e672c656a48906d6e856a91665f88b7a |
memory/2452-83-0x00007FF78BF20000-0x00007FF78C274000-memory.dmp
memory/5000-84-0x00007FF7BB960000-0x00007FF7BBCB4000-memory.dmp
C:\Windows\System\plXUzsP.exe
| MD5 | bf57337649177c9f462610385292e735 |
| SHA1 | d9c19c31e676fee08162fadc3b6bbaa3ea441de9 |
| SHA256 | faa1c308b3672354c45516a9f7263dd87831a174ef4c358d5d6a281de2dda481 |
| SHA512 | 5da71522fa2d4ec17659a63d0ad2fb304cd2500fec5e73668c6c80c276b4d3504f1a29e58c799f7a86f18478670dc4c53d07a150eb26b73ba6d5aea05138647c |
memory/3184-90-0x00007FF71BE80000-0x00007FF71C1D4000-memory.dmp
memory/4176-91-0x00007FF7201E0000-0x00007FF720534000-memory.dmp
C:\Windows\System\jkYBqZj.exe
| MD5 | f1e29870bbed3996f382a9ef6f6be455 |
| SHA1 | b10099380c946fca6f50550a90fc587af1d6e2dc |
| SHA256 | 6547fb5b4d5832a4846f9f46a80a6451d7b3c6143b9d0e0ded0693e9be56ab60 |
| SHA512 | 4f66df3769afaaa45ab191eabc41b4fbfa66cc50b4bcbf767ef05312b038858c07d8e5f17358ec7387b3bd38072620bc21be5ac307a081715210a951fef6d836 |
memory/4180-97-0x00007FF7AA1A0000-0x00007FF7AA4F4000-memory.dmp
C:\Windows\System\eDfWmRA.exe
| MD5 | 782656c6db398648608bf6aca19ea800 |
| SHA1 | b960f681d4f8f4ad3b242bf6b6f80e4bb6667940 |
| SHA256 | 9b1c41a9dbc6f789773dbe14b965ff275662353a17e8e476357bcfcaca95acac |
| SHA512 | 012f3c3473b2a437835028e25fb37a84842a804e73821cf4cdbbd1dbb49301a3de2a82e07289b5c6882dd5ed7df7c433ec686d38de13b549ce74e17c842ccfe9 |
memory/4512-104-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp
memory/2172-105-0x00007FF779690000-0x00007FF7799E4000-memory.dmp
memory/4000-103-0x00007FF6A2730000-0x00007FF6A2A84000-memory.dmp
C:\Windows\System\CQKCgwc.exe
| MD5 | c0385d4f1ed2a2cc6f0ee6223f8101eb |
| SHA1 | d0ee132698fed8c9a461a77348fe7eb9394f2dfb |
| SHA256 | 541f985ec654c807c4ddd2e2078c16950413cb4990cd36cf46ef0ddf3719a012 |
| SHA512 | 09aa3e44a24a4e93638d700dbd40fb38f018304e599acc90bbdb6ac50bf926f46ecc16e132b57cf72ffd161e1334eecff80daf7715bf3b8d529cd3d2ce93968a |
memory/4560-111-0x00007FF6F5920000-0x00007FF6F5C74000-memory.dmp
C:\Windows\System\mwehoFt.exe
| MD5 | 7fd9721d654f496c56b6af7aab599d36 |
| SHA1 | daef7d1c872384e81430c645ddd1bcdf301e153e |
| SHA256 | 6123fa1d8402b3cbfeb965eeffdd1677937d3f7c486ae0e555021473b6be30d7 |
| SHA512 | fa3a2aaab2243e58906ca344482b29053c8d3120009b719da9512a9f80729830db806021eb81a1131a1d8997affc389f6dee892f7599d34c087f80a61bc720d5 |
memory/4308-117-0x00007FF7748A0000-0x00007FF774BF4000-memory.dmp
C:\Windows\System\UkEgBdT.exe
| MD5 | d2cdcb1024973b172cb764537e14bdba |
| SHA1 | deb254369c8419a5ef4e1c23af97b17cfb1a645d |
| SHA256 | 2241bd870802951fafe93c24ebd15cd729cd46802ca37002fdf39a3b5a7075a8 |
| SHA512 | 620f502d77658f8778cadd99d0631214f573a912859e8242e525813a540daeb8e12f07fa1e28a5081bff1c4a1eafc46efddb801b594957ddc94c968d5a731ede |
memory/2268-122-0x00007FF6DB620000-0x00007FF6DB974000-memory.dmp
C:\Windows\System\SubrnTR.exe
| MD5 | 372f7beeb36195da5bb65836b9cd025a |
| SHA1 | a0df11690b224b942bda1dad45a5114d01df7c6e |
| SHA256 | 7a7ed19dffe56abf47e997a9af97cf5636cb9b6cb5b38dfcafd5e7e0b2576936 |
| SHA512 | 279159d84ec2ab32a247548391bf5ac322c81df852abcfe0453e771ab6c175c6ebd34c00642e6a559a99d95e4b83e0b899282a611a4aedf4157be959642f4b07 |
memory/4720-131-0x00007FF76B830000-0x00007FF76BB84000-memory.dmp
memory/3100-126-0x00007FF7C2570000-0x00007FF7C28C4000-memory.dmp
C:\Windows\System\jhXbILX.exe
| MD5 | 716746c1c98b6eaa7a33740b95c6ba54 |
| SHA1 | 72551143c6ca792a25cefe9ce72543f15c6f399a |
| SHA256 | 90ae3e50e7b791ee5240a671a2e7c488bc168353e10b73446f89f2aff7f1f3ee |
| SHA512 | fc12d969919f257cb50eee372bc8ed6115a864992af58f601e1a0df82fa701db43d49026c98ac73c8a8ae68df8a805b3ac3e57fee9cf4b98a1c125fae078ccf6 |
memory/3328-135-0x00007FF6468F0000-0x00007FF646C44000-memory.dmp
memory/5040-136-0x00007FF6C03E0000-0x00007FF6C0734000-memory.dmp
memory/2600-137-0x00007FF6B7E50000-0x00007FF6B81A4000-memory.dmp
memory/1432-138-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp
memory/2452-139-0x00007FF78BF20000-0x00007FF78C274000-memory.dmp
memory/3184-140-0x00007FF71BE80000-0x00007FF71C1D4000-memory.dmp
memory/4180-141-0x00007FF7AA1A0000-0x00007FF7AA4F4000-memory.dmp
memory/4512-142-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp
memory/4064-143-0x00007FF79E2E0000-0x00007FF79E634000-memory.dmp
memory/3216-144-0x00007FF64CAA0000-0x00007FF64CDF4000-memory.dmp
memory/2268-145-0x00007FF6DB620000-0x00007FF6DB974000-memory.dmp
memory/4720-146-0x00007FF76B830000-0x00007FF76BB84000-memory.dmp
memory/2412-147-0x00007FF65EA20000-0x00007FF65ED74000-memory.dmp
memory/440-148-0x00007FF60E4D0000-0x00007FF60E824000-memory.dmp
memory/5000-149-0x00007FF7BB960000-0x00007FF7BBCB4000-memory.dmp
memory/4176-150-0x00007FF7201E0000-0x00007FF720534000-memory.dmp
memory/4000-151-0x00007FF6A2730000-0x00007FF6A2A84000-memory.dmp
memory/2172-152-0x00007FF779690000-0x00007FF7799E4000-memory.dmp
memory/4560-153-0x00007FF6F5920000-0x00007FF6F5C74000-memory.dmp
memory/4308-154-0x00007FF7748A0000-0x00007FF774BF4000-memory.dmp
memory/3100-155-0x00007FF7C2570000-0x00007FF7C28C4000-memory.dmp
memory/3328-156-0x00007FF6468F0000-0x00007FF646C44000-memory.dmp
memory/5040-157-0x00007FF6C03E0000-0x00007FF6C0734000-memory.dmp