Analysis Overview
SHA256
5e950ef4a9d97474734858be635001e4bbf87d895c2c1df1519ba9a0823b33c2
Threat Level: Known bad
The file 2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
xmrig
Cobaltstrike family
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobaltstrike
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-28 00:10
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 00:10
Reported
2024-06-28 00:13
Platform
win7-20240508-en
Max time kernel
138s
Max time network
148s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WqACcaO.exe | N/A |
| N/A | N/A | C:\Windows\System\ushYuyS.exe | N/A |
| N/A | N/A | C:\Windows\System\WhoTtuV.exe | N/A |
| N/A | N/A | C:\Windows\System\EKgFJHc.exe | N/A |
| N/A | N/A | C:\Windows\System\CFlOswV.exe | N/A |
| N/A | N/A | C:\Windows\System\FRXIIDn.exe | N/A |
| N/A | N/A | C:\Windows\System\hQhKKJV.exe | N/A |
| N/A | N/A | C:\Windows\System\egzYhee.exe | N/A |
| N/A | N/A | C:\Windows\System\ReNPdbO.exe | N/A |
| N/A | N/A | C:\Windows\System\QbfasNE.exe | N/A |
| N/A | N/A | C:\Windows\System\ChPgvIM.exe | N/A |
| N/A | N/A | C:\Windows\System\OHfHQdG.exe | N/A |
| N/A | N/A | C:\Windows\System\aIWNosM.exe | N/A |
| N/A | N/A | C:\Windows\System\jgFjCke.exe | N/A |
| N/A | N/A | C:\Windows\System\ZPGtEfO.exe | N/A |
| N/A | N/A | C:\Windows\System\xrQTSoA.exe | N/A |
| N/A | N/A | C:\Windows\System\wLdxPVQ.exe | N/A |
| N/A | N/A | C:\Windows\System\wvbKalt.exe | N/A |
| N/A | N/A | C:\Windows\System\KuZZchi.exe | N/A |
| N/A | N/A | C:\Windows\System\aOxNwMt.exe | N/A |
| N/A | N/A | C:\Windows\System\MahYcQZ.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\WqACcaO.exe | C:\Windows\System\WqACcaO.exe |
| C:\Windows\System\ushYuyS.exe | C:\Windows\System\ushYuyS.exe |
| C:\Windows\System\WhoTtuV.exe | C:\Windows\System\WhoTtuV.exe |
| C:\Windows\System\EKgFJHc.exe | C:\Windows\System\EKgFJHc.exe |
| C:\Windows\System\CFlOswV.exe | C:\Windows\System\CFlOswV.exe |
| C:\Windows\System\FRXIIDn.exe | C:\Windows\System\FRXIIDn.exe |
| C:\Windows\System\hQhKKJV.exe | C:\Windows\System\hQhKKJV.exe |
| C:\Windows\System\egzYhee.exe | C:\Windows\System\egzYhee.exe |
| C:\Windows\System\ReNPdbO.exe | C:\Windows\System\ReNPdbO.exe |
| C:\Windows\System\QbfasNE.exe | C:\Windows\System\QbfasNE.exe |
| C:\Windows\System\OHfHQdG.exe | C:\Windows\System\OHfHQdG.exe |
| C:\Windows\System\ChPgvIM.exe | C:\Windows\System\ChPgvIM.exe |
| C:\Windows\System\aIWNosM.exe | C:\Windows\System\aIWNosM.exe |
| C:\Windows\System\jgFjCke.exe | C:\Windows\System\jgFjCke.exe |
| C:\Windows\System\ZPGtEfO.exe | C:\Windows\System\ZPGtEfO.exe |
| C:\Windows\System\xrQTSoA.exe | C:\Windows\System\xrQTSoA.exe |
| C:\Windows\System\wLdxPVQ.exe | C:\Windows\System\wLdxPVQ.exe |
| C:\Windows\System\wvbKalt.exe | C:\Windows\System\wvbKalt.exe |
| C:\Windows\System\KuZZchi.exe | C:\Windows\System\KuZZchi.exe |
| C:\Windows\System\aOxNwMt.exe | C:\Windows\System\aOxNwMt.exe |
| C:\Windows\System\MahYcQZ.exe | C:\Windows\System\MahYcQZ.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\WqACcaO.exe
| MD5 | 8b96c595c1dae64314892bc4fdf35487 |
| SHA1 | 8d14ffe2374f836edce80c3b4e1552eed0f32c11 |
| SHA256 | 7b383c5eeba71bbfd156b1d431cdb4d23d2df84ff1f32938a5a0078e013d86b0 |
| SHA512 | e0b687e07fb1e83819a038129467be5de71c4b63cb292eb0f7eb80906a3a7c25131bb125301ba0e8dfd882bee46670d4236615417a726211e92ab1f3d1a3b603 |
\Windows\system\WhoTtuV.exe
| MD5 | b23b6c2b803a9a42909247ef7727e250 |
| SHA1 | becbe66505e7e67734524d2a19700bdb151d20ad |
| SHA256 | 519ae91e68a12973dda338cc593e421dced7875f6bcde31539786a2a52e91643 |
| SHA512 | 42d0bf19f31fb516cac11cf87ed75cc7f346eb57688c91a65db11b64dad2c52dd22a7a174c894c908fdbec3aeaae17bf5d5f3b32cf5220ab0994a503cf23855c |
C:\Windows\system\ushYuyS.exe
| MD5 | ebea477ca9eaf038b389b28b5a6eeb25 |
| SHA1 | 50bda73ec4f69c3252d2f2bfbb913bfd1f65027d |
| SHA256 | f84497ce3340369cd837f350919b06afb351fab2b62c4d0b78c3241011946f96 |
| SHA512 | 1de9aa441079553cf36e80f0786ae7abd4f80fa21b6a3a5f92e2019d56d893b219988da1ecba39d7be8d8266d05db8c0bc9b55a8c0e7b49b37e84d412276efe7 |
C:\Windows\system\EKgFJHc.exe
| MD5 | 660ed8b15812fb92ee3e08432107c291 |
| SHA1 | f8b904709b37f30df67d76f22607c828658765a2 |
| SHA256 | ea382f7f86598247c64d0c224ebbf9ec470611de891d03dae2458409eac3e1e0 |
| SHA512 | 9b1837a9b586b968476e831823faa56b7c3b0b0442d493f0e11b47f7042aba68bcc4ffebae9a0e120e6588fbcda95cf0bc2a9c27b84c09dd2e9e27cdbe49c9b1 |
\Windows\system\FRXIIDn.exe
| MD5 | 0c00286b484e1015a3af70fcd20fac6b |
| SHA1 | 34a6462cd3eb145c4ae67c19af0f3fa206d474f6 |
| SHA256 | 28028adbe0569f12f6782ed963537a50d3eaae4fe7243aaa9c53041109c09735 |
| SHA512 | 0b53a505836660962d325b1d28ab3f5df21b62401b521c2827801ce12c4a38211e9f441e97b4769656aa0b4401b030f712534177243be9af56b3b767d557ba42 |
C:\Windows\system\CFlOswV.exe
| MD5 | 4c2700265a477514ae869b928004b222 |
| SHA1 | 487b9e44140b5de743d73c35e5358deb55b75adf |
| SHA256 | 3549d964391710c9a7bba11604775bcb06fab93d5cfa9c5d6a26c4964bc43c5a |
| SHA512 | f4d170692823b74b42c3cd354ad3b348658f4ead4c62f4201eb4de5fad099ed515f056b499d0c2c64fcde7b1449c09e9534122e0035f9d338db6b49f18eebea3 |
C:\Windows\system\hQhKKJV.exe
| MD5 | e0483791709f07396a89b81baafe2a5f |
| SHA1 | 6ba9128db7ed7d30ce6e49fa655bdddc13da3b2d |
| SHA256 | 4eb09f8a1b17c24817d2d244f3d9fbad1a1009c12d17c97d557707797ae1688f |
| SHA512 | 03a8eb3629be98091c5eedbffc8dc4332a62a9c5ff212b0997c4ec4e54df4a604beb06dd3f5d4227e80ee72cc46dc8b9215e7af7bef56af74c94c6a6677791ab |
C:\Windows\system\egzYhee.exe
| MD5 | 421952eba9ae773cca0c5e47367a7984 |
| SHA1 | 2744cb3b7e5fb9eaf378323fc4549efafe7936ee |
| SHA256 | a28308ff574f7c95d2c2aea421938ad22f5aed932342f356624a8adf404c0869 |
| SHA512 | c410926238faa4fae2b30667e8d081b25953200dbfcd8cc8036d33b785bcf824aa3dcc2ac0e90de6535c2af16835a53869fe9fdaec37b6824209c3233c664515 |
\Windows\system\ReNPdbO.exe
| MD5 | 1a63f03d3fcc47a945a2ce9b35869b49 |
| SHA1 | 7d4abdbd3ac139d1deea0f8b68d4acced3fc60d7 |
| SHA256 | 4d01c0b6d463b7dbaa4b0b06b4a49da8d2b46b43aa10d23c65895cfe6f6c05c7 |
| SHA512 | 80bb2d98e2bdc3f55597c6a91a579597ee8b8d50cae12410e1adb7086eb8790511d42a00c7ef1122acdc9d8e5f414e7bb3a92b3c6909676f44cb5aadfe79949e |
C:\Windows\system\QbfasNE.exe
| MD5 | 6618ca68d1fbda48657357e707660294 |
| SHA1 | c1a2fae97f457f313d995f595dca7b05a792f50c |
| SHA256 | 72ac63c051370672a376bacaed3b6a08ec22d52ba8dd240b6af3b76228c8182a |
| SHA512 | bf58202f2fd311be41c175ca1ca2fd4632d0d0ecdba6068c77898449f8ed45644f809d1f6b18d8226aefd1ab680567169bb97a5367c62d5a22cd739459aa877c |
C:\Windows\system\aIWNosM.exe
| MD5 | c85977f95230e125ab8b12a5f2556a6a |
| SHA1 | affc4b48cb49fb1cccf2f7f7d487c0cbe8d6c9fd |
| SHA256 | 27128ad88d077d2ad4edde2fca3a082155d69f59710643b57b58c3b5530c72d1 |
| SHA512 | 168dcf782ec5d48e0978d2e5b4a6504ea5c90b4e01fd095bd263fd98bd9d17e64640efb2b778f2455e32749529b08191bbf38814eda40e52e5a6ecc894c138c1 |
C:\Windows\system\ZPGtEfO.exe
| MD5 | 0d84652e9ad70d950880f1cc836187d0 |
| SHA1 | b453a900b60f870c1b75636eb6f5dcaf59f76bba |
| SHA256 | aeb4f615a9b6469fa28f74853875d89640e3198b3fadfa4180026367c599cb39 |
| SHA512 | 7d6f585526a820a23f4d9e3b01845a25ed6e309c7a80cf43db6c779bf45125c0a7f8f64e40744255bc50d4a19a17538041d4716c187c1d9922b751d9ef671f61 |
\Windows\system\MahYcQZ.exe
| MD5 | eec06933508c1ade25bed401dc66e446 |
| SHA1 | c9bdf5bc6083f4cd7a0cb503e04dcfd553d9f6fa |
| SHA256 | 8883724078a7053d4d1f41576bc8ee44a89399b4f5928fbf1ff97b2d4a474821 |
| SHA512 | 21cbd09947f6433a2d6b284cab306de9d2c8151c1c470a5ce1b723f04fc4d0dc49ec414b048f5a38ac64085e74eb63399a4c0a00120d4e0fd26704a0417800d7 |
C:\Windows\system\aOxNwMt.exe
| MD5 | 8c3024f86303362435c96d7de765be5e |
| SHA1 | 7b77dda01a4a03cb3b9968ef810c506acb423396 |
| SHA256 | 198ba9c4ef29194aa9e4adbea9dd13d1a069e720cc61a1e9b389fe87ae02f087 |
| SHA512 | 705a88a6b90c3e1ad2f916247dc470c424f69b2a9c2c1aa8134f4ceac9cf63125716900ef7de60b44606f13c92a2452a9565d96c5ee17adc916a419d47a48c14 |
C:\Windows\system\KuZZchi.exe
| MD5 | 56b2d82381019dda9e83bfa53cd63566 |
| SHA1 | 489e1abd1bb6c9362cb7ed8b64140c156d8221c1 |
| SHA256 | 31d68223a7fec7e58d8ca14817f5915b727dc57b12684a8732113340c06b9418 |
| SHA512 | ae406e51571608fdf5b30e81306eb5a368d4b49137910d6da018eaa2daa7f68471a101d3ae9de505af0b37bbb5e0462ad06f2845a383bb4d45b92ac2d64b2fee |
C:\Windows\system\wvbKalt.exe
| MD5 | de1133e02163229a539f3451ddada152 |
| SHA1 | d0e026f51d46781903f90d649cdbde1cc366ef56 |
| SHA256 | a5165d5819a188b664da232c09174fece6f3fab1ff98020b5007fafd49b42a6a |
| SHA512 | eb056a7cf35a61c80aef7a41ec88bb0bf02a67009142b00e1670ac6d4e71d89ad5b3bd852e1f64429b14897941f9ed38647855ca2f7f459e9612c1b61e50bb54 |
C:\Windows\system\wLdxPVQ.exe
| MD5 | c91fdbc000d57cf428d1a6cfc9e214c1 |
| SHA1 | 7080b7dd6187a432645a3c1e727bf89786c47eeb |
| SHA256 | 7f9ce5e4c87f25011517827b326d4c131279f33159a4982e689378bc72fc5ebd |
| SHA512 | 17366b931353865aa1bb630a819eff85d43a491286a1cc58100bc565cce528ca355aeb76f3b1a17688719d228e809bd3e023cfa492f5c23909c435e9b7ebc162 |
C:\Windows\system\xrQTSoA.exe
| MD5 | 0d3fb20c3db1ae04e271510e002fa2cb |
| SHA1 | b46f1795b03fb84c2591cb3fdff92f0584c65a2a |
| SHA256 | 8b6de5bf8d8e29651e090dc7dbe17ee3b5a7c21a41c8020ec2a52c3a7f537292 |
| SHA512 | ef87ca9a4b9ce32d00593a3b7473556a18bd466d17975dd416e96ba0a87e07fc161e4dcb76834a38522b502a77376a40c004e4a5f9b4cb4ce7593fe98cba0c70 |
C:\Windows\system\OHfHQdG.exe
| MD5 | ea31510d93f3d1764cb3fa210c7050dd |
| SHA1 | 3bcd0ae6f50b1696dc657e3fb76b0c76872ff1bb |
| SHA256 | 49004d3532cd0fe44acf071aa526ee95d263d69b16c75b2a3474ae5a53601cf5 |
| SHA512 | b2f872a5a131a282fbb9c0269b586fc73300811322b02924318289e758ebac55be2cf6729629b644fcfb9c3a9908cf160c1d283918e876945b898bb05bc334ef |
C:\Windows\system\ChPgvIM.exe
| MD5 | 107ce33af51165d9d8e39381a0cb3f33 |
| SHA1 | 5a8d57c4a3dc77b299219b5572e51ba132c3475b |
| SHA256 | f40e726410ff595ee4ec48315a654b5491435f7c69d1303c316aeed2d41cbffd |
| SHA512 | f70671c8decdbe250bc6aea490df75a40f9561a0843d8492fa920d78c392ea08b42d12ad58fdebe03fbfd8cc36dddfb861c6755bc110552dee636de6a94cfad1 |
C:\Windows\system\jgFjCke.exe
| MD5 | 8a83d5c75f9a25ddd6ac868ef457fb89 |
| SHA1 | ece777369aa1878fe91be83cce01da455b1e35b8 |
| SHA256 | d6fed4710d31e81dbea5cecd1a48be1e5e63c40346c0ad6f6a28a5b8af7b249b |
| SHA512 | 6cbcb3903b9b377267cfb5a49cec25dd05d4733fc8e29ef1b50a225d2ccc039ab993a7b8002742686f0bc87626236932bc27baabed0208b0a2653cffc5afcb4e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 00:10
Reported
2024-06-28 00:13
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
148s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WqACcaO.exe | N/A |
| N/A | N/A | C:\Windows\System\ushYuyS.exe | N/A |
| N/A | N/A | C:\Windows\System\WhoTtuV.exe | N/A |
| N/A | N/A | C:\Windows\System\EKgFJHc.exe | N/A |
| N/A | N/A | C:\Windows\System\CFlOswV.exe | N/A |
| N/A | N/A | C:\Windows\System\FRXIIDn.exe | N/A |
| N/A | N/A | C:\Windows\System\hQhKKJV.exe | N/A |
| N/A | N/A | C:\Windows\System\egzYhee.exe | N/A |
| N/A | N/A | C:\Windows\System\ReNPdbO.exe | N/A |
| N/A | N/A | C:\Windows\System\QbfasNE.exe | N/A |
| N/A | N/A | C:\Windows\System\OHfHQdG.exe | N/A |
| N/A | N/A | C:\Windows\System\ChPgvIM.exe | N/A |
| N/A | N/A | C:\Windows\System\aIWNosM.exe | N/A |
| N/A | N/A | C:\Windows\System\jgFjCke.exe | N/A |
| N/A | N/A | C:\Windows\System\ZPGtEfO.exe | N/A |
| N/A | N/A | C:\Windows\System\xrQTSoA.exe | N/A |
| N/A | N/A | C:\Windows\System\wLdxPVQ.exe | N/A |
| N/A | N/A | C:\Windows\System\wvbKalt.exe | N/A |
| N/A | N/A | C:\Windows\System\KuZZchi.exe | N/A |
| N/A | N/A | C:\Windows\System\aOxNwMt.exe | N/A |
| N/A | N/A | C:\Windows\System\MahYcQZ.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\WqACcaO.exe | C:\Windows\System\WqACcaO.exe |
| C:\Windows\System\ushYuyS.exe | C:\Windows\System\ushYuyS.exe |
| C:\Windows\System\WhoTtuV.exe | C:\Windows\System\WhoTtuV.exe |
| C:\Windows\System\EKgFJHc.exe | C:\Windows\System\EKgFJHc.exe |
| C:\Windows\System\CFlOswV.exe | C:\Windows\System\CFlOswV.exe |
| C:\Windows\System\FRXIIDn.exe | C:\Windows\System\FRXIIDn.exe |
| C:\Windows\System\hQhKKJV.exe | C:\Windows\System\hQhKKJV.exe |
| C:\Windows\System\egzYhee.exe | C:\Windows\System\egzYhee.exe |
| C:\Windows\System\ReNPdbO.exe | C:\Windows\System\ReNPdbO.exe |
| C:\Windows\System\QbfasNE.exe | C:\Windows\System\QbfasNE.exe |
| C:\Windows\System\OHfHQdG.exe | C:\Windows\System\OHfHQdG.exe |
| C:\Windows\System\ChPgvIM.exe | C:\Windows\System\ChPgvIM.exe |
| C:\Windows\System\aIWNosM.exe | C:\Windows\System\aIWNosM.exe |
| C:\Windows\System\jgFjCke.exe | C:\Windows\System\jgFjCke.exe |
| C:\Windows\System\ZPGtEfO.exe | C:\Windows\System\ZPGtEfO.exe |
| C:\Windows\System\xrQTSoA.exe | C:\Windows\System\xrQTSoA.exe |
| C:\Windows\System\wLdxPVQ.exe | C:\Windows\System\wLdxPVQ.exe |
| C:\Windows\System\wvbKalt.exe | C:\Windows\System\wvbKalt.exe |
| C:\Windows\System\KuZZchi.exe | C:\Windows\System\KuZZchi.exe |
| C:\Windows\System\aOxNwMt.exe | C:\Windows\System\aOxNwMt.exe |
| C:\Windows\System\MahYcQZ.exe | C:\Windows\System\MahYcQZ.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files