Analysis Overview
SHA256
33f46ef55469f3ec834da05b32b19fbd2d6dde0cee007399470beae879ea3801
Threat Level: Known bad
The file 2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
Cobaltstrike
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobalt Strike reflective loader
XMRig Miner payload
Detects Reflective DLL injection artifacts
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-28 08:52
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 08:52
Reported
2024-06-28 08:54
Platform
win7-20240220-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\BlANNKq.exe | N/A |
| N/A | N/A | C:\Windows\System\XXSnQgC.exe | N/A |
| N/A | N/A | C:\Windows\System\MipylSz.exe | N/A |
| N/A | N/A | C:\Windows\System\FlvqaMe.exe | N/A |
| N/A | N/A | C:\Windows\System\DVSMxEq.exe | N/A |
| N/A | N/A | C:\Windows\System\qyXxwfE.exe | N/A |
| N/A | N/A | C:\Windows\System\eJPtKCI.exe | N/A |
| N/A | N/A | C:\Windows\System\CXRPSyD.exe | N/A |
| N/A | N/A | C:\Windows\System\oBxiNGR.exe | N/A |
| N/A | N/A | C:\Windows\System\JTwMjCE.exe | N/A |
| N/A | N/A | C:\Windows\System\CdfWzuY.exe | N/A |
| N/A | N/A | C:\Windows\System\IRJKkrI.exe | N/A |
| N/A | N/A | C:\Windows\System\QLmTKEM.exe | N/A |
| N/A | N/A | C:\Windows\System\AqBDFJO.exe | N/A |
| N/A | N/A | C:\Windows\System\oxwEPvy.exe | N/A |
| N/A | N/A | C:\Windows\System\kyrsBks.exe | N/A |
| N/A | N/A | C:\Windows\System\XzukAXA.exe | N/A |
| N/A | N/A | C:\Windows\System\LJgomjl.exe | N/A |
| N/A | N/A | C:\Windows\System\wXLpifw.exe | N/A |
| N/A | N/A | C:\Windows\System\PGYNcJM.exe | N/A |
| N/A | N/A | C:\Windows\System\LCQbLOQ.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\BlANNKq.exe
C:\Windows\System\XXSnQgC.exe
C:\Windows\System\MipylSz.exe
C:\Windows\System\FlvqaMe.exe
C:\Windows\System\qyXxwfE.exe
C:\Windows\System\DVSMxEq.exe
C:\Windows\System\eJPtKCI.exe
C:\Windows\System\CXRPSyD.exe
C:\Windows\System\oBxiNGR.exe
C:\Windows\System\JTwMjCE.exe
C:\Windows\System\CdfWzuY.exe
C:\Windows\System\IRJKkrI.exe
C:\Windows\System\QLmTKEM.exe
C:\Windows\System\AqBDFJO.exe
C:\Windows\System\oxwEPvy.exe
C:\Windows\System\kyrsBks.exe
C:\Windows\System\XzukAXA.exe
C:\Windows\System\LJgomjl.exe
C:\Windows\System\wXLpifw.exe
C:\Windows\System\PGYNcJM.exe
C:\Windows\System\LCQbLOQ.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 08:52
Reported
2024-06-28 08:54
Platform
win10v2004-20240611-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LiYLJmT.exe | N/A |
| N/A | N/A | C:\Windows\System\ZgyvXZV.exe | N/A |
| N/A | N/A | C:\Windows\System\EJancyI.exe | N/A |
| N/A | N/A | C:\Windows\System\ntpelzu.exe | N/A |
| N/A | N/A | C:\Windows\System\vjHhIUw.exe | N/A |
| N/A | N/A | C:\Windows\System\KFFbnBa.exe | N/A |
| N/A | N/A | C:\Windows\System\HAHxnPc.exe | N/A |
| N/A | N/A | C:\Windows\System\GBhLKUf.exe | N/A |
| N/A | N/A | C:\Windows\System\mygkGPX.exe | N/A |
| N/A | N/A | C:\Windows\System\ADolDPm.exe | N/A |
| N/A | N/A | C:\Windows\System\AjwakiQ.exe | N/A |
| N/A | N/A | C:\Windows\System\RVXkMXJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jlrCadd.exe | N/A |
| N/A | N/A | C:\Windows\System\ZOarXqV.exe | N/A |
| N/A | N/A | C:\Windows\System\dhvpRfu.exe | N/A |
| N/A | N/A | C:\Windows\System\MhAMemt.exe | N/A |
| N/A | N/A | C:\Windows\System\VJTtWjq.exe | N/A |
| N/A | N/A | C:\Windows\System\DyMvSyK.exe | N/A |
| N/A | N/A | C:\Windows\System\LDMbNjD.exe | N/A |
| N/A | N/A | C:\Windows\System\BTWzRya.exe | N/A |
| N/A | N/A | C:\Windows\System\uifkavW.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\LiYLJmT.exe
C:\Windows\System\ZgyvXZV.exe
C:\Windows\System\EJancyI.exe
C:\Windows\System\ntpelzu.exe
C:\Windows\System\vjHhIUw.exe
C:\Windows\System\KFFbnBa.exe
C:\Windows\System\HAHxnPc.exe
C:\Windows\System\GBhLKUf.exe
C:\Windows\System\mygkGPX.exe
C:\Windows\System\ADolDPm.exe
C:\Windows\System\RVXkMXJ.exe
C:\Windows\System\AjwakiQ.exe
C:\Windows\System\jlrCadd.exe
C:\Windows\System\ZOarXqV.exe
C:\Windows\System\dhvpRfu.exe
C:\Windows\System\MhAMemt.exe
C:\Windows\System\VJTtWjq.exe
C:\Windows\System\DyMvSyK.exe
C:\Windows\System\LDMbNjD.exe
C:\Windows\System\BTWzRya.exe
C:\Windows\System\uifkavW.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files