Analysis Overview
SHA256
2f3f74dd2e0ca6101248ec33d475c73ba34c1c43015893578491093eaaa16045
Threat Level: Known bad
The file 2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
Xmrig family
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-28 08:54
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 08:54
Reported
2024-06-28 08:56
Platform
win7-20240611-en
Max time kernel
145s
Max time network
153s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jzwhznN.exe | N/A |
| N/A | N/A | C:\Windows\System\ylUbueS.exe | N/A |
| N/A | N/A | C:\Windows\System\sXFIVxl.exe | N/A |
| N/A | N/A | C:\Windows\System\myHTCjq.exe | N/A |
| N/A | N/A | C:\Windows\System\kZKqYyu.exe | N/A |
| N/A | N/A | C:\Windows\System\CmnFeak.exe | N/A |
| N/A | N/A | C:\Windows\System\MrcvupK.exe | N/A |
| N/A | N/A | C:\Windows\System\gKWNKWt.exe | N/A |
| N/A | N/A | C:\Windows\System\lGAuzrZ.exe | N/A |
| N/A | N/A | C:\Windows\System\pFHGXRF.exe | N/A |
| N/A | N/A | C:\Windows\System\lDkAesH.exe | N/A |
| N/A | N/A | C:\Windows\System\oyifRkS.exe | N/A |
| N/A | N/A | C:\Windows\System\dlsamby.exe | N/A |
| N/A | N/A | C:\Windows\System\crGxLAq.exe | N/A |
| N/A | N/A | C:\Windows\System\muHqEsa.exe | N/A |
| N/A | N/A | C:\Windows\System\MsBoNQk.exe | N/A |
| N/A | N/A | C:\Windows\System\IVQXnhf.exe | N/A |
| N/A | N/A | C:\Windows\System\bludnCn.exe | N/A |
| N/A | N/A | C:\Windows\System\jOCgGCj.exe | N/A |
| N/A | N/A | C:\Windows\System\sBQheAP.exe | N/A |
| N/A | N/A | C:\Windows\System\RsaTOJi.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\jzwhznN.exe | C:\Windows\System\jzwhznN.exe |
| C:\Windows\System\ylUbueS.exe | C:\Windows\System\ylUbueS.exe |
| C:\Windows\System\sXFIVxl.exe | C:\Windows\System\sXFIVxl.exe |
| C:\Windows\System\myHTCjq.exe | C:\Windows\System\myHTCjq.exe |
| C:\Windows\System\kZKqYyu.exe | C:\Windows\System\kZKqYyu.exe |
| C:\Windows\System\CmnFeak.exe | C:\Windows\System\CmnFeak.exe |
| C:\Windows\System\MrcvupK.exe | C:\Windows\System\MrcvupK.exe |
| C:\Windows\System\gKWNKWt.exe | C:\Windows\System\gKWNKWt.exe |
| C:\Windows\System\lGAuzrZ.exe | C:\Windows\System\lGAuzrZ.exe |
| C:\Windows\System\pFHGXRF.exe | C:\Windows\System\pFHGXRF.exe |
| C:\Windows\System\lDkAesH.exe | C:\Windows\System\lDkAesH.exe |
| C:\Windows\System\oyifRkS.exe | C:\Windows\System\oyifRkS.exe |
| C:\Windows\System\dlsamby.exe | C:\Windows\System\dlsamby.exe |
| C:\Windows\System\crGxLAq.exe | C:\Windows\System\crGxLAq.exe |
| C:\Windows\System\muHqEsa.exe | C:\Windows\System\muHqEsa.exe |
| C:\Windows\System\MsBoNQk.exe | C:\Windows\System\MsBoNQk.exe |
| C:\Windows\System\IVQXnhf.exe | C:\Windows\System\IVQXnhf.exe |
| C:\Windows\System\bludnCn.exe | C:\Windows\System\bludnCn.exe |
| C:\Windows\System\jOCgGCj.exe | C:\Windows\System\jOCgGCj.exe |
| C:\Windows\System\sBQheAP.exe | C:\Windows\System\sBQheAP.exe |
| C:\Windows\System\RsaTOJi.exe | C:\Windows\System\RsaTOJi.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\jzwhznN.exe
| MD5 | 51729c3da86c1b4728ca6e9ddc809131 |
| SHA1 | cc6e15ad9e3910354e372d2f05878c142af2cde7 |
| SHA256 | e8b818ec3aa0a4874357d562f97ab1d13e8c496dbf3c64e98afbd32622c74f17 |
| SHA512 | 4f0ed8125365a6847df6478031e3030fd7c4340265dfbba76fc7647c4af2c9cbd9486e48bf0c8920ef16d18065e03c3d0f59162644478ae2b0d7dbe560e1a7c4 |
C:\Windows\system\ylUbueS.exe
| MD5 | d90fe16f1f4d7441cffc678cfe1ee3c8 |
| SHA1 | 4b11a7c0c561693bf71344cb40dd7951ff318055 |
| SHA256 | 0806f5f4be4006192a445322534fe8f150621b67d9d59d4d4aaae42bc6f9c458 |
| SHA512 | 052c5d879b2f3ad4fb168fb25d5c87f04219fd33fb481ca3f8d895bf2f1975ebd4ebe537744fb00d4d507996ef9b0dc4ec02ac1b336963da16f64f4ef5842d1d |
C:\Windows\system\sXFIVxl.exe
| MD5 | 47ce30f018104f8bffa48c7db6d06010 |
| SHA1 | f6ce14ed1f80468ee4fba2cdf439f8975d1ac5e1 |
| SHA256 | cef7ae694a009d4e93b3d11623f89265f67f98f2c4b1f769a6ef1a11c6dc5b7a |
| SHA512 | 541d731f41f99177c36f65106835418e607314c58faf717619b0e9367cc95abafcdde2ed623ca6064fbdb70f1f5d718fc2bcbdc8316d13e40d9a4909b7290cbd |
\Windows\system\myHTCjq.exe
| MD5 | c3ab34d1ed5fb21a4d2b6a549e25fe03 |
| SHA1 | 6310fd15c68a80443e4f3c346e22d8a4ab88b12f |
| SHA256 | 8c709f15465464cc077fc691be477810cb9e7f111b8e444e196a6fcc1594e7ca |
| SHA512 | 8f247392ea977ba41c45a0c0d51688c825d80b97869c129c5e40dfb75aee739dc3d91a64b797445e10b354b3cc1f0f45cbabc5a4442eaa97f0ddcbcf3defd0bd |
C:\Windows\system\CmnFeak.exe
| MD5 | ecc743a81a9eaa246d9d72d28a0bc8c9 |
| SHA1 | 9c83719e43c226de8b728b8be4b39f508d40116b |
| SHA256 | 26f0fc6e6ff4d53502d2629e9e40ba6f39bfbbfe6a0225923950f0291180c906 |
| SHA512 | 546576aba1abe781b521d95535820484cd8c740b4f03e957dd8f509d5dd42a58f2eea76afc8bb49a3a2f0fbad5daa0f867b3d6fa1f48b30294de798689c70a43 |
C:\Windows\system\kZKqYyu.exe
| MD5 | c8cee0fd3d877e0086512364a2d4f076 |
| SHA1 | f22308158d3c3500d0df97fda11181606da2762c |
| SHA256 | 0190aa0bc19a6a31ba80f75e338f491824abc781884207b619fd398c34327fba |
| SHA512 | 45630c653877ad7693abd0e63bd345595e066b0fb99299fdade5f414e00b17105b55c0f5a5d3eb6b689fd953f0b2c2bc709b5309043a3042c3833b04a64463bc |
C:\Windows\system\MrcvupK.exe
| MD5 | e92968ac6ed825a650296d6f9c1546e9 |
| SHA1 | 374e0fe1fc3197c92e926389f2115c24c3c835b0 |
| SHA256 | 213cbd3ba6ee8bb0b1238e971c31a5552e1ffcfc9afeac8ff6adc6a8f857faee |
| SHA512 | fb0b3ff689c539843fed2f78692acc06bc1d3272ec18368e3a2ba18723001b2b7876397a3d07ff6981f3873fce7c970964e11f64fda1b95628a490c5de8ae0a9 |
\Windows\system\pFHGXRF.exe
| MD5 | b72fe27debb83eb8b85976d1dec4e017 |
| SHA1 | d2886586116af260f694f7245bc3204b521324cb |
| SHA256 | 3a839a17f075528efe150d1bfddb035362e939b7ced9308a64356486229488e7 |
| SHA512 | 98c59117256f95e508858856094295069b81dbafea51a11987f5f823bb7f47de6baac0da44ce052096b4a6445341d9bc66de0fe403b93b05df4e911df5f3f27d |
C:\Windows\system\lGAuzrZ.exe
| MD5 | ceaccb77fff0ab7af75c5cbcae0f769d |
| SHA1 | 0a86f7f0f9f0129a8f48bcd1aeae52ec5f8c7a1e |
| SHA256 | 00f682c1c07e168a98f10d795dc8757ef0e106da391ff1af982be455c06fdb15 |
| SHA512 | d63ceec8a54cd782caefcabc5f04b91ab6e9f58c202bdb29e489d493cc332bfb99a20dd6e58d9ac4d167d38734c333eef335479e772104d400baed0e8416af3f |
\Windows\system\lDkAesH.exe
| MD5 | 04a769ccf1b395e0a420b4f7db88ed73 |
| SHA1 | fb515c25af84da0abd26af16d84be39a1c90131f |
| SHA256 | 41fbeac887d0b9018b49d8101b4d5e052dc05704459e7a01c874788d613110e7 |
| SHA512 | 35b515ddb01582711eb039796312875d25fb3dfb91ec780e52cb09c45f1d6ff39674cc766dd683a4728d196631f7bdbb68f8f11884d0682931356f1d25ec1ab6 |
C:\Windows\system\crGxLAq.exe
| MD5 | d80d0abe49b41186e3567473f0b15277 |
| SHA1 | 93cbe7817e58120d315dde4ea0998405c6acf3cd |
| SHA256 | cda7fcff9c72da45de746545b9ce2bd94b1bbcd3532a1d7f4b5bc4a3873545ab |
| SHA512 | c0d2989a209125d3d9b4efeba5cc692e4240acf01210b5c4adb2b56d11c9734d81f84f40c0a1d42187501bce794efe2847b1d2020398ed396478df1361fbffc8 |
C:\Windows\system\muHqEsa.exe
| MD5 | 21c6c4b8ca17e09ff67508695c69a0e0 |
| SHA1 | e992fef3e53ba09e52deb57ddfeb95d2203015be |
| SHA256 | 398cb21553db5f76926ddeaba72f1bc6e0d5de165037ebde60d087c0d88d6fc8 |
| SHA512 | 6dd543592c7b4d4223eb5a69623069cbe1b4cf0fcb2ee66c5dbec5b0d17629fe7e7cd9520aee2745b27cda48b2a48d4974edd7f93ed3712ecec2d17d55a97bae |
C:\Windows\system\bludnCn.exe
| MD5 | 9dad1ab64f42c0376100563007c26c8e |
| SHA1 | 0fbaf533b69c077d31f9bcb8964c45648be7bd61 |
| SHA256 | 6950c00d9c29964293b711646aafc36d6b4003b38b57dc225a42ab6b005cf821 |
| SHA512 | 7ed831332c6a89b409a6d9aa9a29eaac98a7227c68bf7fca7e1048e6a448d58cf873915d33e2620e0a4fc3b45ff4e64370536801294bfe1d6ea693a66842fc02 |
C:\Windows\system\jOCgGCj.exe
| MD5 | 4719290b7aed3c852fded4cf2924a9ae |
| SHA1 | df9efff468fe05c56c2cb2ce1f365475b9894233 |
| SHA256 | 4b62a8221931c836ce713e88379126f5e8f3019ef7b934b30e3bceaf254393ae |
| SHA512 | 4e9cba5dcc432d3a6b24ad127831e57736b4190edab7a6fbf9e695596c974db810228c0d115c2060a4967f233adbd61b9a000cc770d4d65c9299300ad6846ea7 |
\Windows\system\RsaTOJi.exe
| MD5 | c5894dba8cc845157776aecc776844f1 |
| SHA1 | e094c988ab37f7ca89adfb418692b12cb95547e6 |
| SHA256 | 8a6c4949a7550166e2b932b2c52121519eee6607c7764d4ce826ae4476e259fa |
| SHA512 | 04b36cf98bb76e6c2099480d28bce1949a57b87025c7ab45a70be60f62120f449c0d3a87f1ae130b4fbbc9c5f096a9d1d0cb478af8fb4bca715e2355408e5011 |
C:\Windows\system\sBQheAP.exe
| MD5 | 5c77f98353de222fd7186e52da695999 |
| SHA1 | 1cedda969a5713d12c50fd1ac5a04b6980a7e87a |
| SHA256 | c5b2808da02e66ac8f4d496c8ac20407f577e9b54e760631219453ea58f3d9ae |
| SHA512 | 85fce90b213db623fb3804330b4ecf36e10e8856f1e48babc9e49351eb58cea42accd1820bd0e4c2202131a7bf92f924ad0c7e9aab5d31d473da875db1172b80 |
C:\Windows\system\IVQXnhf.exe
| MD5 | 53433358aa71179dee7e30bb8d044fb9 |
| SHA1 | 4bb58199b3e6bb81a421ace1347ec6400f51c3c8 |
| SHA256 | 7ad3ea671f41ddd0f8b413fece4ff2eeffc72900abaca2d54f6acadfc57ff839 |
| SHA512 | 14ad8a65f3ed7348ecd3a99e820376ab741d9798234abb9e143b625b07c5f1edc9f942fd9f0b36e5cfbf31d473628b0ad8a455f0fada51a868a3fd56dcca6c3c |
C:\Windows\system\MsBoNQk.exe
| MD5 | 0442ea9eebab2cfef71dcda7220314d1 |
| SHA1 | 2ef93edc0de993b4a9eb22283e2d3835503def09 |
| SHA256 | e3cf4f3dd9d66d6c55498e9665a16d2ec60e1b05d6df3601a9ff42c6a2680c2a |
| SHA512 | ac91cf2bdd670dbf57cc5250d64750b434bb7b9feab37d07babba4bc30bf53ca0f0ba13b277ec28935bba0350f78485fc1d5496f354705815f252064a519b6ff |
C:\Windows\system\dlsamby.exe
| MD5 | a9f4c347b65675b19ca783a2de332a20 |
| SHA1 | 3389c98302319a73da3552d953058eabc591c749 |
| SHA256 | 7fcef199989ff68fbb768118d3b0e9d731a694870ce62c7aa1bcf5e132551f7c |
| SHA512 | 825a235b1bbf5fbcae416cb858a92ae5090cf7987e4522f44f994e187eb465792810874d6db0fe5bb378bff416089f82795de15f1f2ced6060509d9761183d37 |
C:\Windows\system\oyifRkS.exe
| MD5 | 8caf9f92d9adc013578fb41f9e6066f3 |
| SHA1 | f9799f5ecfa703e16ff44adb0eba65aa7290c35e |
| SHA256 | 84c14b55221f1b0ede2dd2d9ac7689c5b734820949cde34bc640d57b020e4ce2 |
| SHA512 | 50810509990a56ca467d1c56b061d92b46bceec2dc252b6bacf0418f03d95d6c30cd5766aab64df0256c1cf9fe9d5233c5ccd32ce376c0e1eba7dbe53eceeb85 |
C:\Windows\system\gKWNKWt.exe
| MD5 | d99f92f062da6539221f0da0f54fc649 |
| SHA1 | 43ca18d322a878b4626a5785668c2aa92b249880 |
| SHA256 | 120ef754360950452f59696bd05df21233458c046bf9a2a0639da4f79bace97e |
| SHA512 | ac0631e821de29315707d66e23ac3f036afde6ad6d5c625e75ef857a9a485235349804c247f0dbf2c7a9cee589590fa5915330dba43616cbf8fd3e6e7e7050d0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 08:54
Reported
2024-06-28 08:56
Platform
win10v2004-20240611-en
Max time kernel
146s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WREElkz.exe | N/A |
| N/A | N/A | C:\Windows\System\ktuTlBK.exe | N/A |
| N/A | N/A | C:\Windows\System\YMkoNzY.exe | N/A |
| N/A | N/A | C:\Windows\System\WisVfco.exe | N/A |
| N/A | N/A | C:\Windows\System\PFWKrcH.exe | N/A |
| N/A | N/A | C:\Windows\System\tkVCSwn.exe | N/A |
| N/A | N/A | C:\Windows\System\ZPvOauh.exe | N/A |
| N/A | N/A | C:\Windows\System\BRVVOpv.exe | N/A |
| N/A | N/A | C:\Windows\System\lYadaPZ.exe | N/A |
| N/A | N/A | C:\Windows\System\evyPust.exe | N/A |
| N/A | N/A | C:\Windows\System\AALVWcc.exe | N/A |
| N/A | N/A | C:\Windows\System\xGzhlLb.exe | N/A |
| N/A | N/A | C:\Windows\System\LLYfBFn.exe | N/A |
| N/A | N/A | C:\Windows\System\bOkenoV.exe | N/A |
| N/A | N/A | C:\Windows\System\zlYIIuC.exe | N/A |
| N/A | N/A | C:\Windows\System\UmDPUmh.exe | N/A |
| N/A | N/A | C:\Windows\System\CLdXvsC.exe | N/A |
| N/A | N/A | C:\Windows\System\ezjVzOI.exe | N/A |
| N/A | N/A | C:\Windows\System\izBpcYL.exe | N/A |
| N/A | N/A | C:\Windows\System\rwkSAGE.exe | N/A |
| N/A | N/A | C:\Windows\System\XSvnsZD.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\WREElkz.exe | C:\Windows\System\WREElkz.exe |
| C:\Windows\System\ktuTlBK.exe | C:\Windows\System\ktuTlBK.exe |
| C:\Windows\System\YMkoNzY.exe | C:\Windows\System\YMkoNzY.exe |
| C:\Windows\System\WisVfco.exe | C:\Windows\System\WisVfco.exe |
| C:\Windows\System\PFWKrcH.exe | C:\Windows\System\PFWKrcH.exe |
| C:\Windows\System\tkVCSwn.exe | C:\Windows\System\tkVCSwn.exe |
| C:\Windows\System\ZPvOauh.exe | C:\Windows\System\ZPvOauh.exe |
| C:\Windows\System\BRVVOpv.exe | C:\Windows\System\BRVVOpv.exe |
| C:\Windows\System\lYadaPZ.exe | C:\Windows\System\lYadaPZ.exe |
| C:\Windows\System\evyPust.exe | C:\Windows\System\evyPust.exe |
| C:\Windows\System\AALVWcc.exe | C:\Windows\System\AALVWcc.exe |
| C:\Windows\System\xGzhlLb.exe | C:\Windows\System\xGzhlLb.exe |
| C:\Windows\System\LLYfBFn.exe | C:\Windows\System\LLYfBFn.exe |
| C:\Windows\System\bOkenoV.exe | C:\Windows\System\bOkenoV.exe |
| C:\Windows\System\zlYIIuC.exe | C:\Windows\System\zlYIIuC.exe |
| C:\Windows\System\UmDPUmh.exe | C:\Windows\System\UmDPUmh.exe |
| C:\Windows\System\CLdXvsC.exe | C:\Windows\System\CLdXvsC.exe |
| C:\Windows\System\ezjVzOI.exe | C:\Windows\System\ezjVzOI.exe |
| C:\Windows\System\izBpcYL.exe | C:\Windows\System\izBpcYL.exe |
| C:\Windows\System\rwkSAGE.exe | C:\Windows\System\rwkSAGE.exe |
| C:\Windows\System\XSvnsZD.exe | C:\Windows\System\XSvnsZD.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| BE | 88.221.83.208:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 208.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4576-0-0x00007FF6BED30000-0x00007FF6BF084000-memory.dmp
memory/4576-1-0x000001F58CEB0000-0x000001F58CEC0000-memory.dmp
memory/4564-6-0x00007FF633020000-0x00007FF633374000-memory.dmp
C:\Windows\System\WREElkz.exe
| MD5 | 2e97420167fb64e18cc9ca28bfa75d2b |
| SHA1 | 350941f6e98a5bdfcfde239620bb7bb963de86e6 |
| SHA256 | 31092e2dda8e206e02e307cee8a03df461c47c7cf2e26af2c0a3b42f90fdf23f |
| SHA512 | 269aeeffb34948a1870f7df8201f4e367e70b2a0c4e932feb9b64191295a7c934ca587383ce52e7bbf3330219e4344024838da4d3c0a73ad8637aac5a9db6eea |
C:\Windows\System\ktuTlBK.exe
| MD5 | d582a6a01a77a3440c61f34b0fe4e230 |
| SHA1 | 7eec56dda791626df330de4e87260b0951fbc48b |
| SHA256 | 7e4e842e53e1e9ebbc3cfa3068528994eeeaef464874a5921967d4def07a22fb |
| SHA512 | 649d82dd6df269ddbd566521f78d0ea18ef47243efbbd2bb7086440740133c72c11119d4a34cd81a2fcecb83f8162f7777c78a90f57fdf151cfb39e83e330770 |
C:\Windows\System\YMkoNzY.exe
| MD5 | 2353f37b7256b070dada891d936bb6cb |
| SHA1 | e5bb2fb38920b5e7a499a6fc2ed66b22339db6bd |
| SHA256 | 8d25fceb01e5c23ce1be93e9da41ed6de94c4eba0ab39a02dab874c76e9ae4de |
| SHA512 | 94e01c0309b68cd65c84183a6c41ed253152ef476b71be37a7f9c063c3c088b95425d4b2772e6ba8443214fb2eee98284954284bf772a7073e47acdb6360fae6 |
memory/3180-14-0x00007FF79CCD0000-0x00007FF79D024000-memory.dmp
C:\Windows\System\WisVfco.exe
| MD5 | 74480f5fd61db5bedfc49e79d11fc5f3 |
| SHA1 | b809ee3168dc3678f23ce286336636063ee6b3b9 |
| SHA256 | 04786d68e01564807b97c5acd6dff45cbde52db60f0ca4fd892b7d5ebc1c5f26 |
| SHA512 | 68964f68144fa24c45e104f02d50e1ac5cbbf6d8e0c9d75b0a69ae06d64be56b6bc33796036c2359a383c27ddee9d614e218adddb5965a68a9a9e613441c6bc2 |
memory/3172-22-0x00007FF7AD4F0000-0x00007FF7AD844000-memory.dmp
memory/1672-30-0x00007FF6A2400000-0x00007FF6A2754000-memory.dmp
C:\Windows\System\PFWKrcH.exe
| MD5 | 7b8e791968975d097d470eb64963772f |
| SHA1 | 13e62fc43351c8fd38ba5d3c1500c02d542c2f16 |
| SHA256 | 421563e545e3080dcb01325d8f5694f052ee1c2ec124eea4a6d569a73bc2532e |
| SHA512 | 661c382880cc632414637891adf114f23e36873e038a6d8a9a1e3923f0bf541259e9e1a3edd92ca8748b17e0becc6ca58aa49c47e9950a82072163608cc7bae9 |
memory/992-29-0x00007FF7CF5A0000-0x00007FF7CF8F4000-memory.dmp
C:\Windows\System\tkVCSwn.exe
| MD5 | 3923c9eda7305b9cdaaee1f125969e64 |
| SHA1 | ae4a584bf8f9a5232e777362068fad0d2dfa9dfd |
| SHA256 | 97ee9ca63611e384c7ebe1744e1db4604458246beac850c24cc40d602df40867 |
| SHA512 | 32bc00414b26f2f828fb466e707f9ce5d4d7fa35a94c7c6b6ad7a7103f3500d5c619b1650213b2d86b404001bf1e73b831a681a085a7c1d238a5bf52c2b27712 |
memory/212-36-0x00007FF67D300000-0x00007FF67D654000-memory.dmp
C:\Windows\System\ZPvOauh.exe
| MD5 | 0b813103d726851486c6657dfb7071bf |
| SHA1 | d912c5af715e1342cc7b38510e6bb6be3e3be6a5 |
| SHA256 | d313126ff495e69bd8e1071b17c9cb1a447fbcd4bfa2a48030a7626e5a1fc3a9 |
| SHA512 | b21ec15a78fbcaa86f6d334616d644c028a08ad39e38b41d84a225056e5a45b574fb0c06bbed290cf80319b4cee8d6284d0354006a58187191244c72412fb66e |
memory/2052-43-0x00007FF6CAD60000-0x00007FF6CB0B4000-memory.dmp
C:\Windows\System\BRVVOpv.exe
| MD5 | 589cd0068374c190c8fcbc2be58fbf3b |
| SHA1 | dc3652ae1e72b9edd981b4a8d886dfa599b8c92b |
| SHA256 | 23836c531ae8d4dd5afbfefa7516f53cbc271fc8dae77760dc49b800e0eb9379 |
| SHA512 | 3e367269dd213eebcd64cdd227978cfd62210f13fe43659ffea7645939d90d800f2842b1aab430da08f319a0569b0b605e01d2132b22cb7ba8ac1ac905681f48 |
memory/5040-50-0x00007FF7ADBD0000-0x00007FF7ADF24000-memory.dmp
C:\Windows\System\lYadaPZ.exe
| MD5 | 27ead8a8294727bdcd34c3fddabc1b7e |
| SHA1 | 7fdcf617a43c428f13827283902fc5945bc585c6 |
| SHA256 | 9d42144b6df2324527ad5da2aa66dec6b47cfc853ed058885a551d386af4dc06 |
| SHA512 | ea262208d497af77e213bcc00a8c03d99ec77f937f5d64c58fd99410433819c30304740aad391ff217c6aa003cafc3a5362802f1ba0c48482f7eaef375010eab |
memory/3964-56-0x00007FF60D100000-0x00007FF60D454000-memory.dmp
C:\Windows\System\evyPust.exe
| MD5 | 4ef419874e8249312b73bfef814b31cb |
| SHA1 | 183550d08dca60c688ecf66a3cdb4a3839ccf071 |
| SHA256 | 7bee0dc7e6f2a779c39b963fba83defcf965b5ed398358a81a1f445be83402ec |
| SHA512 | 07096073ebfe1ff60782dabd9c13b8f348486ff252a2c7f71f55e943bbfe588c78aee591c92eb81e3fb069188020a959ad4919a2f8eb3685ee25d0525ab7fdd7 |
memory/2104-62-0x00007FF6437F0000-0x00007FF643B44000-memory.dmp
C:\Windows\System\AALVWcc.exe
| MD5 | 080eb3712014524e7756ec60ac2bc36a |
| SHA1 | 3df5ec5b3abd787f5b3ba4ed9cbef3a3d0565c11 |
| SHA256 | 022501c4ee817ae19cba0563a1534f3f26fa63ddfc4f7fdfb3a95456bb31a5e9 |
| SHA512 | e6a33e8b2882058eda702671a1b8406818be558a78370e5bf284a7470d465620204cf1ae23cab99ed3aa59d882a51d726b2528104cc784ea30ef8b886570d0b9 |
C:\Windows\System\xGzhlLb.exe
| MD5 | 93fe94c9114223e3a4a2036db506f8d1 |
| SHA1 | 0182df05fe794d306643a356cf86dad6891abb4e |
| SHA256 | 69548643a3a477c9ab5a501c3632bb3109c361c633e2c5eb877f4499cf69773d |
| SHA512 | c15cc1bc09accc5ef847ed837d9f01b7d14b0ebb5da5eeeb4790a024bea1aed63643709f40c4b91127cfa2b5a1bf12d5d04d665a47ff2144170730ed53e196f6 |
memory/5008-74-0x00007FF68D4E0000-0x00007FF68D834000-memory.dmp
memory/4564-73-0x00007FF633020000-0x00007FF633374000-memory.dmp
memory/4612-67-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp
memory/4576-66-0x00007FF6BED30000-0x00007FF6BF084000-memory.dmp
C:\Windows\System\LLYfBFn.exe
| MD5 | 60d8fbabb9afe92aeea81740a53e1a11 |
| SHA1 | 4bd2490ea772574c4570e4474214897501e1ba38 |
| SHA256 | 4655948ab714660861506c280f5efc21aceae25a83c73b72391d74b8930ce536 |
| SHA512 | ceb5c203d4223eb59d8da439d8623f93b1eb2d2a714b606dd99c072381766ac4dddc244cc445e9012e583195eff214d6710509caf41967376a19d8c1e39f8169 |
C:\Windows\System\bOkenoV.exe
| MD5 | 76ad9bace674a166087241d14b0864e2 |
| SHA1 | d2f37a19356725fb56f592aaf4a895cd1dd7524e |
| SHA256 | 484495042896c78655e9c6b96f5c4a7e5cb7dfa8ae8f34928126e742b2ba5794 |
| SHA512 | dbd848f66c39d1367be4e66e3d9d5ec7095a810c61b5420d445a2a09046cc4397dc33f89ec586a4c91d340dfd66ae24e1a7c6d38430db837e35b5f7b5b306247 |
memory/992-86-0x00007FF7CF5A0000-0x00007FF7CF8F4000-memory.dmp
C:\Windows\System\zlYIIuC.exe
| MD5 | 8ac9cd37608839cd740b567d843cd2f2 |
| SHA1 | 7c57cb37161b1401a08823da5deee60514521d1b |
| SHA256 | 94fcdcc0dc2ec66a8a2d1af618e661d14ef298f1c3087e174cd7795295d967aa |
| SHA512 | feffcfe59d0e1a4e0c823e8818676864bc42c6648f5121e23e42da0ac47dfe24809ec175b9e57ab471d62708642afed6fded9ab351812ee2339d86057f402d19 |
memory/1812-97-0x00007FF723330000-0x00007FF723684000-memory.dmp
memory/2584-100-0x00007FF768730000-0x00007FF768A84000-memory.dmp
C:\Windows\System\CLdXvsC.exe
| MD5 | 043412b264da8a1235d52ad11c40d47a |
| SHA1 | a7455081d79b8be1f2ba017c920d24731b08c55d |
| SHA256 | 79129eb783e98511fa879b6f4b59e57d29121f0aa687282ea08ada522d28d67b |
| SHA512 | d55d82e05c6861a0c45250cb58bf95eeedf08cdfe72aabc2a4872f388515a561a209460a37da9a27d821fa4e286c802dab0505f7bd47ce856e6432c044a5fbb9 |
C:\Windows\System\UmDPUmh.exe
| MD5 | 423d43dedfdb8c3e3db70d5601364076 |
| SHA1 | 5220a1e35724b49c5dfb8fcd8963031aa92344b6 |
| SHA256 | 4b44d8a95b847bb0ddae06ad4c1d967a9649710f3f2023b3a8d602d717a92560 |
| SHA512 | c3fac5adc655344f2111a5896ff91a1a6dee4a68d6f218b74d4e5833c87cd46eb3a49d8e3e4c551431227f4f6387b7b0cf52809f38d50cdd5434febf4ab238ea |
memory/212-103-0x00007FF67D300000-0x00007FF67D654000-memory.dmp
memory/1672-99-0x00007FF6A2400000-0x00007FF6A2754000-memory.dmp
memory/1568-94-0x00007FF650130000-0x00007FF650484000-memory.dmp
memory/3472-88-0x00007FF709BC0000-0x00007FF709F14000-memory.dmp
memory/2052-109-0x00007FF6CAD60000-0x00007FF6CB0B4000-memory.dmp
memory/4908-110-0x00007FF73E500000-0x00007FF73E854000-memory.dmp
C:\Windows\System\ezjVzOI.exe
| MD5 | 99baa6468c3e457e93d639ea6a81dd13 |
| SHA1 | 210b787a308476f90d91b778c4c02ebb29ad0432 |
| SHA256 | 2406c97afc655121135ef9357c1bc47bed1bc2efb6f0453522049b37ebe109e9 |
| SHA512 | e4cba7390b07bd739c8281f6228e2c9595e96dec33d5376eb5c6ee1d11f7302def55812b5e227e74a63f2cfed6edf0ab18bdae0604879dc016528322c0828aa5 |
memory/4288-116-0x00007FF786260000-0x00007FF7865B4000-memory.dmp
C:\Windows\System\izBpcYL.exe
| MD5 | e4b0c53e607524fda40f4a2bb2cdc332 |
| SHA1 | 6c300cc3f517c512c0d8ffd619b9fca6bdc106e6 |
| SHA256 | b2f469e213ed18717621e6e85a241f3e77a9c7a7eb83167e7a62d76f8e9cc7b5 |
| SHA512 | 7f1322c901b085b04bc6b6c95b0afad9d84ba42e1eebd6f2df4e4b149ee128940ed646547c130f52378710c916899ad725c15c2c1c00cde302fd00fed0fb15d2 |
memory/4776-122-0x00007FF7B15F0000-0x00007FF7B1944000-memory.dmp
C:\Windows\System\rwkSAGE.exe
| MD5 | 70a18c92275972f23134ef04e2bc916d |
| SHA1 | 8c24c4bb8908a053b15cbe7ac1bf51ea14772f90 |
| SHA256 | 9e32c66f39ae885b1eb4a78bc36b0614845d813c4f3a21332584c6d4a872cfe9 |
| SHA512 | 092ee9ff52b75da906fd3923cbdf68c368d2bd1dc711cb2e7cb8a80e2fe2bd57503dbf047b6a8fb6bcc1b44bf41a671fd600bc4fef55be02dd6f215f6278eef9 |
memory/4152-127-0x00007FF6069B0000-0x00007FF606D04000-memory.dmp
C:\Windows\System\XSvnsZD.exe
| MD5 | 8763604ac65cf52064661de042809197 |
| SHA1 | e6f9f73eebb02ff53fa007a2c6e604facaa742bd |
| SHA256 | a7bdcc0aba7b81194568f6bf72f9fff505db6d8b44c3ef167bce639b0356f44e |
| SHA512 | b0873002363594813534cc4d8d307a3f8435ebd59ee1233379c7e96e5a465ae0fdfce8915e767d8f881eb2800eb303f567a82b4a10b0e2fd13c588b6a9949b76 |
memory/4612-133-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp
memory/3404-134-0x00007FF6C0820000-0x00007FF6C0B74000-memory.dmp
memory/5008-135-0x00007FF68D4E0000-0x00007FF68D834000-memory.dmp
memory/2584-136-0x00007FF768730000-0x00007FF768A84000-memory.dmp
memory/4152-137-0x00007FF6069B0000-0x00007FF606D04000-memory.dmp
memory/4564-138-0x00007FF633020000-0x00007FF633374000-memory.dmp
memory/3180-139-0x00007FF79CCD0000-0x00007FF79D024000-memory.dmp
memory/3172-140-0x00007FF7AD4F0000-0x00007FF7AD844000-memory.dmp
memory/992-141-0x00007FF7CF5A0000-0x00007FF7CF8F4000-memory.dmp
memory/1672-142-0x00007FF6A2400000-0x00007FF6A2754000-memory.dmp
memory/212-143-0x00007FF67D300000-0x00007FF67D654000-memory.dmp
memory/2052-144-0x00007FF6CAD60000-0x00007FF6CB0B4000-memory.dmp
memory/5040-145-0x00007FF7ADBD0000-0x00007FF7ADF24000-memory.dmp
memory/3964-146-0x00007FF60D100000-0x00007FF60D454000-memory.dmp
memory/2104-147-0x00007FF6437F0000-0x00007FF643B44000-memory.dmp
memory/4612-148-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp
memory/5008-149-0x00007FF68D4E0000-0x00007FF68D834000-memory.dmp
memory/3472-150-0x00007FF709BC0000-0x00007FF709F14000-memory.dmp
memory/1568-151-0x00007FF650130000-0x00007FF650484000-memory.dmp
memory/1812-152-0x00007FF723330000-0x00007FF723684000-memory.dmp
memory/4908-153-0x00007FF73E500000-0x00007FF73E854000-memory.dmp
memory/2584-154-0x00007FF768730000-0x00007FF768A84000-memory.dmp
memory/4288-155-0x00007FF786260000-0x00007FF7865B4000-memory.dmp
memory/4776-156-0x00007FF7B15F0000-0x00007FF7B1944000-memory.dmp
memory/4152-157-0x00007FF6069B0000-0x00007FF606D04000-memory.dmp
memory/3404-158-0x00007FF6C0820000-0x00007FF6C0B74000-memory.dmp