Analysis Overview
SHA256
b6e7b8e1d526534e6fea86caa155154b8377c5caee9f4588ae50af87d87842ef
Threat Level: Known bad
The file 2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobaltstrike family
xmrig
Cobaltstrike
Detects Reflective DLL injection artifacts
Xmrig family
XMRig Miner payload
Cobalt Strike reflective loader
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-28 08:57
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
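The static signatures above (UPX packed file, Unsigned PE) describe the outer layer of the sample; the "UPX dump on OEP" signature in the behavioral runs means the sandbox captured the unpacked image once execution reached the original entry point. Before detonating, an analyst normally confirms the packer from the PE headers. The following script is an added example and is not part of this report or of the sandbox's own detection logic. It decodes the section table by hand and applies three heuristics: UPX0/UPX1 section names, the `UPX!` marker UPX writes into its packed-data header, and the packer layout itself (a first section with no file bytes, entry point in the stub section after it). The `build_test_pe` helper produces synthetic, non-runnable PE32+ images for demonstration; it is not derived from the sample's bytes.

```python
import struct

# Stock UPX leaves three fingerprints on a PE: section names UPX0/UPX1,
# the "UPX!" marker of its packed-data header, and a first section that
# occupies no file bytes (SizeOfRawData == 0) because the unpacked image is
# written there at runtime, with the entry point in the stub section after it.
UPX_MARKER = b"UPX!"


def parse_pe(data: bytes) -> dict:
    """Decode just enough of a PE32/PE32+ header for the packer heuristics."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", data, coff + 2)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    opt = coff + 20
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize})
    return {"entry_rva": entry_rva, "sections": sections}


def section_of(sections, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def upx_indicators(data: bytes) -> dict:
    pe = parse_pe(data)
    secs = pe["sections"]
    ep_section = section_of(secs, pe["entry_rva"])
    upx_named = any(s["name"].upper().startswith("UPX") for s in secs)
    marker = UPX_MARKER in data
    first_virtual_only = bool(secs) and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0
    ep_outside_first = bool(secs) and ep_section is not None and ep_section != secs[0]["name"]
    if upx_named or marker:
        verdict = "upx"
    elif first_virtual_only and ep_outside_first:
        verdict = "packed-unknown"   # packer layout, but names and marker scrubbed
    else:
        verdict = "none"
    return {"verdict": verdict, "sections": [s["name"] for s in secs], "entry_section": ep_section,
            "upx_named": upx_named, "marker": marker, "first_virtual_only": first_virtual_only}


def build_test_pe(section_specs, entry_rva, tail=b"") -> bytes:
    """Construct a minimal, non-runnable PE32+ image for exercising the checks.

    section_specs: (name, VirtualAddress, VirtualSize, SizeOfRawData).
    Synthetic data; not derived from the sample in this report."""
    opt_size = 240                                          # PE32+ optional header size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_specs), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table, raw_ptr = b"", 0x400
    for name, vaddr, vsize, rawsize in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, rawsize,
                             raw_ptr if rawsize else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += rawsize
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x400, b"\0") + tail


if __name__ == "__main__":
    packed = build_test_pe([("UPX0", 0x1000, 0x4000, 0), ("UPX1", 0x5000, 0x1000, 0x800),
                            (".rsrc", 0x6000, 0x200, 0x200)], 0x5A00, tail=UPX_MARKER + b"\0" * 16)
    print(upx_indicators(packed))
```

The name and marker checks are trivially defeated with a hex editor, which is why the layout heuristic is kept as a fallback. A stock UPX layer usually unpacks with `upx -d`, but packed malware often has its headers modified so that fails, in which case the OEP memory dumps the sandbox produced are the practical route to the payload.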
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 08:57
Reported
2024-06-28 08:59
Platform
win7-20240221-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\MHpmsuV.exe | N/A |
| N/A | N/A | C:\Windows\System\RzeecdL.exe | N/A |
| N/A | N/A | C:\Windows\System\LQdDLvJ.exe | N/A |
| N/A | N/A | C:\Windows\System\NFDMZUu.exe | N/A |
| N/A | N/A | C:\Windows\System\uxEvXnP.exe | N/A |
| N/A | N/A | C:\Windows\System\hwKSfWz.exe | N/A |
| N/A | N/A | C:\Windows\System\Cxazprn.exe | N/A |
| N/A | N/A | C:\Windows\System\WnsIFbV.exe | N/A |
| N/A | N/A | C:\Windows\System\wCjDfSj.exe | N/A |
| N/A | N/A | C:\Windows\System\YWxWZZT.exe | N/A |
| N/A | N/A | C:\Windows\System\aceeiQL.exe | N/A |
| N/A | N/A | C:\Windows\System\GSKTtCF.exe | N/A |
| N/A | N/A | C:\Windows\System\VAFquol.exe | N/A |
| N/A | N/A | C:\Windows\System\AKushRZ.exe | N/A |
| N/A | N/A | C:\Windows\System\vfLtssc.exe | N/A |
| N/A | N/A | C:\Windows\System\UpjWaYb.exe | N/A |
| N/A | N/A | C:\Windows\System\IJQHAuw.exe | N/A |
| N/A | N/A | C:\Windows\System\uqdBvir.exe | N/A |
| N/A | N/A | C:\Windows\System\yDXbGqn.exe | N/A |
| N/A | N/A | C:\Windows\System\rVLFcGY.exe | N/A |
| N/A | N/A | C:\Windows\System\wXlnsUD.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
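Two behaviors in this run are cheap to detect on an endpoint: the "Executes dropped EXE" table shows every payload launched from `C:\Windows\System\` with a seven-letter random name (the legacy 16-bit directory, not System32, and nearly empty on a modern install), and the table above shows the sample enabling SeLockMemoryPrivilege, the "Lock pages in memory" right that XMRig requests so RandomX can use large pages. The script below is an added example, not part of this report or of any vendor's rule set. It runs both checks over a constructed event stream shaped like Sysmon event 1 (process creation) and Security event 4703 (token right adjusted) and correlates them; the allowlist of legitimate SeLockMemoryPrivilege users and the event field mapping are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Every dropped file in this report is C:\Windows\System\<7 letters>.exe.
DROPPED_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# "Lock pages in memory" is needed for large pages; XMRig enables it for
# RandomX. Assumed allowlist of legitimate users, matched by image basename.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}


@dataclass
class Event:
    """One normalized log record (constructed for this example).

    ("sysmon", 1): process creation, image = Image, parent_image = ParentImage.
    ("security", 4703): token right adjusted, image = Process Name,
    privileges = Enabled Privileges."""
    source: str
    event_id: int
    image: str
    parent_image: str = ""
    privileges: tuple = ()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events) -> list:
    findings = []
    for ev in events:
        if (ev.source, ev.event_id) == ("sysmon", 1) and DROPPED_EXE.match(ev.image):
            findings.append({"rule": "exe-in-windows-system", "severity": "high",
                             "image": ev.image, "parent": ev.parent_image})
        elif (ev.source, ev.event_id) == ("security", 4703):
            if ("SeLockMemoryPrivilege" in ev.privileges
                    and basename(ev.image) not in LOCK_MEMORY_ALLOWLIST):
                findings.append({"rule": "lock-memory-privilege", "severity": "medium",
                                 "image": ev.image, "parent": ""})
    # Correlation: the same image enabled SeLockMemoryPrivilege and spawned
    # executables out of C:\Windows\System, the chain seen in this report.
    lockers = {f["image"].lower() for f in findings if f["rule"] == "lock-memory-privilege"}
    spawners = {f["parent"].lower() for f in findings if f["rule"] == "exe-in-windows-system"}
    for image in sorted(lockers & spawners):
        findings.append({"rule": "miner-dropper-chain", "severity": "critical",
                         "image": image, "parent": ""})
    return findings


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed event stream modelled on the behavioral1 process tree in this
# report, mixed with benign activity that must not fire.
EVENTS = [
    Event("sysmon", 1, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    Event("security", 4703, SAMPLE, privileges=("SeLockMemoryPrivilege",)),
    Event("sysmon", 1, r"C:\Windows\System\MHpmsuV.exe", SAMPLE),
    Event("sysmon", 1, r"C:\Windows\System\RzeecdL.exe", SAMPLE),
    Event("security", 4703, r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
          privileges=("SeLockMemoryPrivilege",)),
    Event("sysmon", 1, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    Event("security", 4703, r"C:\Windows\System32\svchost.exe",
          privileges=("SeAssignPrimaryTokenPrivilege",)),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["severity"].upper(), f["rule"], f["image"], f["parent"])
```

Event 4703 is only logged when the "Audit Token Right Adjusted" subcategory is enabled, and it is very noisy (svchost adjusts token rights constantly), so filter on SeLockMemoryPrivilege at the collector rather than shipping every 4703 to the SIEM.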
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\MHpmsuV.exe
C:\Windows\System\MHpmsuV.exe
C:\Windows\System\RzeecdL.exe
C:\Windows\System\RzeecdL.exe
C:\Windows\System\LQdDLvJ.exe
C:\Windows\System\LQdDLvJ.exe
C:\Windows\System\NFDMZUu.exe
C:\Windows\System\NFDMZUu.exe
C:\Windows\System\uxEvXnP.exe
C:\Windows\System\uxEvXnP.exe
C:\Windows\System\hwKSfWz.exe
C:\Windows\System\hwKSfWz.exe
C:\Windows\System\Cxazprn.exe
C:\Windows\System\Cxazprn.exe
C:\Windows\System\WnsIFbV.exe
C:\Windows\System\WnsIFbV.exe
C:\Windows\System\wCjDfSj.exe
C:\Windows\System\wCjDfSj.exe
C:\Windows\System\YWxWZZT.exe
C:\Windows\System\YWxWZZT.exe
C:\Windows\System\aceeiQL.exe
C:\Windows\System\aceeiQL.exe
C:\Windows\System\GSKTtCF.exe
C:\Windows\System\GSKTtCF.exe
C:\Windows\System\VAFquol.exe
C:\Windows\System\VAFquol.exe
C:\Windows\System\AKushRZ.exe
C:\Windows\System\AKushRZ.exe
C:\Windows\System\vfLtssc.exe
C:\Windows\System\vfLtssc.exe
C:\Windows\System\UpjWaYb.exe
C:\Windows\System\UpjWaYb.exe
C:\Windows\System\IJQHAuw.exe
C:\Windows\System\IJQHAuw.exe
C:\Windows\System\uqdBvir.exe
C:\Windows\System\uqdBvir.exe
C:\Windows\System\yDXbGqn.exe
C:\Windows\System\yDXbGqn.exe
C:\Windows\System\rVLFcGY.exe
C:\Windows\System\rVLFcGY.exe
C:\Windows\System\wXlnsUD.exe
C:\Windows\System\wXlnsUD.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2060-0-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2060-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\MHpmsuV.exe
| MD5 | 50bf4460f112953c94fe2c9f917e8c00 |
| SHA1 | 7ff5ce5db6e55c9367e569c9e1dcb07a426efdda |
| SHA256 | dabf4815de2d3bcc2f0a5751a45bd728747810e4911795fc5b2e031b6a170067 |
| SHA512 | 0ddf8b1f4e08dee982ba831042cb1b92bcce8914cfad99279876e6c88f0c121e7b7602fd772a2b1b12faa8149fd7e6d9b81424623992444f39698587349e0ac3 |
memory/2060-7-0x0000000002230000-0x0000000002584000-memory.dmp
memory/1708-9-0x000000013FFB0000-0x0000000140304000-memory.dmp
\Windows\system\RzeecdL.exe
| MD5 | 8cbb926f903dd9a3dacc74c077cc11b9 |
| SHA1 | 5bb3b62d7379694709c295e5ff2b60996babbf47 |
| SHA256 | b387131428a13c9b293dcfabeacb260c70b4464d76e40e28e301a50cc5fb1efd |
| SHA512 | 3bee3c229185cf4a70217bffbcc6918a0a11073aa91629f800a28a1807b3b69991951a545e6b600b87fbfbe4cb9097a23db7f09342c498bff32c1b94067d9269 |
memory/2540-23-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2060-31-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2664-29-0x000000013F580000-0x000000013F8D4000-memory.dmp
\Windows\system\uxEvXnP.exe
| MD5 | 184849a10085de62283f3eb5319ce23c |
| SHA1 | 689ab107d24cf34af57396d7340f9ac899ab94f0 |
| SHA256 | 5198b98270a7e18cf8a36aa1fb3bb6ecfa0906a7bb4679f11627c6e1193df45d |
| SHA512 | a06e3d987af141c91cee3a53f37de89390a5f6107bc06d2749053472776085d880089539421c8e5be6184f231b189c79c564dcc60a334d85ce951e6b736026b7 |
memory/2060-28-0x000000013F580000-0x000000013F8D4000-memory.dmp
C:\Windows\system\NFDMZUu.exe
| MD5 | ebfc7e93ef375529b9b01368dbbe7b0b |
| SHA1 | 96983fe23be02c77eab2e2b83a17d1bb53bba6c8 |
| SHA256 | e8bb40c1cb52a75dad4aa9b549f156a55391311021a924f4b978a54e37aa53fd |
| SHA512 | 3038d038298667dffc516edbd10b3e630834c8ca302dcf4f1ebe8b605bc1c0329b533b709578bede6b176222481cb41e41acd6ba7236b400708f1ac1a31e0821 |
memory/2060-21-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2620-15-0x000000013FC60000-0x000000013FFB4000-memory.dmp
C:\Windows\system\LQdDLvJ.exe
| MD5 | 0adcc2c8acad3131146e03f671b92bab |
| SHA1 | 5fc109f374331768cc41ae343194848f40d22ecf |
| SHA256 | 2357d140c484e7b47e6f78e0ef162d9572a74f1bf847bef186ecd19a51bd35ac |
| SHA512 | 4b514f3f1bbae0153d720731121411db2f8f56302e5ebd56a965638024371d4c49da875f289a11e5cbcdbc78b848374487f543aac02c90e93fd6b147ea5e9607 |
memory/2060-14-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2836-36-0x000000013F660000-0x000000013F9B4000-memory.dmp
C:\Windows\system\Cxazprn.exe
| MD5 | 08e114764500a943daebaee780ebc3d9 |
| SHA1 | 11c64a8d706769f03fca90507932ea381e36c787 |
| SHA256 | c644810fd8b813fe7e629c4f9f0ab1de5f57fdf0372b7e6010bc631a7f901db1 |
| SHA512 | 4e3c0ae4b65120356a91885308c24541dbc2b4ca89192766476559558248590a1b42f071352bd373184f02cbf3aada2a20e7eb2ccd630945f46b09e2a0b6e982 |
memory/2960-51-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2060-57-0x0000000002230000-0x0000000002584000-memory.dmp
C:\Windows\system\YWxWZZT.exe
| MD5 | acf8e1daf304d380e4e719d735b7f4f7 |
| SHA1 | e8965176828973938c0c59147e642bdf25b2893f |
| SHA256 | dbbdfbc6d58a6a5cbc537a6aaca5c5cbef837860591243942956927a85149cca |
| SHA512 | 735acd26b5372ab96461c53e202298d3b9b3726aeeeb9a42ce7a3e8054664dd6922a5cfa49eb60eb88d69652b3a098e4a89fb96f8d62df28a94ec99dc6ee365b |
memory/2964-73-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/1800-81-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2540-87-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2772-97-0x000000013F190000-0x000000013F4E4000-memory.dmp
C:\Windows\system\IJQHAuw.exe
| MD5 | 6cb37ee073cca003df738c6f7061643a |
| SHA1 | 039389a3cef0d8b647254bc9b3162027614cf910 |
| SHA256 | 96a49d9fd3cfd04d63c48be25ed2f1a2c0b0e9e1608f136941406674dbee5231 |
| SHA512 | 235c91a34b209bd41a6675a7b824a5f676126328bd4a6e6c8622bdd418040f41386b43e0307f5a9b73d2f7271ce6bf28b98ec24300ebd32746fdcac467924642 |
C:\Windows\system\wXlnsUD.exe
| MD5 | 08b6e98468a63768175e751d1de0fdee |
| SHA1 | f3adec2a3e5ba96eb85a72d789784db1ffec5b7d |
| SHA256 | 42ce6e2938cefdbaa70f0d02d4a3d0229dadb791e2dd846b356a349003be6308 |
| SHA512 | 3eaf316ee6b73c5acf10bb98b4929bacc5da96136c17367f5fcbe410f275185abecd8f8ed561fec5baa9022f2ce9bed450947264a749dbc65e5d75f31a5092af |
C:\Windows\system\rVLFcGY.exe
| MD5 | 1d5d025b00757293ae3edc6c80f4f66b |
| SHA1 | c0d3abac55ed199f019a32dc682b825017d90123 |
| SHA256 | 08a5358eadcecbd0ee20ff27efb3a491eaa67faa7f4e405ce0a135e5f452a80a |
| SHA512 | 5afdfbc5c896d5c4b4d164c0d4072fa8e4d35d68b48948a5d973e84bd869727680718d7946c1c66745801fba148163a25f482173e1127298a9eabd9f00649407 |
C:\Windows\system\yDXbGqn.exe
| MD5 | b74769468363c6e793e2bac693f75700 |
| SHA1 | 38228baf52f0ee058b68f320294074395d0578d1 |
| SHA256 | b1816c5d5acf4f3495e6d3322ed2cbca491a11a9b1c96f83885592800bece437 |
| SHA512 | cbc4fcd904c46ce3968a7c2937cd580f9f40ecabc172e4b9bfa9592100b83595486d9415d65b3b39662da70043c81f42966fe927f4e72d68b9e5fe4cedd1bab9 |
C:\Windows\system\uqdBvir.exe
| MD5 | 54ecdd5d4a701cdf7d8fed45b492a655 |
| SHA1 | 631c2380281e866343c67c04de013c91494dd025 |
| SHA256 | a204a229f40fb9c24dcbe03bb22e4e22527ad86db9738f7c0fe84baa35e25cd7 |
| SHA512 | a9e0cd5aea77e9a81a9ab911d9dd4d954c48d67e093998f868233aaff0cc8e25ef429064a56593fe98f3992500f3468c9517ebd287900741af882d8f0cc1f794 |
C:\Windows\system\UpjWaYb.exe
| MD5 | 3c0e08a2934a54407ecca5d58b7a11d4 |
| SHA1 | f66560343c5502d70c1aa88c72e38a5457e98e76 |
| SHA256 | b42f3bd1b23e84173272508c595d439219d1143c877433e127fc55381ca230bb |
| SHA512 | b17aec4b28b00e708b5da7f338002d19cd6630bf9f88aaaa54e90078177260b73e3dbb740d8f09c559af285e4a93e6037ff01c50d909347c79a5b8875b89daa0 |
memory/2060-113-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/2592-141-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2836-110-0x000000013F660000-0x000000013F9B4000-memory.dmp
C:\Windows\system\vfLtssc.exe
| MD5 | 566df5483d640a89279c198e10c2cd9f |
| SHA1 | a9181e5b1a9337fbd89f7ad767597e6999c402fe |
| SHA256 | 72a132808891464a1e14a9011c26b21ce9e42b4fca45c98c30c9c37d30b91451 |
| SHA512 | 2089e94147d1ea6338e09775a9e94176899dfcfce4e6129addc9574f3e89e7a4e319558aa12a768a8fcce7e651617d166ce40973c64ea50d38ef0330251f4e10 |
memory/1936-104-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2060-103-0x000000013F8D0000-0x000000013FC24000-memory.dmp
C:\Windows\system\AKushRZ.exe
| MD5 | 6ec3badcc24e3cd623678a32a0317f75 |
| SHA1 | f72b1ce1a76a312d89d723cd1f5d130b8f22ab05 |
| SHA256 | 634556c51171995029ba71b8c7ed7144f7d6e6dedb03115f801641dd871ad63a |
| SHA512 | 2d48ba8dbc12bf7340f533129e9db2dc817fcc2b95403aa797fd5ec4ffdc9db004dced869a463ed683a61f74ce6989a7e3b49eea065341e311b361be694aa235 |
memory/2060-96-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/2664-95-0x000000013F580000-0x000000013F8D4000-memory.dmp
C:\Windows\system\VAFquol.exe
| MD5 | 0b9199b97cabcfb1b66443da63b980a6 |
| SHA1 | 5d2c33e7f9e9e8046d5bd68140bb2afc0faaa0eb |
| SHA256 | c856f0a0d8ad1d05b1f21e30989e1615c09e7eb8909ec2e491c736779d576533 |
| SHA512 | 7bd8ed11a82301469b3871a9d59d0a4f83b5a0c11526273d24a907739aaccd583fbe8559fa912994d2bb211b4feba2bef98dbb5424a289f2b89eba133524a259 |
memory/2700-89-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2060-88-0x0000000002230000-0x0000000002584000-memory.dmp
C:\Windows\system\GSKTtCF.exe
| MD5 | c191f4e13347af7d47569530792db3a8 |
| SHA1 | 4c1c4df608ff374f8c507b14a4bcbb53ded1d804 |
| SHA256 | e33dc5dcedd0a6b3e9871aa90774a1997db464524d0d2c9ebc9e803bb82e6949 |
| SHA512 | 2771917fb73e657cffd79f7573399a394185539bf906297941c0e97edddf7b3da5b1f76db1ff207f664e65785f4d638e2c4f9f860940bb99cc33a629af6943e5 |
memory/2060-80-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2620-79-0x000000013FC60000-0x000000013FFB4000-memory.dmp
C:\Windows\system\aceeiQL.exe
| MD5 | c1dbffd5b8a83f8f2397df4379fa3443 |
| SHA1 | 9648d41a5e47ae1c7c3cd8630bf12e599ff2b9ad |
| SHA256 | b57540c839d1960dcd49ea532f410e6a06b50b924f5c101233adc5f3a91899a0 |
| SHA512 | a34e04aa0056b67255526df8ecf69ab265117b816f9a8239b2814bbd73144247a31787671a8fec046f222c5ed19d4b7c12c4ceeff162ef671e629767d3c79e31 |
memory/2060-72-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/1708-71-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2464-63-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/2060-62-0x000000013FD40000-0x0000000140094000-memory.dmp
C:\Windows\system\wCjDfSj.exe
| MD5 | 6f7a0619192708554b2b32f4da5db3c0 |
| SHA1 | 4a00623c531c20853667746322fe347c6b1ad120 |
| SHA256 | 6185dce9806760ad5362e27e127d560cf2688f88b42d64f4a32aa45f348da1fe |
| SHA512 | caa7bb45afcb39d7794a2037a6304c5d3e8962ffe973f9a7d4b72bdc0071eb0c020187038bbe07f00c897e19fed11e43c8c31d07376a45d34b478fa260c6d0df |
memory/2488-58-0x000000013FE60000-0x00000001401B4000-memory.dmp
C:\Windows\system\WnsIFbV.exe
| MD5 | 91d729fb559c7a618ba16167c12df3ad |
| SHA1 | f87694ec70e7cb0179fe6f5efa8dfd45ff8757f1 |
| SHA256 | 0403b768e29ef99096e6910934b800c18bb7512b046018fd10259044b216bd7a |
| SHA512 | 89780678024283e478ca01a234484aeba093580bc6221baf2ca944e1ea6c38548f6218d04df9335e44a39efc9196aab3f1f917e54477166fb17287d71da862b7 |
memory/2464-142-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/2060-50-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2592-41-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2060-40-0x000000013F120000-0x000000013F474000-memory.dmp
C:\Windows\system\hwKSfWz.exe
| MD5 | bffabf183be2890b6970bb178865561f |
| SHA1 | 7cb9ccc296e92d55d6e99cf71cdbc5ce5acbfa8c |
| SHA256 | 0d4b65814b519e99cc77a317b5e07e845e8a7c3df6c28e22515236ec8f73f1d5 |
| SHA512 | 52f74adce0d9ae94424e4db2915c5500350d253adf11f5b236f3d749897b959a4259fcd8f707919a1f869c8ddde1c8ad134064260b35b1e6b760858d2ffd80fb |
memory/2060-143-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2060-144-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2060-145-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/2060-146-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2060-147-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/1708-148-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2620-149-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2540-150-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2664-151-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/2836-152-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2960-154-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2592-153-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2488-155-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2464-156-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/2964-157-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/1800-158-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2700-159-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2772-160-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/1936-161-0x000000013F8D0000-0x000000013FC24000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 08:57
Reported
2024-06-28 08:59
Platform
win10v2004-20240611-en
Max time kernel
139s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\cRKvRXj.exe | N/A |
| N/A | N/A | C:\Windows\System\AaxlnpQ.exe | N/A |
| N/A | N/A | C:\Windows\System\OThCdDh.exe | N/A |
| N/A | N/A | C:\Windows\System\DUEdZLp.exe | N/A |
| N/A | N/A | C:\Windows\System\WAhNSjE.exe | N/A |
| N/A | N/A | C:\Windows\System\AQHJNjI.exe | N/A |
| N/A | N/A | C:\Windows\System\sBMQtcZ.exe | N/A |
| N/A | N/A | C:\Windows\System\MfewGKo.exe | N/A |
| N/A | N/A | C:\Windows\System\yMBjtUl.exe | N/A |
| N/A | N/A | C:\Windows\System\vPYVTuH.exe | N/A |
| N/A | N/A | C:\Windows\System\qAiidTl.exe | N/A |
| N/A | N/A | C:\Windows\System\ylpHNBe.exe | N/A |
| N/A | N/A | C:\Windows\System\thyFzYj.exe | N/A |
| N/A | N/A | C:\Windows\System\mBdpTIJ.exe | N/A |
| N/A | N/A | C:\Windows\System\hUfZsFj.exe | N/A |
| N/A | N/A | C:\Windows\System\VTNyalh.exe | N/A |
| N/A | N/A | C:\Windows\System\nUJqVEE.exe | N/A |
| N/A | N/A | C:\Windows\System\ogTQsvj.exe | N/A |
| N/A | N/A | C:\Windows\System\jzYmbnd.exe | N/A |
| N/A | N/A | C:\Windows\System\trYiPPs.exe | N/A |
| N/A | N/A | C:\Windows\System\HKhzDpo.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\cRKvRXj.exe
C:\Windows\System\cRKvRXj.exe
C:\Windows\System\AaxlnpQ.exe
C:\Windows\System\AaxlnpQ.exe
C:\Windows\System\OThCdDh.exe
C:\Windows\System\OThCdDh.exe
C:\Windows\System\DUEdZLp.exe
C:\Windows\System\DUEdZLp.exe
C:\Windows\System\WAhNSjE.exe
C:\Windows\System\WAhNSjE.exe
C:\Windows\System\AQHJNjI.exe
C:\Windows\System\AQHJNjI.exe
C:\Windows\System\sBMQtcZ.exe
C:\Windows\System\sBMQtcZ.exe
C:\Windows\System\MfewGKo.exe
C:\Windows\System\MfewGKo.exe
C:\Windows\System\yMBjtUl.exe
C:\Windows\System\yMBjtUl.exe
C:\Windows\System\vPYVTuH.exe
C:\Windows\System\vPYVTuH.exe
C:\Windows\System\qAiidTl.exe
C:\Windows\System\qAiidTl.exe
C:\Windows\System\ylpHNBe.exe
C:\Windows\System\ylpHNBe.exe
C:\Windows\System\thyFzYj.exe
C:\Windows\System\thyFzYj.exe
C:\Windows\System\mBdpTIJ.exe
C:\Windows\System\mBdpTIJ.exe
C:\Windows\System\hUfZsFj.exe
C:\Windows\System\hUfZsFj.exe
C:\Windows\System\VTNyalh.exe
C:\Windows\System\VTNyalh.exe
C:\Windows\System\nUJqVEE.exe
C:\Windows\System\nUJqVEE.exe
C:\Windows\System\ogTQsvj.exe
C:\Windows\System\ogTQsvj.exe
C:\Windows\System\jzYmbnd.exe
C:\Windows\System\jzYmbnd.exe
C:\Windows\System\HKhzDpo.exe
C:\Windows\System\HKhzDpo.exe
C:\Windows\System\trYiPPs.exe
C:\Windows\System\trYiPPs.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| BE | 88.221.83.232:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 232.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.232:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4056-0-0x00007FF7DCBE0000-0x00007FF7DCF34000-memory.dmp
memory/4056-1-0x00000244D4CC0000-0x00000244D4CD0000-memory.dmp
C:\Windows\System\cRKvRXj.exe
| MD5 | 47c6fe5f9aa33aa471d007948fe27a6d |
| SHA1 | 8090ed93b7e67356cc175aca005f4982efb6b375 |
| SHA256 | e3d8d609e678b4c87efdeefa3f58c9a8c40017bf8c2f50b88eb581d69dd469ae |
| SHA512 | c71769fc58d549f14bdff299170b85311098e40632c99d6a52413f660ad49c6065fc4b19cfda713076c04f537f541e90850e699cf97a5bfcf97a8b8ec06d33c6 |
C:\Windows\System\AaxlnpQ.exe
| MD5 | b60ad4eb0cd4404c752bc02e68695f7e |
| SHA1 | 142c739370161259c57d849c47f5051cbd6aeb43 |
| SHA256 | f6d34ba6b2295a9c7f98f28f64011bdc5a401157cf07f21dbd342a89c2efe099 |
| SHA512 | 2139d0bd73d55138bac888877c7d0b71ce31eee350682adf4c8b4dae3ed54efbb8d58e0c24e9c0865198526ebb07c71ac4537560d7fc0de504ba3774175f6b97 |
C:\Windows\System\OThCdDh.exe
| MD5 | fa5782795918e133657e902c2e12e0c8 |
| SHA1 | 72fe9ceea7a0e08dbe37bb2219f6b6e2736cf033 |
| SHA256 | 5f2632102ff9402984416b28b4e2c7b20a356aa6e30ba10253fe3b4b7cd51356 |
| SHA512 | a90ffe9bb8861964cf3e10440585d50cc926b064794d022dcc5dc881f3c134bf7972e4eb6569fd6c0717d8d0bec0628a7f70f5fda9d66c4b783d2394f55eca25 |
C:\Windows\System\DUEdZLp.exe
| MD5 | 259d4883a32687d576ef5e539857aa72 |
| SHA1 | 92bb3c922b24276985bf492b04501ba715b5f7d7 |
| SHA256 | 13b46ca3ab604c84a652081358c09438810b35d5a940930ab0b55f1ee8f0556e |
| SHA512 | 8fb716d3a5fdca62d1a6e45e8a816495ee0463fdd8f769a508a78e46d5977183587be9c13e83d71c0a1fedf2ed2ae8a03e03279618b67d68d4eb12db4815e25e |
C:\Windows\System\WAhNSjE.exe
| MD5 | c64b2f8ecf1de0cee09658736450f57c |
| SHA1 | 0f44273b2f86ac7ff3e9e5263ab8cbceb169d8b1 |
| SHA256 | 0bfc266ef9bd7bf054dbe656af33b758ea6ed65548e8369f649518c839b4a5a3 |
| SHA512 | 0b34babbaa9ddde0ba220dd3c8fc39bd63a5a0fa6a0ae859b0c2e3692c6a9eee320d7d041d73743b9edb635f86d0b62061f5092217c85d9c6ebb58cad7a9ceed |
C:\Windows\System\sBMQtcZ.exe
| MD5 | 32e06ead863ffcbedd9e7d2497fe0a39 |
| SHA1 | ea01712e548bd927038ed4f5587d41bfa57cc8b0 |
| SHA256 | af112746753a0844eb3763c7cb55e8548291d13143738c2d176755396be15b72 |
| SHA512 | 627612e274d708a63faca477fc5c97b7406748bb19329a3760ced178c38faddb0482c31a9efaaa6a5dd0054400bb13f502885afd8c30bd7fa5e21f719d6f9256 |
C:\Windows\System\AQHJNjI.exe
| MD5 | 97c70550a0e3d9322c6053b18f6f559f |
| SHA1 | ff096d9e02d90a3c668bffa8bf34eb1c697218b6 |
| SHA256 | 3bcf5b2fc84e955f6a87aaf581cb7893756e8a506ad297113db05bb3c96ecc26 |
| SHA512 | 363daa840b7448b7bc75dc0da02da3380678591a9a03ec25177a5964de9056761772961b5c55ed9ae31871488e1f1023b5cba8d0c60cff09e2d734d945592ec1 |
C:\Windows\System\MfewGKo.exe
| MD5 | 94f1927e2fd49c35faeac0ab1a26c8c4 |
| SHA1 | cccfbdaff99603f9905f55d58de2dd6e8293c334 |
| SHA256 | f617ed6e8bdb59b31a79c5cda0f7a13c27ef93e795ceefe0672c48a6b92e8257 |
| SHA512 | 3ba00a6648218607aa939b85393657d3804df261093c40f3ad11568db20109d392e31c2cf82f0c00d5ab0195adb538124078455ba0648331a0a365644d8db55a |
C:\Windows\System\vPYVTuH.exe
| MD5 | a733823c2c52e94434405213b45667da |
| SHA1 | edcf0c6313b31dd1e596dd51a3e44e8c01e0fe9b |
| SHA256 | 5ac5e4434fc71092a3cf4e58216af874eb8a77508de66a4577bf39ebaacf224c |
| SHA512 | c4569d80e8ba01af2219d68ded884c8593c1160775446f220f2bd6aae58afa681271870f6fd7abd1a13ed5a49d9ff9089c5f8cb28c419f275b7f6292f52267da |
memory/432-60-0x00007FF77CB80000-0x00007FF77CED4000-memory.dmp
C:\Windows\System\yMBjtUl.exe
| MD5 | 0eeeba704d617656f71e2895cd2f01a3 |
| SHA1 | cad2bfb6d4235934ead84c0c51115fc42103652c |
| SHA256 | 60c62f8410427b258873a8155f471c2add99e216991ac4449eccf0907d575364 |
| SHA512 | 0951bb633219c935c2f0de7f1a2fa709f8a1d3f372fea7bfef3f4ec718a70d5ae7ccd34af5df7b274574735a930c00806f6b68e6c194f8d7f6c8c5e69075746a |
C:\Windows\System\qAiidTl.exe
| MD5 | 118c8c504bc36a71e52811a4f355511b |
| SHA1 | dc0a8484c9586fd7559b4a28864420b5e00d3abd |
| SHA256 | fc5c713c5ac2b364e38c6635e9c4a5ef6764e7804ce051c13dbdc4c6cd43b9ac |
| SHA512 | 69056b5799a97da0cf6ed43388080d890a7464ef010f61e4f354c9044358f6bace4737683ff959bae79999805ac560f44ec58cc40a38bacaf24e26122f0fe01e |
C:\Windows\System\ylpHNBe.exe
| MD5 | 88aef3a4d2cc0c6890550436dbaff7be |
| SHA1 | 97cebee61b792c7e1e83155237abea7f90aa39e8 |
| SHA256 | a6218cb746379f8e12a82aaf9f1cc08e573ab4a154a057dcf7e4ee2e6a5d3097 |
| SHA512 | b60ec9ccb7cca1c1bd923a14c7ada2cf2a22727dde0998f062f09568763ab470e7c007539ea6df1a893862b7a5ee6e36e62cf0cb23a8ca4e7efc265c082b4622 |
C:\Windows\System\thyFzYj.exe
| MD5 | ea349737ded8ebf864d91d027cb49d8a |
| SHA1 | 276a7365121c48d474d36dc37a2940116185160b |
| SHA256 | 02ed91c4236290fea5cd67d53f4493534f4145ca5dfc8d2f2b27ea1614f7ba5e |
| SHA512 | a2b686f1b9461c952544a51348c3e4cdb130103a7da744c94102ca3bf5140cfa1969613f7cd784990914c1b8be30a724240e38096e0458a9af80f967ff866c9e |
C:\Windows\System\mBdpTIJ.exe
| MD5 | b86876e5775d385d617b4e1bc43c1949 |
| SHA1 | 2fd45f2844b7f3ec8acccd37f58437401d804c6e |
| SHA256 | 7e25354eaf997a0c35a9b43a393bae7709216b34673759f7e36500fcf6a6b81f |
| SHA512 | c9a253eeaaa75119f261be1d10374fb7e579631c113abb8d93cf03fd468ab8acc4e402f1e2f3d55689b4ffe3c70f4ca3fec83d1b15b438eb7aee403fcc74bff0 |
memory/4056-80-0x00007FF7DCBE0000-0x00007FF7DCF34000-memory.dmp
memory/216-85-0x00007FF6FBE80000-0x00007FF6FC1D4000-memory.dmp
memory/640-91-0x00007FF6F0970000-0x00007FF6F0CC4000-memory.dmp
C:\Windows\System\VTNyalh.exe
| MD5 | 0899ab321b53711ac7c9981c26dfaed6 |
| SHA1 | 99babd2c2340de82298d970e01ede2f32b0785b5 |
| SHA256 | 96aa33f5a8f3c554d9413a9f6fe6c4137292b2cfe1e329babb1d27dffe77e874 |
| SHA512 | a0a1a1403bcdb26fe55848aa1410186ccfd63497046476849bb7ce8ef3da62f97917cbde195710cfd7d69b471d009b24ed386a562effd605de8287a785030f1d |
C:\Windows\System\nUJqVEE.exe
| MD5 | 9ce2d980a6138b9cc20554ea922dfbe6 |
| SHA1 | e54e1a94d2546a1de19432f62faf7a1a6ad1c7fe |
| SHA256 | fb305775647e24a3c27575f906bbd44173ab9a2a24d6fa833cdaf543d418fb3a |
| SHA512 | 0efe38a74185e18b1afe79d0e43228ab04ea175e3dcebe0431f7e77f265250c9627d78e565ff8df7fac563a7be85b73b1c46d51f8fe30102a53ad0819d228c45 |
C:\Windows\System\ogTQsvj.exe
| MD5 | 156c5f25d7f4ef1c20ccf15bcddd9603 |
| SHA1 | fe3d385d810afd948a64a15fa4f22b6d2dcebda1 |
| SHA256 | 13b90f1a8dcdc5e7c2d94828130cb266ff3cf2d0897f4fd24b3bc29b36254832 |
| SHA512 | 04f96628290d2a6d231ebb70be44333865c3eb0c242a98190e560aeb86bbb13b5c6735e2df431aa90b63f92e7efb749d259959144d696d099f42ead5b5a4a1f3 |
memory/1416-115-0x00007FF6251B0000-0x00007FF625504000-memory.dmp
C:\Windows\System\HKhzDpo.exe
| MD5 | 615c44ea87dd0b3f03fd7be9b5709690 |
| SHA1 | 99a997cebce4522e2e143289dcd9912cee4e3585 |
| SHA256 | eac7385655b8c823cb44e05244bd3c76d37212015a9f24d8c695d31d81006af8 |
| SHA512 | ea79ab0c0ad6157727170affac6570c75f4fdf1b3255e72e8694b8f2efc0bcc090f150a659e6d860e72bc5c4a0517c877df3664f3b9a89172d66262f90f4e2e5 |
C:\Windows\System\trYiPPs.exe
| MD5 | 025a852d983fade36d7363bc8276be8a |
| SHA1 | 5a6eae8169f9dde9a87f832b6703e384e841d92c |
| SHA256 | c6647e2b143281cbe557db3452705924cf6b362734d89be8eaa6cb254f850673 |
| SHA512 | bedb98bb8c5e30a63c5d4174151e240ce7b341bf229e6bb6b745b0dc730e24dd98cc6da8746e141ca869492cddf61d5696aa967cc72b6ffb7c097128b89b3031 |
C:\Windows\System\jzYmbnd.exe
| MD5 | 0b59297b9f8d727de96467e0ab22879c |
| SHA1 | bc90f6524a5c931cd9f3d47c2663bda1cff201f3 |
| SHA256 | 57bbc346b91db0637b221518a74652cf02e11e6ef785a73f3bef50d9c10a9273 |
| SHA512 | cb027f1c11c3aa6f40c86619d939a68ce4e58bac40ba063d568787ae5d989f21a74e7d8e3beabeb00e44734d9afec57fd072baddf62c61d1dc2fe4af06aac440 |
memory/2168-103-0x00007FF759790000-0x00007FF759AE4000-memory.dmp
C:\Windows\System\hUfZsFj.exe
| MD5 | c44a67a87f6b97f8444d2c1297f54584 |
| SHA1 | 658e9a6a76932b7a722c1105e43e8d2096cf7237 |
| SHA256 | b02bb7a9c5da732903430f02b57cac708ba7dff210eb0217ed45b6e04ec4dabe |
| SHA512 | b773a3be6b660d01abef59f6c805849e1af92a26b0e8fefd66cf62dbb4c63326f503f62004c5a6bedb8e483f1771a7cecc04fb3b1786cfd2204499c0aec24c1c |