Analysis Overview
SHA256
04ab552014594f7cc201c97eea474bf331986f16ac017527f8b9aa4118b1e114
Threat Level: Known bad
The file 2024-06-29_3069453ad4f7bf7314205e257c2526f3_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike
UPX dump on OEP (original entry point)
Cobaltstrike family
XMRig Miner payload
Xmrig family
Detects Reflective DLL injection artifacts
xmrig
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-29 06:51
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 06:51
Reported
2024-06-29 06:53
Platform
win7-20240611-en
Max time kernel
147s
Max time network
148s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AyjyyEN.exe | N/A |
| N/A | N/A | C:\Windows\System\RhjDMjd.exe | N/A |
| N/A | N/A | C:\Windows\System\LWCSGtx.exe | N/A |
| N/A | N/A | C:\Windows\System\kxhhLgj.exe | N/A |
| N/A | N/A | C:\Windows\System\bRpXXWm.exe | N/A |
| N/A | N/A | C:\Windows\System\KgLOgRU.exe | N/A |
| N/A | N/A | C:\Windows\System\eWatdiX.exe | N/A |
| N/A | N/A | C:\Windows\System\qSXROES.exe | N/A |
| N/A | N/A | C:\Windows\System\GHyTqFe.exe | N/A |
| N/A | N/A | C:\Windows\System\zwXFwWu.exe | N/A |
| N/A | N/A | C:\Windows\System\yxyqfmY.exe | N/A |
| N/A | N/A | C:\Windows\System\wpPcuub.exe | N/A |
| N/A | N/A | C:\Windows\System\VrWVLMI.exe | N/A |
| N/A | N/A | C:\Windows\System\GXoBPxm.exe | N/A |
| N/A | N/A | C:\Windows\System\OIGgXvk.exe | N/A |
| N/A | N/A | C:\Windows\System\kEhstsd.exe | N/A |
| N/A | N/A | C:\Windows\System\IpVCTmH.exe | N/A |
| N/A | N/A | C:\Windows\System\VOwzdQr.exe | N/A |
| N/A | N/A | C:\Windows\System\qHRZBGa.exe | N/A |
| N/A | N/A | C:\Windows\System\ODiAMHR.exe | N/A |
| N/A | N/A | C:\Windows\System\phWPQsq.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_3069453ad4f7bf7314205e257c2526f3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_3069453ad4f7bf7314205e257c2526f3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_3069453ad4f7bf7314205e257c2526f3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_3069453ad4f7bf7314205e257c2526f3_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\AyjyyEN.exe
C:\Windows\System\AyjyyEN.exe
C:\Windows\System\RhjDMjd.exe
C:\Windows\System\RhjDMjd.exe
C:\Windows\System\LWCSGtx.exe
C:\Windows\System\LWCSGtx.exe
C:\Windows\System\kxhhLgj.exe
C:\Windows\System\kxhhLgj.exe
C:\Windows\System\KgLOgRU.exe
C:\Windows\System\KgLOgRU.exe
C:\Windows\System\bRpXXWm.exe
C:\Windows\System\bRpXXWm.exe
C:\Windows\System\eWatdiX.exe
C:\Windows\System\eWatdiX.exe
C:\Windows\System\qSXROES.exe
C:\Windows\System\qSXROES.exe
C:\Windows\System\zwXFwWu.exe
C:\Windows\System\zwXFwWu.exe
C:\Windows\System\GHyTqFe.exe
C:\Windows\System\GHyTqFe.exe
C:\Windows\System\yxyqfmY.exe
C:\Windows\System\yxyqfmY.exe
C:\Windows\System\wpPcuub.exe
C:\Windows\System\wpPcuub.exe
C:\Windows\System\VrWVLMI.exe
C:\Windows\System\VrWVLMI.exe
C:\Windows\System\GXoBPxm.exe
C:\Windows\System\GXoBPxm.exe
C:\Windows\System\OIGgXvk.exe
C:\Windows\System\OIGgXvk.exe
C:\Windows\System\kEhstsd.exe
C:\Windows\System\kEhstsd.exe
C:\Windows\System\IpVCTmH.exe
C:\Windows\System\IpVCTmH.exe
C:\Windows\System\VOwzdQr.exe
C:\Windows\System\VOwzdQr.exe
C:\Windows\System\qHRZBGa.exe
C:\Windows\System\qHRZBGa.exe
C:\Windows\System\ODiAMHR.exe
C:\Windows\System\ODiAMHR.exe
C:\Windows\System\phWPQsq.exe
C:\Windows\System\phWPQsq.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2024-1-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2024-0-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\AyjyyEN.exe
| MD5 | 1f5008953abd229b38ae698dd9d0fe85 |
| SHA1 | fa7e5340c4fc88095f94534ee6cad78536078a16 |
| SHA256 | 35fc56b60db0693ef00b5f518a092f145c08b976deb3f50da855f3c4302142e8 |
| SHA512 | 310154005f4637b30058c853fd94470d64bb54ed170c3c3f6d272a24471a7fcb72d62e394f9e0ac4fa5562110845d99b8e24a99298caaf50a82fecdb19f3c6e8 |
memory/2304-8-0x000000013F6D0000-0x000000013FA24000-memory.dmp
\Windows\system\RhjDMjd.exe
| MD5 | c957521b6c4cb6a964722481cc51a2cb |
| SHA1 | 76c8814f677066d6396cc568349ed1e5d84fc78d |
| SHA256 | 87c4f88f3e6b30eafcc5bf7023540945e7abda35f691e9c0b4b896cbe05cec19 |
| SHA512 | 279f6453a28845aaf0d91746b39e7c0e1a3d51bfbffd6396b14340011ba6926d51aa782cee31638edb4db30272893d74958ef375f8b2cc18d6ccb53a1debc724 |
memory/2616-14-0x000000013F260000-0x000000013F5B4000-memory.dmp
C:\Windows\system\LWCSGtx.exe
| MD5 | ac5f83d83b39d7bb9b2bb3076d7f48e3 |
| SHA1 | da66aa3c8634a462d5f14b054eef7c9444093847 |
| SHA256 | 39670705397ea0c18244e02a6998225e982e7e76173fda69d706ee26a2ac2add |
| SHA512 | 6c0d623ba1ea7f47eab519ea2c8f1d142fa2401f75681ae7d60aa2b450b87597b9e7856b533c396c46650c379ea53a8b7a5459ffdde14c8df0b5ee362f834137 |
memory/2024-23-0x000000013F480000-0x000000013F7D4000-memory.dmp
C:\Windows\system\bRpXXWm.exe
| MD5 | 906204479ec56386bedca37aeeeb3d74 |
| SHA1 | b61142b78f260a8f290473123c9a0289254f1e6e |
| SHA256 | c68316c1a95e779369d0605816e8185066448ce4c0bd91692d550d59579d0c87 |
| SHA512 | aceeb7b2f1b7245f5ef4547d50b73eb5d766389c907fb1e152ee85d0dc2fb430bee539f854053a9590786847ca0059ce6d3fce537d0522d1ad5432eb5992935b |
memory/2024-36-0x0000000002380000-0x00000000026D4000-memory.dmp
C:\Windows\system\kxhhLgj.exe
| MD5 | 246db5985210cb42d83ce92fffcb733d |
| SHA1 | ac0058fb19bd7b348bccd5af09124b776378b81c |
| SHA256 | 89a1f6d6f372ca29ceb820ef57f193f1a52853d217a1b9a467ebff3fec36d01a |
| SHA512 | ec0ee7f8fe8499bc5ad5a81381f19c75ca3de99f8fc344909e110de3e6fba0728167ca2aceb18bc7f005debf18f4027d3c76c56ccac8452b01c77edad74f591c |
C:\Windows\system\eWatdiX.exe
| MD5 | b83bafbd1745f993e0db1e6fe33c9c0e |
| SHA1 | 92feb8b540230fc6b07cc41d1010dd48710d4b69 |
| SHA256 | 45b5d0692a673b46f7e5f85c35f6b1431abd310904e03c6498f6cbf1db207412 |
| SHA512 | 36317aa0a995e160bdd7c6c4d79f80663ee8e7ff4977959f9ee0f92264358ffc7adb86ecff440075e9884155e64c47e9365deb2b74f10b62e05dfdec73dc380a |
memory/2784-47-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2884-53-0x000000013FA70000-0x000000013FDC4000-memory.dmp
C:\Windows\system\zwXFwWu.exe
| MD5 | 1d21fdd283bf8d80e1e37e0d6fd3b8c1 |
| SHA1 | 069bc8a630112979b3eb74b60ada0519cf8a38ba |
| SHA256 | 3ad52bf12b82fb73e3314e07cc556914e701bbae8e8409920b43843519707e04 |
| SHA512 | 929f0f096b6ae58beb755d57f3fb8678c9986a165299994fe65375f152f330552cb597dc552487bfede3c94defdd8d55b2da3fe0216b81b52dddb4712de48eb1 |
memory/2568-64-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\yxyqfmY.exe
| MD5 | 7434bda41b7f0c964e8096866d217391 |
| SHA1 | 1c91630d2a4186ca416ef3c91075231ef67c0db2 |
| SHA256 | e1bafdb9664e67fb5e8697985e0e2cfa1b2522c5041537297d11de9c8b4146c8 |
| SHA512 | 70dd77f017220c3dfe3cff0a622a232f1769410f4f04630b0ff5acdbfb0d07e752044d226886aa9a28550317cb56fab43465f80b367366b18d7af4e3fb44de55 |
memory/2172-71-0x000000013FF40000-0x0000000140294000-memory.dmp
C:\Windows\system\ODiAMHR.exe
| MD5 | afa50ee3964164dfe617af41d5c15a8e |
| SHA1 | e90bb4d0118379dbf200e3cf6d418922fce3b647 |
| SHA256 | d77fa6b29ad7e9d232f65170ba0f571b58b5b1a19e0203e3de277abc6923a1ef |
| SHA512 | 19792c35d8b46c495bffbc21b5e9277228bab81153a992bcd98d64530e046f31a1a8186b9ede3ac40c1d316925b9ce662d13d04645181041d1b085966d5ce2c1 |
\Windows\system\phWPQsq.exe
| MD5 | a27f708416ad31df9fc8fbd1696552c7 |
| SHA1 | ea85ace4f7a300205faeb968f64f3e94371457bc |
| SHA256 | ff78751c8da8603c99e77a9600def8571c63a348c38b9409295f967532512951 |
| SHA512 | 991e823542ef98ee17f8036435ba40004f7058084c7574f61b6c2d86f825417ddc18c9b4a70234cdde96b02439d4a1eb63b2cca13ede22bf5f384085a5068b6c |
C:\Windows\system\qHRZBGa.exe
| MD5 | 4350c4a7bc2e33f59317c56144afc98d |
| SHA1 | a62f2e2b60856e4a325a96605ac1affffcf5a6f0 |
| SHA256 | 5f79960abfaa99c21e7e4f9c053346fdf77c88905a53fefee93d1f8ebaaaf99d |
| SHA512 | e26a0c6e1a33740b108250e0a1d2f65f34ff4af4bf3f363af5864becda89736b84b85e03f5798d431fbafd0957ffb42e5d5dc40a498cf155ae2321815f63eeee |
C:\Windows\system\VOwzdQr.exe
| MD5 | 870ebb0b9ea5e48724605a6d9aa5abdb |
| SHA1 | 6d6a3c4a0af56a608dc4f398680283a4224926d1 |
| SHA256 | ed16d0a9ac67ae0f00932b81476334e58828572a645cd8d15162b8076fc620f1 |
| SHA512 | e1e0ecb19502500b83ce8c89182a2a456afeabd5b66c0dfee6167d0038910689491f7a93081325ce2025652aa66779001a87b124ca4ca27c0206fe8ab7570795 |
C:\Windows\system\IpVCTmH.exe
| MD5 | bd073fd2e26edef1f1e6fefc11a733f1 |
| SHA1 | dd185d5c5dd70aa3172f40f1dbf0e9a940edd4e9 |
| SHA256 | 03cd8bd4f6a46307d4c5d3faa1a82800465e122496535c0350809a8be786bbd1 |
| SHA512 | 6f619ad2cfda5b410476e12fa9c078d2f91f1add9ddd60e412e992cf8402899bd7fb940c2ab6be79a1a482e3f71aaf2cf5b7aa2623e5786b4ace0a1fe751b152 |
C:\Windows\system\kEhstsd.exe
| MD5 | 1b0aca7daa5920013b6783810f452714 |
| SHA1 | 093d70899cf9d1f87c150be54bd09efb3b36231d |
| SHA256 | 9efe455944e820721e57f65b6f35ca28936610651d562620d00b39a73740ba3d |
| SHA512 | 39f72acdeb3357114149daabf93b716c9e6d1599fbd53bd48286ea52aee4c5496de8b622617cde8942032d5b898f37b287bd1f33a1793b86c3ac0b28304f7383 |
memory/2024-95-0x000000013FE20000-0x0000000140174000-memory.dmp
C:\Windows\system\OIGgXvk.exe
| MD5 | 8bd9321fce51805b8de7e364980b87a6 |
| SHA1 | 848ec647bea9136ce0947bb9c93b8eea6e274b6c |
| SHA256 | 4612bfc5033b39e67e0aa014e5cd7da7e9b83f8d442a153d561dd82b3728970f |
| SHA512 | 8339ac3154a7c98282afc2fca81f8c123a9c06209f6731ded5424e6002e46fc70cbb33fd8e4caa09e6f047f4a2a643810e9847a1a0f0550c46918486d3cc2de4 |
memory/3012-90-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/2024-89-0x0000000002380000-0x00000000026D4000-memory.dmp
C:\Windows\system\GXoBPxm.exe
| MD5 | 2d079d80bbdd407133b2904dbf2d20e0 |
| SHA1 | 57aeba791966748444d6e46e4e8daf06d0b67598 |
| SHA256 | e7be1b750896a1b3d83d46cb1a5306f69dcaf7fb22455a0c8d69cafe7703a76f |
| SHA512 | 45ddefdea17ee027eef63815fdd6a00660bc90aeaa30b4939dae1e09cf10d125256d953090812ec9fdf810e45c450aaf236cdc0e85549324732ffebbd5ac7329 |
memory/2868-84-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2024-83-0x0000000002380000-0x00000000026D4000-memory.dmp
C:\Windows\system\VrWVLMI.exe
| MD5 | 2127ce2f585debfcb512d81b41045bbc |
| SHA1 | dd41c9e81be8194b5f8d4e1a29f7f733bc49578e |
| SHA256 | 82eb4439bbb066848f961fdc68d88557eaac1f266a9bd1205bc431da57105b62 |
| SHA512 | d397fa4e309b8dc4b065180d06f0881b16cda9bb2286c4e45b3a37327dd21be16b39fbd31cdd968558270a38a527d26375782a51573edb7e98c34fb7bf1a1b6b |
memory/2856-78-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2024-77-0x000000013FD70000-0x00000001400C4000-memory.dmp
C:\Windows\system\wpPcuub.exe
| MD5 | 0dbaa3bd481b1c244c87b031b77e5f7d |
| SHA1 | 3d649e56f35f882fc088a526cd32bcaa8c035ff6 |
| SHA256 | ada155645040aec7dfa10398280c33c18fcf60fff7e30de300f364e2ef2ebe47 |
| SHA512 | df48ef5859b42bd6d74e2e701780d3c071f86e5cbb46a50e9afd356463ce34767a03a6a60dce4ac9bfa2b72949e9cdb84c40e201b205ab84eb10c3294e712680 |
memory/2024-70-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2616-69-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/1796-63-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2024-62-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2024-61-0x000000013F260000-0x000000013F5B4000-memory.dmp
C:\Windows\system\GHyTqFe.exe
| MD5 | 41ca756cb4a322c34d425f5ef1b8aa66 |
| SHA1 | 8161d5d84114e067e92342b2bccd859bbf574f5f |
| SHA256 | c3c7b636c5328363c7d44cd338d66b80243777dc5a2c8131d16a5ceb101044f6 |
| SHA512 | 81f5428e85deb4f06c8869468c54919272671f6ba25af8f6983503070ec8935f8869cefd67afdbf83e2f85933fa5867c946b56463c835f722c4f7f83d2cd3f28 |
memory/2024-52-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
C:\Windows\system\qSXROES.exe
| MD5 | cc583273fcb792a157d889b805dfa8a5 |
| SHA1 | c4d0595e504edd344e6b8e0c25ad9e08a718590f |
| SHA256 | cd438e4d6381119480cfda8e6e74ac34aeb55dfec89205e22a36670a5fc4742f |
| SHA512 | 69b81a87cfebae3f9125855ff8e637f8cfbccf1d718e6a2d65c405fd398f6b20235c5dbbe197333192ed01e011c3f31937ce77257750055d704ce9f52ab67b52 |
memory/2024-45-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2652-27-0x000000013F480000-0x000000013F7D4000-memory.dmp
\Windows\system\KgLOgRU.exe
| MD5 | 039174c5773dec597222f562c8f885e0 |
| SHA1 | 1254dcce4e94e1168f7ebf313c33feb956011d0e |
| SHA256 | 0ecb7998389bcf70f92c0574c88c233ecf9442834e3f06dea7efbe88c658f3ae |
| SHA512 | 4c241b150415f67d164de94a523f05aee2ff1eda92e04f685ba00573b5ed1ffd7f22b2a4cfb3a590713cf5bab41c49213ea07bfdeb90a3878378137610b997d2 |
memory/2676-41-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2956-39-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2792-37-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2024-34-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2024-31-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2024-135-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2024-136-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2568-138-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1796-137-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2024-139-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2172-140-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2024-141-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2856-142-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2024-143-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2868-144-0x000000013F620000-0x000000013F974000-memory.dmp
memory/3012-145-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/2024-146-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2304-147-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/2616-148-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/2652-149-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2792-150-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2956-151-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2856-153-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/3012-155-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/1796-154-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2884-152-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2676-156-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2868-160-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2172-159-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2568-158-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2784-157-0x000000013F400000-0x000000013F754000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 06:51
Reported
2024-06-29 06:53
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\DiDeIeG.exe | N/A |
| N/A | N/A | C:\Windows\System\mQdDOKS.exe | N/A |
| N/A | N/A | C:\Windows\System\uOlxXLA.exe | N/A |
| N/A | N/A | C:\Windows\System\SxTrgIU.exe | N/A |
| N/A | N/A | C:\Windows\System\aHIJBrP.exe | N/A |
| N/A | N/A | C:\Windows\System\eaTLlEy.exe | N/A |
| N/A | N/A | C:\Windows\System\oHYeVQg.exe | N/A |
| N/A | N/A | C:\Windows\System\IhRNLOn.exe | N/A |
| N/A | N/A | C:\Windows\System\BYPUcow.exe | N/A |
| N/A | N/A | C:\Windows\System\ZhIjzKH.exe | N/A |
| N/A | N/A | C:\Windows\System\wPLKacK.exe | N/A |
| N/A | N/A | C:\Windows\System\VJeOShT.exe | N/A |
| N/A | N/A | C:\Windows\System\bzmhfSu.exe | N/A |
| N/A | N/A | C:\Windows\System\jktgVUJ.exe | N/A |
| N/A | N/A | C:\Windows\System\FgrdSJU.exe | N/A |
| N/A | N/A | C:\Windows\System\tkNwJbY.exe | N/A |
| N/A | N/A | C:\Windows\System\ZybtpIm.exe | N/A |
| N/A | N/A | C:\Windows\System\SSazlpE.exe | N/A |
| N/A | N/A | C:\Windows\System\boSmsZr.exe | N/A |
| N/A | N/A | C:\Windows\System\doQeBDW.exe | N/A |
| N/A | N/A | C:\Windows\System\AaeeYDP.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_3069453ad4f7bf7314205e257c2526f3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_3069453ad4f7bf7314205e257c2526f3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-29_3069453ad4f7bf7314205e257c2526f3_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-29_3069453ad4f7bf7314205e257c2526f3_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\DiDeIeG.exe | C:\Windows\System\DiDeIeG.exe |
| C:\Windows\System\mQdDOKS.exe | C:\Windows\System\mQdDOKS.exe |
| C:\Windows\System\uOlxXLA.exe | C:\Windows\System\uOlxXLA.exe |
| C:\Windows\System\SxTrgIU.exe | C:\Windows\System\SxTrgIU.exe |
| C:\Windows\System\aHIJBrP.exe | C:\Windows\System\aHIJBrP.exe |
| C:\Windows\System\eaTLlEy.exe | C:\Windows\System\eaTLlEy.exe |
| C:\Windows\System\oHYeVQg.exe | C:\Windows\System\oHYeVQg.exe |
| C:\Windows\System\IhRNLOn.exe | C:\Windows\System\IhRNLOn.exe |
| C:\Windows\System\BYPUcow.exe | C:\Windows\System\BYPUcow.exe |
| C:\Windows\System\ZhIjzKH.exe | C:\Windows\System\ZhIjzKH.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4092,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8 |
| C:\Windows\System\VJeOShT.exe | C:\Windows\System\VJeOShT.exe |
| C:\Windows\System\wPLKacK.exe | C:\Windows\System\wPLKacK.exe |
| C:\Windows\System\bzmhfSu.exe | C:\Windows\System\bzmhfSu.exe |
| C:\Windows\System\jktgVUJ.exe | C:\Windows\System\jktgVUJ.exe |
| C:\Windows\System\FgrdSJU.exe | C:\Windows\System\FgrdSJU.exe |
| C:\Windows\System\tkNwJbY.exe | C:\Windows\System\tkNwJbY.exe |
| C:\Windows\System\ZybtpIm.exe | C:\Windows\System\ZybtpIm.exe |
| C:\Windows\System\SSazlpE.exe | C:\Windows\System\SSazlpE.exe |
| C:\Windows\System\boSmsZr.exe | C:\Windows\System\boSmsZr.exe |
| C:\Windows\System\doQeBDW.exe | C:\Windows\System\doQeBDW.exe |
| C:\Windows\System\AaeeYDP.exe | C:\Windows\System\AaeeYDP.exe |
Network
Files