Analysis Overview
SHA256
33083de1ea22cb1e4281e12f26b10247ee617c908b5dd6d94fda729868a61f48
Threat Level: Known bad
The file 2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Xmrig family
Cobaltstrike
Cobaltstrike family
XMRig Miner payload
xmrig
Cobalt Strike reflective loader
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-29 07:07
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 07:06
Reported
2024-06-29 07:09
Platform
win7-20240611-en
Max time kernel
142s
Max time network
145s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fbOLxSh.exe | N/A |
| N/A | N/A | C:\Windows\System\ATePjZI.exe | N/A |
| N/A | N/A | C:\Windows\System\NacDvZK.exe | N/A |
| N/A | N/A | C:\Windows\System\emIYqmp.exe | N/A |
| N/A | N/A | C:\Windows\System\dGTjcKE.exe | N/A |
| N/A | N/A | C:\Windows\System\EVpQLBn.exe | N/A |
| N/A | N/A | C:\Windows\System\TQLkVkl.exe | N/A |
| N/A | N/A | C:\Windows\System\uHaKrDt.exe | N/A |
| N/A | N/A | C:\Windows\System\qJasthF.exe | N/A |
| N/A | N/A | C:\Windows\System\SuRNOUy.exe | N/A |
| N/A | N/A | C:\Windows\System\ePvJPmC.exe | N/A |
| N/A | N/A | C:\Windows\System\cOeSPEy.exe | N/A |
| N/A | N/A | C:\Windows\System\cBdlNVe.exe | N/A |
| N/A | N/A | C:\Windows\System\cTqmrlo.exe | N/A |
| N/A | N/A | C:\Windows\System\MsOSjhc.exe | N/A |
| N/A | N/A | C:\Windows\System\IonBHnm.exe | N/A |
| N/A | N/A | C:\Windows\System\rShaOjs.exe | N/A |
| N/A | N/A | C:\Windows\System\vOetJDi.exe | N/A |
| N/A | N/A | C:\Windows\System\PFGjPAf.exe | N/A |
| N/A | N/A | C:\Windows\System\IPgtdQA.exe | N/A |
| N/A | N/A | C:\Windows\System\AdQHoQL.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\fbOLxSh.exe
C:\Windows\System\ATePjZI.exe
C:\Windows\System\NacDvZK.exe
C:\Windows\System\emIYqmp.exe
C:\Windows\System\dGTjcKE.exe
C:\Windows\System\EVpQLBn.exe
C:\Windows\System\qJasthF.exe
C:\Windows\System\TQLkVkl.exe
C:\Windows\System\SuRNOUy.exe
C:\Windows\System\uHaKrDt.exe
C:\Windows\System\ePvJPmC.exe
C:\Windows\System\cOeSPEy.exe
C:\Windows\System\cBdlNVe.exe
C:\Windows\System\cTqmrlo.exe
C:\Windows\System\MsOSjhc.exe
C:\Windows\System\IonBHnm.exe
C:\Windows\System\rShaOjs.exe
C:\Windows\System\vOetJDi.exe
C:\Windows\System\PFGjPAf.exe
C:\Windows\System\IPgtdQA.exe
C:\Windows\System\AdQHoQL.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\fbOLxSh.exe
| MD5 | 2ba932c9bccc35d50127968c4246a2c8 |
| SHA1 | 0c5e50d89f47a4a40d5902af8290b7717df93a66 |
| SHA256 | bc8a81a5293b67573c69f5179d2266726c93fdb89b8d19a6d74773116a66460f |
| SHA512 | 522ca9a87294f45ef7e12eed55c5f626005b0fcf8f059127e91836a0a5afd41a7f656c8c23475b6b5da226837d840aee1ab582f647ebdfafabec92e27511c427 |
\Windows\system\ATePjZI.exe
| MD5 | cb24e8c2bde19544126dd7c45429d0c7 |
| SHA1 | 3e1169c3f8c0739851540b6461bffe4130a3c69d |
| SHA256 | f4338b04fd774d8c2f3f00311f93b90308190a852cab9204003e585aae8f929b |
| SHA512 | 5ed2d1195a0f9b0caa70f088dccc57605748aaa5e684cdd1c7c4e7f04ceee72ad5ad69cf5c1666608076f3a600ce9bd8d9e4422c12fd6105bd3db68d9e3f944c |
C:\Windows\system\NacDvZK.exe
| MD5 | 2cb573b8abbe4d1220c1554cdfb96061 |
| SHA1 | a19ec9ef73a80931ec092c25741639cf621b0352 |
| SHA256 | 927caa723ba16d64d5e18498f307a7f82c024fdb1e8c40345c419a0f0d8dbc45 |
| SHA512 | 7516b0d1e80f035c1609ef3993691d333b07ac7b0f0c586dc916228bbf0841d2ae53d575db21af0a77b6cf08f6b8df220eae7f5389c1998af8738615183ba7c1 |
\Windows\system\emIYqmp.exe
| MD5 | 4f10c8c3c1562658219232250ebad193 |
| SHA1 | e354faf533bdca46c6bf57f425d1bde5bc2aef29 |
| SHA256 | cf60b38b678966c3db98d983679f4d25fd4cebac745d46bc12306361bb76dffb |
| SHA512 | f56936315de67dfe0d56496de161c2ef83dbe9e707304ba55641421f7b4b0ef760320d5655d781459725b32f660ea9f8d6cff71fefc5cd5fcfe9d3cefe84ae11 |
\Windows\system\dGTjcKE.exe
| MD5 | b310fb007d633575c0e18dbb2e31d37d |
| SHA1 | aff630e7ad33e274c819f8cb8c7c1f07abf6c63b |
| SHA256 | 5186b763e39c04db18ded71fb6231d4160976381c4ebf763bc11678bf616a201 |
| SHA512 | 3087889f6068fd1ece69df8376476e2b732a31dbd788987b54e2a2359f6e5c4b66c0df0898d0eb2426d9597d90456dd8f35c55536b7acabad7aa21a5caf4a71e |
C:\Windows\system\SuRNOUy.exe
| MD5 | 8ddbd21cba2712aa884eee36959b16f1 |
| SHA1 | 463c7ba2ead1b67122b39d8a1c4426a4d1c1eaa2 |
| SHA256 | 9ff657becb0ec319d4b39cd87ce53feb463dd3c064b71451f6b2ef48d947d912 |
| SHA512 | 1d808375598f1e793f74d02fa17c4944883f0775fdd960aafa8e51890ac44d43ced591902ef9d4145c7a74fb725c1af178ca73d1949a98ccb10ff148df4daff2 |
C:\Windows\system\ePvJPmC.exe
| MD5 | 24303061a0e7ad37e47b912dc168e188 |
| SHA1 | 9f4b73e83944fc24bf162176b12ea50bc4b76ebd |
| SHA256 | aa1df33115798384a687aa6f0ab2c673825175a5be07437b90565d5aecd1489a |
| SHA512 | b818f50382d9352ccc41d6ca1f75c619e8c41e99caceb27760f122d81c0f6f600469f01da2e2552b8c1223c9612cec511ebd97bd9a376b91c5b51053f7d70876 |
C:\Windows\system\cOeSPEy.exe
| MD5 | 28f563c4a0749191266cedef9bad737b |
| SHA1 | ada8ce388364fcf79fcf6d0379208db3ac202b60 |
| SHA256 | a0ecd47bdaadb23df9855e06c3b8a3a4b97b0f0b20f84c80c0d6ef22b52047c0 |
| SHA512 | e4148afc592167ef0bec3afb57ce7ec2abf3e418e87cf6e7375729ca6728ecb8433a850251f57ddbc420da3f938245eaefcb8f13727622b15b0ff3a2aadc7e3e |
C:\Windows\system\IonBHnm.exe
| MD5 | e44da85c7d96f44178f8451f4e023173 |
| SHA1 | 341eb2c97631a5ad30b9b7ad08fdd21ae6c707c7 |
| SHA256 | c074979af6cb2a60b30031c197393afbe553750a5027dd2e9d7ca379b55c80f3 |
| SHA512 | 63b42ebd882daa5453cb675ea863049b99f806c8f390d7c57a6f3f391520c4cb9f7368167faee73e50995df6e3edee395f89f83b90907fb65b2166d069ea9b56 |
C:\Windows\system\IPgtdQA.exe
| MD5 | 4bc5069c2659bd1bede0b573d84482c3 |
| SHA1 | 7cf020f0321da7e41de2e89189179765110a5b3c |
| SHA256 | ef8d95dcbe98c361764c28d1af85ddb66e074a576e075dc9697524e4e607d616 |
| SHA512 | a0c56f7c29f14027d26e4ca5943b4883d47790e2b017e49e1959bb21734f7187bbd9931962d9ef972a9886ff6267792381c809386ac4ec7d6bcda0434c0d090c |
\Windows\system\AdQHoQL.exe
| MD5 | a65e7d48fe886d4484392eb26cded8fd |
| SHA1 | 2c77c72dc02013508d1bf85e4261dc5fe32f43fd |
| SHA256 | 0c1470299816e17977d4bc353f72fcb161f5e37964006340fb5d6197fc608801 |
| SHA512 | 54722abd8119cecce956302c2de19f9ca58f202a4f935e693e7d7f218b0fb8f6bc97112ca0099089c8ad917982df0c680012f36daeaed9177d5f7db7f8fd092b |
C:\Windows\system\PFGjPAf.exe
| MD5 | 3756c7f0f1f45372678c06ef1c1e56d7 |
| SHA1 | b55a498b5b0e3b97f274576b336f6e0ecf9aa459 |
| SHA256 | 09b4561c8df641c6b3127c5bbdc42f8765f2b8fb18fa33173e38f0c52a6e53e7 |
| SHA512 | 569feea2a19862f18f0268813b8a6ade61740da04e25bd4b329a4ccc65ac56d80d7c4a8299f6fac48f72512e815ed749c815f03ed32bc1954939c2eb27f916bb |
C:\Windows\system\vOetJDi.exe
| MD5 | c3a90920816f3de5e09d2cc142840510 |
| SHA1 | c0aebd01a9cd51dd6db88db860ddd4522de34709 |
| SHA256 | d94fab7835b7b68c1bd01957ec8a59136069a43512692db61960534655cc62eb |
| SHA512 | fd77cac01def66323712811a9774645d8d6a290276dcdbf566db9e2194054f52c623cb8e84bc50ec8719a645e8efc1c738de81acedc72dc526c1eefd2d4ac6f9 |
C:\Windows\system\rShaOjs.exe
| MD5 | 1b4bc8384a65610520693f913073909e |
| SHA1 | 5243b38647cb5ba5adaca2f07968d81718763051 |
| SHA256 | e82aed67e80f06447e30cf3893b6be42bf94144b28004f20449ffac4c9669527 |
| SHA512 | f553c6ad9293dfff7df55e50877ccb2e4153cf48c6a9ad1333d89927d6337f01d63ade1c79134c61d51151f49963f88e2ff231b3f0f95ef9d1e77082b8a16d30 |
C:\Windows\system\MsOSjhc.exe
| MD5 | b796f6b6c362520aea0a98b7971e2060 |
| SHA1 | 1cdcba6aad4db2a1df010cb1c2c4c134c1de1410 |
| SHA256 | f522051a28473c130d8cf5a8ad0a2d55a0d578c5e60da9a6e6e06b611f014819 |
| SHA512 | 70afabd0259d3ac185b9f6af331402129b81cdbb4790f27c2c63efd0442f92644bee74d709bf78ba16c3a91934d59d499b16a7079db5aee4552c2ff806a8f9ce |
C:\Windows\system\cTqmrlo.exe
| MD5 | f8053ed821760ff51b8cafd2e043b93f |
| SHA1 | a177ebff8d252d5850798d9d006683e9d523b355 |
| SHA256 | f9d4fa90d9bd1ef2142366baca8bbc688171e9288ad194a4526f49d2b5551ee9 |
| SHA512 | 7ed52383294ade1c55caeccbfbd498501c5232b72a3db91e7160f220fcdd72d0efe1e85794c7dd1cfbb848b8151faaad3db86f94241384d2a8734504200f2932 |
C:\Windows\system\cBdlNVe.exe
| MD5 | 4a8fac213a6469204aa163cf5ccb2613 |
| SHA1 | 7f97f5e068f59369ff76bdfbf995dd3ace8ed8ab |
| SHA256 | d3794d4625913c73ac4e99065afb32a90c11202106b4df7b9365c52f2ee288d0 |
| SHA512 | f2da9bdefe2f0e9640680a91cf1d5a16c5e61eda03423bda4f6f7d81ae1d3d0c7043e3118c808592dbee015c92c07f2d9faee78eb2dc5bf7a89ee6ca97bed85f |
C:\Windows\system\TQLkVkl.exe
| MD5 | a1a8c70d71e143bb450cfd7d7bd3b0ed |
| SHA1 | 195cef7199d42666c89653ea7bdd79faa3b0175c |
| SHA256 | 04092f85e040fba0c45a4dff99de0581bd360c0ed20368f94ab0cd121c1d07da |
| SHA512 | 2d581af71f3f682dff641ac0178160c0c160323d1392cfe7a93817d2b51a8a8c03d3c803c6e0da38bac4cdef7bb106f3d72e11a381f9d0256fab45aee5ecec97 |
\Windows\system\qJasthF.exe
| MD5 | 491cdcae5b0769ef9eac5806f58151f5 |
| SHA1 | 6aa9ac6b44e8d77424cdfd764386a3e146a1a7ee |
| SHA256 | f20afdf587efc5ecfb51a0831f09b9bbe001eb3244aad900e99cf7fe006ed861 |
| SHA512 | 0660374fb801a53deba6e9ca21f2a1d79e99b421b97f8168b197d611ace9e1e25e5ad12fc3fd59cce3996583f1022b62ff9c676f3ce5b6eec2b0e67d9586550f |
C:\Windows\system\uHaKrDt.exe
| MD5 | ac9bab6ae775e0ba9402a6a68fb5e02f |
| SHA1 | d80b78f9ad3b0ff94b8c7d1157b80ac6c1328d3c |
| SHA256 | ab9e884c250faec5d5f831fd5e289739aeb1bb26122e7217c2c170059a4c2802 |
| SHA512 | 16afa657454e6537e26af98ca2c42ead02ed14bae06467db3c72b13cff0bc45b481c7b5a3a819e933df60762834abc8adf4c7700a890739d1a91bbde1fa5b3c9 |
C:\Windows\system\EVpQLBn.exe
| MD5 | c4f356bc7a44ab9a97a43ea9169ebae0 |
| SHA1 | a251344fe7f8e481bea22c728271068a2adac934 |
| SHA256 | d250c3252c21715f7b612279ab2cd44c53a242cbce8e66e65d2da7832d3be94e |
| SHA512 | b774dc568df8b1263751973d42d0ccdd17975a53e6f8d26679cc02423178e937fbaff0e24d9a5040f05d25483f1e3edbaced27fef370b8b8e6e8170e256dd7ff |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 07:06
Reported
2024-06-29 07:09
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
153s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vlbUWwn.exe | N/A |
| N/A | N/A | C:\Windows\System\itxXudF.exe | N/A |
| N/A | N/A | C:\Windows\System\QcgKNZi.exe | N/A |
| N/A | N/A | C:\Windows\System\UuJprVd.exe | N/A |
| N/A | N/A | C:\Windows\System\FJwKXGt.exe | N/A |
| N/A | N/A | C:\Windows\System\YomHlFE.exe | N/A |
| N/A | N/A | C:\Windows\System\nOEJGRj.exe | N/A |
| N/A | N/A | C:\Windows\System\IPxYOLE.exe | N/A |
| N/A | N/A | C:\Windows\System\UEjtbWA.exe | N/A |
| N/A | N/A | C:\Windows\System\RAAJdXi.exe | N/A |
| N/A | N/A | C:\Windows\System\tfzMSpc.exe | N/A |
| N/A | N/A | C:\Windows\System\UgJGjLX.exe | N/A |
| N/A | N/A | C:\Windows\System\ArNASEb.exe | N/A |
| N/A | N/A | C:\Windows\System\FKZkVkg.exe | N/A |
| N/A | N/A | C:\Windows\System\yZiybuc.exe | N/A |
| N/A | N/A | C:\Windows\System\BSReHzs.exe | N/A |
| N/A | N/A | C:\Windows\System\WmSJkuA.exe | N/A |
| N/A | N/A | C:\Windows\System\pwMAxIb.exe | N/A |
| N/A | N/A | C:\Windows\System\Atzmjpd.exe | N/A |
| N/A | N/A | C:\Windows\System\XEtewyR.exe | N/A |
| N/A | N/A | C:\Windows\System\xxDBLLH.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\vlbUWwn.exe
C:\Windows\System\itxXudF.exe
C:\Windows\System\QcgKNZi.exe
C:\Windows\System\UuJprVd.exe
C:\Windows\System\FJwKXGt.exe
C:\Windows\System\YomHlFE.exe
C:\Windows\System\nOEJGRj.exe
C:\Windows\System\IPxYOLE.exe
C:\Windows\System\UEjtbWA.exe
C:\Windows\System\RAAJdXi.exe
C:\Windows\System\tfzMSpc.exe
C:\Windows\System\UgJGjLX.exe
C:\Windows\System\ArNASEb.exe
C:\Windows\System\FKZkVkg.exe
C:\Windows\System\yZiybuc.exe
C:\Windows\System\BSReHzs.exe
C:\Windows\System\WmSJkuA.exe
C:\Windows\System\pwMAxIb.exe
C:\Windows\System\Atzmjpd.exe
C:\Windows\System\XEtewyR.exe
C:\Windows\System\xxDBLLH.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3144 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
memory/1384-0-0x00007FF6D1B70000-0x00007FF6D1EC4000-memory.dmp
memory/1384-1-0x000001A67E730000-0x000001A67E740000-memory.dmp
C:\Windows\System\vlbUWwn.exe
| MD5 | 9832865bc4f3dd6b1e8e4b8f96615fa2 |
| SHA1 | 74e5dca343b7ff62ef775b96a5f00fa44a04334f |
| SHA256 | 940ac78bc6fe3acfda920a6641d21ded77848ebabffff10fdd751ca2f634a162 |
| SHA512 | 047a29b1d25545e9b8b35f91f0a153a291cf476397c0342a051126c8138a8b3915f33395e070d34b4d23d3cef1761a93ac3fc48c4644bd66f91c81b6129e1d94 |
memory/4468-8-0x00007FF76C0F0000-0x00007FF76C444000-memory.dmp
C:\Windows\System\itxXudF.exe
| MD5 | 04806cc7366036d77dddd5f962f0afe2 |
| SHA1 | 115cce05e7d18092e264dc81c6066bb84cd59442 |
| SHA256 | 476f7e97d4add6e84b474cf53e92fc0d0dd4642c6e5b8e5f95b8077e8db0a061 |
| SHA512 | 76fe49e159100bd40690b09233de47d1146e9bc07c8be9815721a2a7721099674f35af4f2766398b8e06e7feff9ae42496afb10b09351fa1f66e2fa9de61caa9 |
C:\Windows\System\QcgKNZi.exe
| MD5 | 7a75a644e37c142f8634211ed5b09814 |
| SHA1 | ba6768fa294fb8935ecd0f7feccaef5d9ae70797 |
| SHA256 | 453210e4e080318ba5da2a48d23ce3770148ea91fef3476b529351a731d66ea2 |
| SHA512 | b904b6156d9c99e3993ef20efc4d30ce772569d3b21d273acbae50c9a51ad79913f504beb74d8b2114242a641c6b429713538c0e3faaaf85728bb2a7e5dbf7c2 |
memory/4240-14-0x00007FF7BF280000-0x00007FF7BF5D4000-memory.dmp
memory/2528-20-0x00007FF7424B0000-0x00007FF742804000-memory.dmp
C:\Windows\System\UuJprVd.exe
| MD5 | 4ca236b218a8ae36baf4d670dae5d2a7 |
| SHA1 | 3d54d2f4d93ca96e9bb7b863bf39d291fb67f494 |
| SHA256 | 76e9261ca9929d5793920ce3d9144af90bc16178cc649f75491108f8c583c5fb |
| SHA512 | e0c2cf3bba43e0a475d6ed31bc0d096edfdab3f98ff7eb83d3495b721dfe6dc20ca6827800d57b317a1078eedb5e50cca7a0a5654824378928852deb93b52e74 |
memory/2436-26-0x00007FF7FEB20000-0x00007FF7FEE74000-memory.dmp
C:\Windows\System\FJwKXGt.exe
| MD5 | 33bd30692a48d23312ebdf6b60df9d55 |
| SHA1 | 70241125c63e08a1d7ad13b7d432d3092855f79a |
| SHA256 | 11698780497e640bfd7f3cd2f5e6a9b6d19ea7210d6e8024e3350df0f0b1f829 |
| SHA512 | 833a92cef96c35dd20dd6365cdf4b26a2789230460db0cfdf39aad88a7b0c90dd0e2b933472588526af4f9c83b7d2c5469d76722224b9fa4eb1d71e405202448 |
memory/1028-31-0x00007FF6F1CC0000-0x00007FF6F2014000-memory.dmp
C:\Windows\System\YomHlFE.exe
| MD5 | 1adc22901023cd2142f4cc4c3ee6a6ec |
| SHA1 | 4ff220cc94d77c52b61ac47659f418f37facdb69 |
| SHA256 | f33f07bdeec4580ea3ee315a970ebeaa33a44a8efd6e484eaf6c916a31b0193c |
| SHA512 | 8fa5fbff1a9941fe7003c03151688c9e735f2203209db5569b18920a3a7dae2b9d1d6284e21a384beb2b0c570d479b491fc1810f1bf6d845f164ec8deff85986 |
memory/1608-37-0x00007FF7451C0000-0x00007FF745514000-memory.dmp
C:\Windows\System\nOEJGRj.exe
| MD5 | 63fac8af8a927c129d70c1d710e7ce14 |
| SHA1 | 15881a272ea75f90a8d8df076477f1c0acbc8d45 |
| SHA256 | 464bb9fa7cd6893a7440fa7c77e368a621f84b3c7535b04d9077eb37856ead9b |
| SHA512 | a84c15bb455c023c1bdbddeef026d2a20a0de74eb32b249b564e6bb669fb1d8ec030ef4a9a92db19d04bb98033d20d111dd06c2f98bb6adfb22d0803dbeb043c |
memory/4848-44-0x00007FF774340000-0x00007FF774694000-memory.dmp
C:\Windows\System\IPxYOLE.exe
| MD5 | 680dea1651a23363d38c48cda24a2fde |
| SHA1 | 3e1abf42e5921d6cae243e6660215ad036bd97a0 |
| SHA256 | f0b31cb94323afc4d495cd2ffd34370b43477ea51e6765078e9ba2c27be80d1f |
| SHA512 | c904d8ab3c03ad1c6710a70b09de1ca7ac8228221249b54f55eb9de638a63b46c9b2b816618cba921042b6147b37f6e8cc8a46158c6fd280fbce7c74519ddf9d |
memory/852-50-0x00007FF7C4F40000-0x00007FF7C5294000-memory.dmp
C:\Windows\System\UEjtbWA.exe
| MD5 | e7119e4f2ae9c41dd8150ecd4895c5ec |
| SHA1 | be15aa7aa4d540008115d093e9239ec485242926 |
| SHA256 | f654ce67f1bbd924df9db32fbfe54e6dccd77f8dd47e1c266097f2ec26005671 |
| SHA512 | 1c3927c29440516bb256d27eddba59dfaf8d364e340d04b1c376bbd062a4742863f9ee546ce97fcd84dc7d15ef8ab42c16777b9979a7e13ab2f6be2d3b61d394 |
memory/1624-56-0x00007FF6E2B90000-0x00007FF6E2EE4000-memory.dmp
C:\Windows\System\RAAJdXi.exe
| MD5 | 5c5a0696a3658285e4b93b04d11e0708 |
| SHA1 | 28cf49a292f4d80cbf8cc564091fa6f903344057 |
| SHA256 | b72de73a583dfab0ab0b78b26a3de9e176825c06de8728e72d34acea8e0b6a10 |
| SHA512 | 0529bf165a5195beed76a2458bea265544d0218436d45618eb2e1a32abaf2b56d5a05c2edf1a60f7c9de045cc70ed94951b9a01f9280ca2166046489f3b4638c |
C:\Windows\System\tfzMSpc.exe
| MD5 | 4b2646389edcc1cf380c8de3450e9096 |
| SHA1 | 29dceb8928ef7f18bed006d01bf24e77e711b842 |
| SHA256 | 8e2b284d454eff34f63069c91740f805ae1ff6a45b68583acb8db11cb3cdb162 |
| SHA512 | 8ee9c90fe0215c3107a628b705034a2ee2cf6c8475f308609361df11f7b08dfb3b57ab1cbf354dcbe40aa34adab87dd42bdd0edbf15f5c11528d6d66c48c3729 |
memory/1384-62-0x00007FF6D1B70000-0x00007FF6D1EC4000-memory.dmp
memory/3672-66-0x00007FF656610000-0x00007FF656964000-memory.dmp
memory/4468-67-0x00007FF76C0F0000-0x00007FF76C444000-memory.dmp
C:\Windows\System\UgJGjLX.exe
| MD5 | 40daff8711b3f5c949166b6cd74384d5 |
| SHA1 | e331a4d3c1b60f6cb72ff9d070f79a93ff83ebf1 |
| SHA256 | d3b63e9a3030b275980c8aaa8f33042d2dd9beffa8a973c587035f044c9b7f8b |
| SHA512 | 1a2e82ee37328e3d755b99041731914fe608552ec8ca052dbf9f3d7cb3119c698d8ad42384eeae1005e119e8a634d332aa201a11f6731939f9ddf89d19e27684 |
memory/3260-69-0x00007FF632D30000-0x00007FF633084000-memory.dmp
C:\Windows\System\ArNASEb.exe
| MD5 | 92b04a09f8220386a5ef25f141c7cb0d |
| SHA1 | 7778e943a7a32c16243c78d0d3ddf83f5a5f8b02 |
| SHA256 | 40a73ad5b9547a770aa27af4c33abed38a17cb528b2b73936bbcee1a0dff04b4 |
| SHA512 | cb19a5fd1b06bf4fe825174f01127ab20058718a4be1aabb9507407798cdcb49acfe2600db90f2e65a54e9b1c6f527705774317c97c062c425eb554ddc278d07 |
C:\Windows\System\FKZkVkg.exe
| MD5 | 734cc8a706bd20f1da3f177a7f5625f6 |
| SHA1 | 8f46ca99d632f507b2f5d6ef27999efab8e72cec |
| SHA256 | caf6ffb0a7ab0de227f226934ff031b8d7cbdda2e6415d573318eb2813a643c6 |
| SHA512 | 6261cb29f70bacdb66ef94fad71a270308520fcfe2004df99c0d68b043477ef7ff22fb7da8e150446039bcf905f2e317a369f790481243d65678854bf4e3008f |
C:\Windows\System\yZiybuc.exe
| MD5 | ab89ad3d5416d4625f891eb9924a6813 |
| SHA1 | db465a559742b9484ed09255047947c0b4b28d09 |
| SHA256 | e80b9375896c392f5a0fddbbd5e6b45179a2a7b6b9f7a9e3a70c5ae977b55a6d |
| SHA512 | 80f8e00be5b80abb3c34da6cddbcdf0e9bf4d31791cc72f2618b9e068065b20a1f80dc1e644898c9b70339026759f5b16f1937b5c6d2b541e72a89afee1d683a |
C:\Windows\System\BSReHzs.exe
| MD5 | d843f167128b75c75c6ad59186ef2646 |
| SHA1 | 99fd7df70fd8373abedcd2ee337999c6073013e6 |
| SHA256 | 8fd1d3b871a794bc0842ca68f15d706475316002c16f701ffa3d114fbd7af7f8 |
| SHA512 | 9dcb17dba074b08f12e640e3434089b8881a867473fef44a9d98ca56679d9dba0b4b6d14fbc308a6b1ebca0496f7bbcea29e6f19a5e46d0ba216ec18533a8909 |
C:\Windows\System\WmSJkuA.exe
| MD5 | 7530f496ddec799ce20172610d6feb41 |
| SHA1 | 36696164c4a8089f7975fcded86572504427b9e4 |
| SHA256 | 6bd8986f8ba031a51bda7959b9e3925f7ef94f0571b41eb09e5dba5bcb48819b |
| SHA512 | 67c4cfcb5adccfba6b652734ad8f9ac8e8a696965b8e2cbe85c3753d25676e5998ffe93c4bedc1443acb8aa2cc4fdd5353a73afa2a03c69915fc9e0eee47a952 |
C:\Windows\System\Atzmjpd.exe
| MD5 | f3b416fcf9c3c6b13c3167075977e569 |
| SHA1 | 9af1cea96c282d8e3ade12dc7b6347fdd9b10802 |
| SHA256 | efd1621b137d388ccf3fe0504eb1fc12f2b76f569e66e7fde9df608a1c89703e |
| SHA512 | fef6ad856c8dc12fcad799922d74bb8ef9e24385ddc11e94d3250f41aa466fb754050414b27b016c75dc96e9dfda2d21c249ba7cbc519e7595b9e2467ac9db51 |
C:\Windows\System\XEtewyR.exe
| MD5 | 44dc7ecf8fb351493f252d7229b990c3 |
| SHA1 | f3fe2037dfc1d96d675c4228b61c4d960412bb6c |
| SHA256 | 280dc842de05ddf661302bc6a39962cd6fffe61991bcbc5e0221d95a558033e4 |
| SHA512 | 6efa6e166a2b68b5cc1e268badae71eceaa9ef5f726d821cddb3681210da46619d394a6eb0c3898fe6c02f3a8a64162370fd9d04328e5968f3d4862aae7e84cf |
C:\Windows\System\xxDBLLH.exe
| MD5 | b5f720cc59045e623fcab756369b2de0 |
| SHA1 | 11fd070431c921f5b6a990572cc1a2d0b8ec8dd1 |
| SHA256 | 7e175602670a36e44a33822e8fc2b3eae88d53f9fe79b86d34775d5ba5d346d6 |
| SHA512 | 133920c9def89bb448fb26f9fdd4ee9ecb151edb97406fda9df8f7e9c73af5bb35d03e8061d56cbcd0b8a9636246b4e3b8a70b48eecd709815bbd655c9965bd6 |
C:\Windows\System\pwMAxIb.exe
| MD5 | 1f49df919b41f010d0ff60a08b92e75e |
| SHA1 | c4670b0520a09ca81e71c0c69fde467deaef594e |
| SHA256 | 3667babab86bb34abb4ca8beae0dea0faa100f1fa88f94694fceca4e32ffca02 |
| SHA512 | c50f371992f5bb0820d99c36781309c3e44d0cf2f3da91814209ae5f940100e82407f6639f2e010649f82f5f1439a46d0c88c295709fa58e7130cee50726e64b |
memory/4240-120-0x00007FF7BF280000-0x00007FF7BF5D4000-memory.dmp
memory/964-121-0x00007FF614110000-0x00007FF614464000-memory.dmp
memory/1652-123-0x00007FF716610000-0x00007FF716964000-memory.dmp
memory/2180-122-0x00007FF68C290000-0x00007FF68C5E4000-memory.dmp
memory/2452-125-0x00007FF7D0FE0000-0x00007FF7D1334000-memory.dmp
memory/3644-126-0x00007FF7A9B30000-0x00007FF7A9E84000-memory.dmp
memory/4104-127-0x00007FF60ABB0000-0x00007FF60AF04000-memory.dmp
memory/768-124-0x00007FF78F1B0000-0x00007FF78F504000-memory.dmp
memory/568-128-0x00007FF7A4A70000-0x00007FF7A4DC4000-memory.dmp
memory/4308-129-0x00007FF76E1E0000-0x00007FF76E534000-memory.dmp
memory/4316-130-0x00007FF6D9220000-0x00007FF6D9574000-memory.dmp
memory/2528-131-0x00007FF7424B0000-0x00007FF742804000-memory.dmp
memory/2436-132-0x00007FF7FEB20000-0x00007FF7FEE74000-memory.dmp
memory/1028-133-0x00007FF6F1CC0000-0x00007FF6F2014000-memory.dmp
memory/1608-134-0x00007FF7451C0000-0x00007FF745514000-memory.dmp
memory/852-135-0x00007FF7C4F40000-0x00007FF7C5294000-memory.dmp
memory/4468-136-0x00007FF76C0F0000-0x00007FF76C444000-memory.dmp
memory/4240-137-0x00007FF7BF280000-0x00007FF7BF5D4000-memory.dmp
memory/2528-138-0x00007FF7424B0000-0x00007FF742804000-memory.dmp
memory/2436-139-0x00007FF7FEB20000-0x00007FF7FEE74000-memory.dmp
memory/1028-140-0x00007FF6F1CC0000-0x00007FF6F2014000-memory.dmp
memory/1608-141-0x00007FF7451C0000-0x00007FF745514000-memory.dmp
memory/4848-142-0x00007FF774340000-0x00007FF774694000-memory.dmp
memory/852-143-0x00007FF7C4F40000-0x00007FF7C5294000-memory.dmp
memory/1624-144-0x00007FF6E2B90000-0x00007FF6E2EE4000-memory.dmp
memory/3260-145-0x00007FF632D30000-0x00007FF633084000-memory.dmp
memory/3672-146-0x00007FF656610000-0x00007FF656964000-memory.dmp
memory/964-147-0x00007FF614110000-0x00007FF614464000-memory.dmp
memory/3260-148-0x00007FF632D30000-0x00007FF633084000-memory.dmp
memory/2180-149-0x00007FF68C290000-0x00007FF68C5E4000-memory.dmp
memory/1652-150-0x00007FF716610000-0x00007FF716964000-memory.dmp
memory/768-151-0x00007FF78F1B0000-0x00007FF78F504000-memory.dmp
memory/2452-152-0x00007FF7D0FE0000-0x00007FF7D1334000-memory.dmp
memory/568-153-0x00007FF7A4A70000-0x00007FF7A4DC4000-memory.dmp
memory/3644-155-0x00007FF7A9B30000-0x00007FF7A9E84000-memory.dmp
memory/4104-154-0x00007FF60ABB0000-0x00007FF60AF04000-memory.dmp
memory/4316-156-0x00007FF6D9220000-0x00007FF6D9574000-memory.dmp
memory/4308-157-0x00007FF76E1E0000-0x00007FF76E534000-memory.dmp