Analysis Overview
SHA256
64a0bc5302d9fd527639653b5fd39485e8330096f143acc61b9caa11123bf0ae
Threat Level: Known bad
The file 2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
XMRig Miner payload
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Cobaltstrike family
Detects Reflective DLL injection artifacts
Xmrig family
xmrig
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-29 07:09
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 07:09
Reported
2024-06-29 07:11
Platform
win7-20240220-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\uJkEhnZ.exe | N/A |
| N/A | N/A | C:\Windows\System\AaTbjoR.exe | N/A |
| N/A | N/A | C:\Windows\System\HctTWMs.exe | N/A |
| N/A | N/A | C:\Windows\System\sWVaMjt.exe | N/A |
| N/A | N/A | C:\Windows\System\jeMeCMQ.exe | N/A |
| N/A | N/A | C:\Windows\System\zYLrAfP.exe | N/A |
| N/A | N/A | C:\Windows\System\MJCUupP.exe | N/A |
| N/A | N/A | C:\Windows\System\juoKySN.exe | N/A |
| N/A | N/A | C:\Windows\System\TSEcaRK.exe | N/A |
| N/A | N/A | C:\Windows\System\dYeCSHX.exe | N/A |
| N/A | N/A | C:\Windows\System\sdQvryn.exe | N/A |
| N/A | N/A | C:\Windows\System\lGEWyDM.exe | N/A |
| N/A | N/A | C:\Windows\System\jDNYIEL.exe | N/A |
| N/A | N/A | C:\Windows\System\sgMWsMF.exe | N/A |
| N/A | N/A | C:\Windows\System\eMZnrOn.exe | N/A |
| N/A | N/A | C:\Windows\System\ZpaxkKG.exe | N/A |
| N/A | N/A | C:\Windows\System\HPsolAO.exe | N/A |
| N/A | N/A | C:\Windows\System\KCGTWUs.exe | N/A |
| N/A | N/A | C:\Windows\System\WrFuTjh.exe | N/A |
| N/A | N/A | C:\Windows\System\GORwvuN.exe | N/A |
| N/A | N/A | C:\Windows\System\XhyrRYl.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\uJkEhnZ.exe
C:\Windows\System\uJkEhnZ.exe
C:\Windows\System\AaTbjoR.exe
C:\Windows\System\AaTbjoR.exe
C:\Windows\System\HctTWMs.exe
C:\Windows\System\HctTWMs.exe
C:\Windows\System\sWVaMjt.exe
C:\Windows\System\sWVaMjt.exe
C:\Windows\System\jeMeCMQ.exe
C:\Windows\System\jeMeCMQ.exe
C:\Windows\System\zYLrAfP.exe
C:\Windows\System\zYLrAfP.exe
C:\Windows\System\MJCUupP.exe
C:\Windows\System\MJCUupP.exe
C:\Windows\System\juoKySN.exe
C:\Windows\System\juoKySN.exe
C:\Windows\System\TSEcaRK.exe
C:\Windows\System\TSEcaRK.exe
C:\Windows\System\dYeCSHX.exe
C:\Windows\System\dYeCSHX.exe
C:\Windows\System\sdQvryn.exe
C:\Windows\System\sdQvryn.exe
C:\Windows\System\sgMWsMF.exe
C:\Windows\System\sgMWsMF.exe
C:\Windows\System\lGEWyDM.exe
C:\Windows\System\lGEWyDM.exe
C:\Windows\System\KCGTWUs.exe
C:\Windows\System\KCGTWUs.exe
C:\Windows\System\jDNYIEL.exe
C:\Windows\System\jDNYIEL.exe
C:\Windows\System\WrFuTjh.exe
C:\Windows\System\WrFuTjh.exe
C:\Windows\System\eMZnrOn.exe
C:\Windows\System\eMZnrOn.exe
C:\Windows\System\GORwvuN.exe
C:\Windows\System\GORwvuN.exe
C:\Windows\System\ZpaxkKG.exe
C:\Windows\System\ZpaxkKG.exe
C:\Windows\System\XhyrRYl.exe
C:\Windows\System\XhyrRYl.exe
C:\Windows\System\HPsolAO.exe
C:\Windows\System\HPsolAO.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2872-0-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2872-1-0x00000000001F0000-0x0000000000200000-memory.dmp
C:\Windows\system\uJkEhnZ.exe
| MD5 | c1e162e46ba0931f8bb88ca1290144b0 |
| SHA1 | 34d0d292ef491627b30f5ddd7db5de3f3666f928 |
| SHA256 | 1bfae5069a0ebc592de06af8385905e9a4934ad91ad4c88e2fc88653f240f061 |
| SHA512 | 9626f8404add3326cb7506a756d0198c744d516aa971daab7e25f65e376472a719bbc875b31f1eca76d9fccdec42481ffc0c1ea484351beb7ced282181ad6e2c |
\Windows\system\AaTbjoR.exe
| MD5 | aaeb111ca64d0432710ae9e8e19064ad |
| SHA1 | 88482a436617fc60d383c51b669e094766b701e0 |
| SHA256 | 6e90cbd2b81f513401dcda549986a5271767091041c05b17f9afd6c7e1069d70 |
| SHA512 | 0dfdfbbb75ecf911e6c8295dc42b43b76dbce4c178217e85676556e3f19d9af2f60334ebab23f66f64e3d220637c6bfe5fc0386a5f84e0827c01f824525ef183 |
memory/2872-14-0x000000013FFF0000-0x0000000140344000-memory.dmp
\Windows\system\HctTWMs.exe
| MD5 | 041d0f583fdde7097d2a6a409bd23d4d |
| SHA1 | a1b30eb263d6bf802cdcc77aa285aca590571dfd |
| SHA256 | 38d7d9bc62c6ffc9725c33aaf9bd5061b20280c2062097e7564a5f2c3a653f75 |
| SHA512 | c2e369ba7fdc5b237bfb70701847c88b9a65eec274816e8f4d964d0393dbe130bf0713bc2ed26b88cc104824841348b2fe21537b706af429b6ad1736c5aa3ab8 |
\Windows\system\sWVaMjt.exe
| MD5 | ee22fef5fc35b97d627df7fd2e361f6b |
| SHA1 | 60e25d4dc14069e00463d732bdbff8b9ff0da43e |
| SHA256 | 54ce8c07e6a2b9fa4ce4190cde2bab04c7fa0650777b0bf3ad78d4f519cb555a |
| SHA512 | 08185617dbe01437b935d810da999c53df35c4bc49c046ca60d4eb4fb113e753f963c2ad548327065c5858fda017af6128cc405bd3f912ca079a237fd7f5fadd |
memory/2564-34-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2744-37-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2648-36-0x000000013F290000-0x000000013F5E4000-memory.dmp
C:\Windows\system\zYLrAfP.exe
| MD5 | 698f1f1981c7192f86a4f22d32da58bc |
| SHA1 | b25be498808ae951702f2f4d4de49d8a64bb6569 |
| SHA256 | a9483732ad07e6d646d033068c825056a81f1a500d6c11518af7ac2855e892ce |
| SHA512 | f770007107213fa1cb0f4ba939f39d920c479b452760fb588152289c4b8cd122a079410ade6cefc97c74ea35b569a90ca2238f0383f518d893bc6bfa5727ab33 |
C:\Windows\system\MJCUupP.exe
| MD5 | a31bed0b5c4c65e70dee6fa76bba1b71 |
| SHA1 | 6f6b70d115deff2eabe4e0a5fd1216bc4a1f2eeb |
| SHA256 | 14634bfa6cb44d4bb2c588c124444dc969ca1af1c149940bb9af752a0d102f2d |
| SHA512 | 9f97035295daa050968f44a3e859fa40bb6113abb5884d10de61fe2aab10cdc677d7cccf82503a71eea8b414f5e7dc16d651dd4ec2684cd32031ed340bd06749 |
memory/2608-50-0x000000013F7E0000-0x000000013FB34000-memory.dmp
memory/2872-56-0x000000013FD50000-0x00000001400A4000-memory.dmp
C:\Windows\system\TSEcaRK.exe
| MD5 | 9f19216e94110b0ad038f5a58d3df473 |
| SHA1 | bf7695b91739bfbe669aa5cdfa8bc156db37f055 |
| SHA256 | df086a7cd11b1f5ab510301933190320851ae6be228f4a522da477ca653a3f9e |
| SHA512 | 8f1fda8e684b80933b064e5839000e9b4a4eecd3d99131e4a5bb5e878550df5b6cddd573dc3157f277043b5248557666102ea49a06460542d783482ea90075be |
memory/2824-64-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/1860-119-0x000000013F600000-0x000000013F954000-memory.dmp
\Windows\system\KCGTWUs.exe
| MD5 | 8b5ac45f9f3a9512f42037e49e0cbd9d |
| SHA1 | 5b4cc895769fb26eb58673ff3ee8352bf9924b99 |
| SHA256 | 4ac688b07151abc0f14464d593eb2dce8592a8650493abdd313726cbc085f4b8 |
| SHA512 | 107ecf02c81154f4fb5cf5a4f3f8f4ac81045ba1ffa3cbdf7664cc3f8d86c53b841733db4e0da4fa350ceb9cea82e69a333ffdb3ad08ea372f6b214089814340 |
C:\Windows\system\ZpaxkKG.exe
| MD5 | 8680224f16dda7dc8bca943bdba0539c |
| SHA1 | 4bd1894aaed557114f5cb2920c7ede49e1e6e7e6 |
| SHA256 | aac0d1a5b5490c91e5bbec028abeaacaf30962b5165665b7e46c188690272246 |
| SHA512 | 8bcff3edf975595afd321084c01d98dc08869d36749afd9cfe24a5688586bd2ecdb2b464562f33da4ce7fd23e41caa29fc3f47cc3f3bd802384b60af605bbb00 |
C:\Windows\system\eMZnrOn.exe
| MD5 | 98391c15ed028485edf7daf2b85dddd0 |
| SHA1 | b0efac81af78aebf112e58e655ec62249da3c8d9 |
| SHA256 | e3990c8f011c4cc6399b45c6476178ae21d2e76efd668a8430ac830a52b141c3 |
| SHA512 | 0fe76f0750ffafed47c0796343be8eb83fff78cdafad0f5d8afc453b270b06d3df620314b0800244591fc6689e17c43f730b41a8e61ff8196ec2060b7f039f7a |
memory/2872-114-0x0000000002430000-0x0000000002784000-memory.dmp
memory/1464-112-0x000000013F310000-0x000000013F664000-memory.dmp
C:\Windows\system\sgMWsMF.exe
| MD5 | 5369c403ab2daa962c3915ca54f65c85 |
| SHA1 | 7e9d9866c625aa3cc2387114318b160c3fbbe281 |
| SHA256 | 656e7a08f86bca912df926857325ed921407eb8f5b884d649d919868c7ac720f |
| SHA512 | afa52ec4ced46505c74849961675bbb81eb36cf6524b5d802332603a2b5ac3d8cd0b41ceded75545e8716893ebe85dd7f26b7f610e47538382baa82a7574a35d |
memory/2872-109-0x000000013F820000-0x000000013FB74000-memory.dmp
\Windows\system\XhyrRYl.exe
| MD5 | 366b56dfedddeae5f472cf7f479e5dd5 |
| SHA1 | 0dfed35b1a141838a6ce3613102674f9dbb2f59b |
| SHA256 | c00f792e7f680502eab53361810dea1205a8b4162dc8a1a102d8a9730591b10a |
| SHA512 | 2bbcafd171f548ad28513dd70e46b607cf2405b7749747de313b7c2afb4633e835c0b4fa1a66ed67eb2972741a0f727fee8c50f8b290ce1ff215be937e7e67b5 |
\Windows\system\GORwvuN.exe
| MD5 | 2987b4e13f4509e792a46b142a9c2072 |
| SHA1 | d44207377f8d158f407f015fd22eaf096c5536a2 |
| SHA256 | b7b328b32bad4064331f1d9bdd0c27ab1785f27213d849390467078eb9c451a0 |
| SHA512 | 28845aa8d1369a6d2b46f138ef6ed097ae54c076c2ac3977e188326d78314734adb0cc2d874bbd1d525328903df6ea64e63da311c5f39681eeedba876b597cfe |
C:\Windows\system\jDNYIEL.exe
| MD5 | 04e2e3c9ec6dfdf32134bb935da76660 |
| SHA1 | dba20c1afcfb5f208deff2dc6d8b287132adb3f0 |
| SHA256 | d3a423b8000d7d42a8fe238d7479df43a07735e64c5808b2666325bdb3e263e7 |
| SHA512 | fceaf5aa36219e27e212340b01d801710517c473ae75ad468dfbcd555986065af27c0ce7ec59f2badb80498fd70f52b41cf2290cbd8f0d498ba8dbc6572aa94b |
\Windows\system\WrFuTjh.exe
| MD5 | eb450f14267e1ea8aad88219d28c8875 |
| SHA1 | 1feb97a2175d9053aacb0bc125cb9f55bb8dcb0e |
| SHA256 | 61bfd522db6a8001f4b8b4c16ebfcab71069b11e217934ce3acb364daf461e96 |
| SHA512 | 8c41e7c210ac4250daaeb0f8b6cb1c5a10946fc89416c016f95d4f1bb07c376cf768714ae786b844117a4f679ea7d525b3a2fdcd7dc4237c5f3814b5ec8dcc44 |
memory/2872-123-0x000000013F600000-0x000000013F954000-memory.dmp
C:\Windows\system\HPsolAO.exe
| MD5 | 0c5f6d07974faec92ea1e040de85b8ef |
| SHA1 | 55a4dc860286f1fecd832488549b28751030b192 |
| SHA256 | 2e4edfdcd71620e6766487d8d37cd414ee7f8f10f6b1c9edbeac71858c4ea2ea |
| SHA512 | 35f007321d9a1c24403abb68b34717607d67f65473ef94fd6d81d31a1bacda1b8b2d09fbba34a09506c3ba8cc7c3047ea959e37d98a66e84be0cab61d0f6d5c3 |
memory/2872-121-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2872-120-0x0000000002430000-0x0000000002784000-memory.dmp
memory/2832-71-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2872-70-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2872-128-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2004-99-0x000000013F2F0000-0x000000013F644000-memory.dmp
C:\Windows\system\lGEWyDM.exe
| MD5 | ed653e1e6008cf7ab96c15b4e3494f7d |
| SHA1 | 0653f5d60cc3a890dd65fccf32e35649f8761c52 |
| SHA256 | 14efd9655e29aa74dfd256e43851587ffae3e34a1d9b98613e432d357d395e92 |
| SHA512 | e4ce77311f55c182bfa92c17456d0f8a54e4b0d45941cbfa313e7345e169c2c643e6c9eb5853dfd7936c0acae94654da0f838df50cb27eb352d7376c507694f5 |
C:\Windows\system\sdQvryn.exe
| MD5 | c84c7cad24c2885866187148f105e43b |
| SHA1 | ecb3719b6f80b128a286a307e25144fcfdf0ef4b |
| SHA256 | 5454f59c5179e0c7a0081eb9676994eb84a08c948b82306c9ed6766618cbad6f |
| SHA512 | 081b25d2bb1d290a455db2a3cbda680e9c5cd5675911b93e91043c02c48c82e782600a88cfda13f55daac1f2a84733f994ab6c5abd77dc3e54b49497f56d56ef |
C:\Windows\system\dYeCSHX.exe
| MD5 | 0e29997b153fdee8a3ccd8140ea246ef |
| SHA1 | e602c74e0d63d4f3c2513a5588c6aa8e141a9774 |
| SHA256 | b0eafc57781591c634a99891a567dfaf39332d2040833fe9887481585a7e8f89 |
| SHA512 | 4005c767045c65f531596d5007aae1d5ea0f2086f8f70fbf5053614e0feae12fd2c317cfd118c8716eb538996b78ed60c3379959ad5f02026c8257baa370a0ab |
memory/2872-63-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2476-57-0x000000013FD50000-0x00000001400A4000-memory.dmp
C:\Windows\system\juoKySN.exe
| MD5 | 8d5c4686f018a8f0c6e50a2f25f17128 |
| SHA1 | fc71fc499a63e97c06dfd6f48b199a753999d9db |
| SHA256 | 776b0eebaaa1d133db12fa5a782b451e2989527f8c9c71b67749d7c5a4b187f0 |
| SHA512 | 8dd5b44c747ace0c4bc4123357248d8f39085563631196e0bf2191b8f9cd33b836a17f8cc3f16a6d60aa25efe1b22915d40156c2a92c43bc46fbf9574d63a0cf |
memory/2872-49-0x000000013F7E0000-0x000000013FB34000-memory.dmp
memory/2588-43-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2872-42-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2872-35-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2872-33-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2872-31-0x0000000002430000-0x0000000002784000-memory.dmp
C:\Windows\system\jeMeCMQ.exe
| MD5 | 3c7a7365069678b70b60135652f86212 |
| SHA1 | d03185b7041b98cd641f00c1c8d78337efb65f6e |
| SHA256 | 35ba5f37e930e2e39a60febbb4cd0e657a59878f77d0ac69d3003e0444b7d907 |
| SHA512 | b7251ac36c96446805ee53944271e981cd10ea6ef6b1f59c7070f50c92891c9a94e2a2a55338991dfdd3079e6b2df7b42fb64b987abd3d09b539835f93aa714c |
memory/2560-28-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2872-27-0x0000000002430000-0x0000000002784000-memory.dmp
memory/2108-20-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2588-136-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2608-137-0x000000013F7E0000-0x000000013FB34000-memory.dmp
memory/2872-138-0x0000000002430000-0x0000000002784000-memory.dmp
memory/2108-139-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2560-140-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2564-141-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2744-143-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2648-142-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2588-144-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2476-145-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2824-146-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2832-147-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2004-148-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/1860-150-0x000000013F600000-0x000000013F954000-memory.dmp
memory/1464-149-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2608-151-0x000000013F7E0000-0x000000013FB34000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 07:09
Reported
2024-06-29 07:11
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xtFkzNR.exe | N/A |
| N/A | N/A | C:\Windows\System\VRNjlPG.exe | N/A |
| N/A | N/A | C:\Windows\System\qUcyoXv.exe | N/A |
| N/A | N/A | C:\Windows\System\SWzlgKe.exe | N/A |
| N/A | N/A | C:\Windows\System\zNJZXuL.exe | N/A |
| N/A | N/A | C:\Windows\System\BiqfWFc.exe | N/A |
| N/A | N/A | C:\Windows\System\WusEmXY.exe | N/A |
| N/A | N/A | C:\Windows\System\BBaGDUi.exe | N/A |
| N/A | N/A | C:\Windows\System\VDEzOjM.exe | N/A |
| N/A | N/A | C:\Windows\System\xHvSTLA.exe | N/A |
| N/A | N/A | C:\Windows\System\XowUmli.exe | N/A |
| N/A | N/A | C:\Windows\System\sGINYuw.exe | N/A |
| N/A | N/A | C:\Windows\System\rHciSIy.exe | N/A |
| N/A | N/A | C:\Windows\System\mPMyczO.exe | N/A |
| N/A | N/A | C:\Windows\System\ajyOLTv.exe | N/A |
| N/A | N/A | C:\Windows\System\fXuGbTk.exe | N/A |
| N/A | N/A | C:\Windows\System\vVnWNjS.exe | N/A |
| N/A | N/A | C:\Windows\System\DKvEDLT.exe | N/A |
| N/A | N/A | C:\Windows\System\SWaJbdf.exe | N/A |
| N/A | N/A | C:\Windows\System\mSfVNUq.exe | N/A |
| N/A | N/A | C:\Windows\System\TJADsDn.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\xtFkzNR.exe
C:\Windows\System\xtFkzNR.exe
C:\Windows\System\VRNjlPG.exe
C:\Windows\System\VRNjlPG.exe
C:\Windows\System\qUcyoXv.exe
C:\Windows\System\qUcyoXv.exe
C:\Windows\System\SWzlgKe.exe
C:\Windows\System\SWzlgKe.exe
C:\Windows\System\zNJZXuL.exe
C:\Windows\System\zNJZXuL.exe
C:\Windows\System\BiqfWFc.exe
C:\Windows\System\BiqfWFc.exe
C:\Windows\System\WusEmXY.exe
C:\Windows\System\WusEmXY.exe
C:\Windows\System\BBaGDUi.exe
C:\Windows\System\BBaGDUi.exe
C:\Windows\System\VDEzOjM.exe
C:\Windows\System\VDEzOjM.exe
C:\Windows\System\xHvSTLA.exe
C:\Windows\System\xHvSTLA.exe
C:\Windows\System\XowUmli.exe
C:\Windows\System\XowUmli.exe
C:\Windows\System\sGINYuw.exe
C:\Windows\System\sGINYuw.exe
C:\Windows\System\rHciSIy.exe
C:\Windows\System\rHciSIy.exe
C:\Windows\System\mPMyczO.exe
C:\Windows\System\mPMyczO.exe
C:\Windows\System\ajyOLTv.exe
C:\Windows\System\ajyOLTv.exe
C:\Windows\System\fXuGbTk.exe
C:\Windows\System\fXuGbTk.exe
C:\Windows\System\vVnWNjS.exe
C:\Windows\System\vVnWNjS.exe
C:\Windows\System\DKvEDLT.exe
C:\Windows\System\DKvEDLT.exe
C:\Windows\System\SWaJbdf.exe
C:\Windows\System\SWaJbdf.exe
C:\Windows\System\mSfVNUq.exe
C:\Windows\System\mSfVNUq.exe
C:\Windows\System\TJADsDn.exe
C:\Windows\System\TJADsDn.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2736,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4616 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/216-0-0x00007FF643E90000-0x00007FF6441E4000-memory.dmp
memory/216-1-0x00000147F4D60000-0x00000147F4D70000-memory.dmp
C:\Windows\System\xtFkzNR.exe
| MD5 | 98e6eee31e8467c2f09041b0e19bf324 |
| SHA1 | bfb915e387bab5a592153fb8ce8d220a9db21b52 |
| SHA256 | f024483f130592f9a167b7cdc3afb955c0643b6edfe381b4d1d389da740a6802 |
| SHA512 | 1160abe96ca05880283472da43e9d3ca5db025cc43b7b5b43f4cd7cc1de7cf2288fb357fabbe3210e909f6b38f0505e2f93d2b10a56cca0ba39de1da876903e8 |
C:\Windows\System\qUcyoXv.exe
| MD5 | dcb2faae45f31423457139999ec8e8a5 |
| SHA1 | 5cf9568f386d8c00268942775b02429b75a6e9d7 |
| SHA256 | 380863397e645347153178c7861ed803e972d09a548366c07857c23cc5e15d1a |
| SHA512 | 4b2bbecf8f51350d84caad7bdeabe8e5e1e140ba3bb60a3e0f00bd3e1067cbd3f89e51ff3af6b052c3b87564025310fce6b8bfd9cec081b2ec847a3435f4db36 |
memory/4236-12-0x00007FF615840000-0x00007FF615B94000-memory.dmp
C:\Windows\System\VRNjlPG.exe
| MD5 | 579d16f3ec819cbf0aa20cfab7e8eba8 |
| SHA1 | 95acc3c692e9b0f5cae7b9dbcbf88526691a9611 |
| SHA256 | e10e2c9268eceda9840070078d2e31be4f61f252247805f3e49c938cf3f0bf9b |
| SHA512 | de7d539c4266aa8d44015be4310db6e4eb1a38011e0a18e88c614893acd656c19da2088accc5df17ea471319d0e63bf751bd270ac3116409e72179f854a488cb |
memory/3768-11-0x00007FF66D170000-0x00007FF66D4C4000-memory.dmp
C:\Windows\System\SWzlgKe.exe
| MD5 | f0cf8a88023d673fa86620d623445ac7 |
| SHA1 | c3a23e54a3da3fa194f8f87ae98f260e5a172857 |
| SHA256 | 9138a47660bea74185a13b24d5e97072432f8b7ce1262e2913bb4af584f1fe78 |
| SHA512 | 698d355ff1fe08c0f2ca21456110bf12d8305c5e4b55b1fcafb7e53d2df1bbd1f18c7fe1f6df4acde134a970025028d5bf91d5ca5c80cb2350725b826e91a865 |
memory/1028-22-0x00007FF69E110000-0x00007FF69E464000-memory.dmp
C:\Windows\System\zNJZXuL.exe
| MD5 | 14b50c270ea08de158f9d0cfb047b23b |
| SHA1 | 3e74845e2f27cc400c863b29dfa02eb053c3480f |
| SHA256 | bfd17a01c42af357673f211cbf3de724bd276e29b7f2dceb6aedcfe0bffee5f0 |
| SHA512 | 0eaa8b1cec9d483eebfd9a40d0df663a8e4550f086045a9e833ab66985ceac05a2f871d98bd68de8331a866ee0303204b9d3099197e22c0a695998677bc0d6f6 |
C:\Windows\System\BiqfWFc.exe
| MD5 | c9f92b8721c140211cd64907919e2dbe |
| SHA1 | 835834d854796392c01c6b7265f7014b15fc7202 |
| SHA256 | 72ace101eb22b4acdfb3b0181d29594d156696e849e579cfac5111e2b46ab528 |
| SHA512 | 4b671896eb716b0f9d6be40d266e938a508d3c05a1bb2ad6c8aace989706f57e3cb94377275021f998a3b0ef30b60f819eb3459794806c11b0896f3b536fe35b |
C:\Windows\System\BBaGDUi.exe
| MD5 | a1d7fec84b75dd98a1b3559fc50bcfe5 |
| SHA1 | 7dbe6a786e2ee10d935701e3b37475c7760afa8b |
| SHA256 | a856307e47d20e95969d83d5935774bb1ece5049aec4a96b6c2bb979f82f13a6 |
| SHA512 | 65343703ea1601eddd83480acc9ab709d66f44ea2a6f05250775755bd3b9e1cf6864f86bb9c2581061df5f9480643bb601f36dd3806e03854dc2ef8dbed0859f |
C:\Windows\System\VDEzOjM.exe
| MD5 | 0d66d2ceccfed69d73a9bba2468bdcca |
| SHA1 | 2a3e7a2887426dbd58166fa89942649373019b17 |
| SHA256 | 5284f9595114b3a478939b57c75af03a44c99746e17420bf43e743beae30f20e |
| SHA512 | 5b407b2cee10bd7b8f9410f3cef0616fe43b362ec367868a560628a33486faaca3ca79d636f4824139d495bb0a73767c3042892066824eacb4ec8f5886c7e1a2 |
C:\Windows\System\xHvSTLA.exe
| MD5 | fd1776f1b3b0da7a206560861ae6b64b |
| SHA1 | 84df1f72cb512b65230af809d7ebf08f66ce3c0b |
| SHA256 | 9e7d9d0b8375c7840dd9f9fcb47a95b83190d548a0e306e41fb2b2724ba35907 |
| SHA512 | cb1d7ead01117daba02318d983a38333e61113dc78c805828b447290f849032ba0cafac4ebc91a90c7c3aaf3359ef9c711145d65811f381c9d236d19674eefb6 |
C:\Windows\System\sGINYuw.exe
| MD5 | c63d4a65e705954162e71cc96ab531ce |
| SHA1 | 44d7c7c22c6868f045409fc81fdd80519d306620 |
| SHA256 | d7e93d1e440b9b22368a0603490a14514acbe76e09172859478eb9e0ed265f85 |
| SHA512 | ab3302b824be3477c338557b47eaa9a785758f21954fbec8f24d12a7d3e857454748ac0a4768d176b9a58a3b891d30998468bd7168f8fd71adc8b31c09f4a828 |
C:\Windows\System\SWaJbdf.exe
| MD5 | 14d3fcbb2eb54cebe2f6a4763b1df1b4 |
| SHA1 | 595b130b2569f1b77df749f9bff312e1a34e272b |
| SHA256 | 68c2e72f5b556e20f5c95a08162cef96894d6557a61ade170c3fb26d0cbeafd0 |
| SHA512 | 7ff9b327ac4e7302f47c3001417a6f0bb37d3e63adea7c7a001b2044d14af5af0791300592c3e03f45253e93de992b31b9e8f2cac74df3ac11932a73aeccb5c7 |
C:\Windows\System\TJADsDn.exe
| MD5 | 34c6e7594e987e79c615500afa2fc653 |
| SHA1 | 511611c46b077b9ddd789635a945853c5e9fd914 |
| SHA256 | b230bc4b738cd28699585efa652e3fa473d37666e6a20faf5d6f319f8748956d |
| SHA512 | 242fb9a6224463921acb60cb7dd70a10261ae6a058532deac37d2ba6e2996f85cd09a883263eef1a1b19c5872768223356c5383ab622c480af71411a6efa6b24 |
C:\Windows\System\mSfVNUq.exe
| MD5 | 679988957f8b229d9564879e03c63c72 |
| SHA1 | 4f04790f98a23db2fd3a29d5d846f52452bf90ce |
| SHA256 | a9da683414d40ef3d14e9e7826351ce4c8a6c318bf98e69dcf0f4bee32cc165e |
| SHA512 | b7ba31bf2be7fc9b64f6a209db3c0b91e0543ab6677aed90a7d46cfece841db9374413568d14d189b51f8c9bd65f5b1041ecdc11d1d2b35afb7dfbfc96643591 |
C:\Windows\System\DKvEDLT.exe
| MD5 | e16bf9e6fa3e94d01a8c1b0b524a0773 |
| SHA1 | 04361b99dfd130dc305f243ae2231e1d548f5823 |
| SHA256 | 553d446ab77a11926af9f7a7135085e8b1fbb1d3d6ee755500238913c9d354fc |
| SHA512 | 9aff2c3519cdfba011019a37d66e590ee9255f600050e8b121398cd1e7ad96da236e1d01fc9177d9941b88b0c534fe6ad75c907f3c9cddba9904e2fcbe0f4549 |
C:\Windows\System\vVnWNjS.exe
| MD5 | 22f29600420ba6749b55d599f2c6958e |
| SHA1 | e1c1134d096c1b283f8563bce3fb062cc525334f |
| SHA256 | 82e347af83b0a9f7d29e273dc601ef97ff311d149a807647f60ca4bd985c4703 |
| SHA512 | a55a307e11007be5d9ad94dbbbe577e7f9c6fdb76acd19760995ab448a403fd4a3e855f48ab89cfa37db59e85d4523a42f1512dff364257dcea0aca7418c0df0 |
C:\Windows\System\fXuGbTk.exe
| MD5 | 187fdc7409d00294822a1c95532a927f |
| SHA1 | ca41d54118b3e5a06c00ddadecb86c189f3b817d |
| SHA256 | 3aed9eed1ba9da74a74880904b0a7f41a1b092f158d022796ad10d5cfa40c7b6 |
| SHA512 | bc5ac9e4f443837a55d8d37023dbc4344eaf77e79325f494fdc675a7fa81cb769205d7e3bee9b071e550c3bdad86e6c2c79f4d3e27ab5231e2d37dbab2fabe1f |
C:\Windows\System\ajyOLTv.exe
| MD5 | 831aa6a12dda49102520e21dc7127b3f |
| SHA1 | 5782f5efe41c3c8399ba8c4457c65a7cba962281 |
| SHA256 | de21a4a3a502312e116d6985755d24535bcdc30d077b5fc7a269b683b6a3e6a5 |
| SHA512 | f9c18f7ad9356d04b6d53a5c14c1a195769ebfca95ae8c138b3c91d248b038e5043b03d8ac992d86eda458b29bc6ed3fff7bb23620c207c38f2653384397e1fe |
C:\Windows\System\mPMyczO.exe
| MD5 | afaaab4ea98cf47bbe8867d451de6f38 |
| SHA1 | 31e515e7804350e03966ced5c2852428323cd171 |
| SHA256 | 95f489b053a113db931f063d62400144a6da97b5946362423023667c8d2441e3 |
| SHA512 | a7dc69ff18cf53243308f5c4c2cadc58888cc25b8cef1c57476313c04a462d103542a00315659c43e7ada4d66ca3829f90f0e3b6f21ace1e6aa5de884761e39e |
C:\Windows\System\rHciSIy.exe
| MD5 | 8f977dfa47654bb6c5310f0428ff179c |
| SHA1 | 85c27827fde2b6cd8b5a1ae33711791ece584762 |
| SHA256 | 0f1539a218fe2de461bf291b8da04ea951d97c669e0c81ad58b75883a68cfb6c |
| SHA512 | a7234abd143a392d3ec7a9d95c669ca43f2d79c6c3a37661dd7f02bb18cdf169cdbeeccfd576150132035948272c129abe4b9ec250b3c7b71a03a10245807b71 |
C:\Windows\System\XowUmli.exe
| MD5 | 0f6c48b71a59ceb5e38891fbb7c0639e |
| SHA1 | 2b8889769db207ee39f2c5eae5b55189a9158aa6 |
| SHA256 | 13e749ffe0a8c7750bcf7df324062f562752cbf27c1f9bc2c837668eaee609ad |
| SHA512 | 7d6cdce2ef86610cc80071287ca83e68f49b0c5b95956d161cc422333dcbb76c961f00d366f55119e5d259064a7083e36c34fdefdcb3e0fa6e260992df30c0a0 |
C:\Windows\System\WusEmXY.exe
| MD5 | 5d8004e1905e5beb8473f024ca976f72 |
| SHA1 | a9e99f63b258e013a0a61e517bc057a2e3780a83 |
| SHA256 | c352cdbc019bf0c9a60b7c9ba369252349e54c9c454f70c922f2ce5760c18fec |
| SHA512 | 44e8200d890ea178d6fde6d69c1b048930ee08786fd2c0e2d215601108c893e2bed18d4fee3964a2bf11ea7711180fa6296766f1af41321a5e7637d121ff8ba9 |
memory/2484-34-0x00007FF76DC80000-0x00007FF76DFD4000-memory.dmp
memory/2128-26-0x00007FF62EB70000-0x00007FF62EEC4000-memory.dmp
memory/1948-112-0x00007FF6EEEE0000-0x00007FF6EF234000-memory.dmp
memory/5112-113-0x00007FF7A7940000-0x00007FF7A7C94000-memory.dmp
memory/3192-114-0x00007FF702EC0000-0x00007FF703214000-memory.dmp
memory/3508-115-0x00007FF65A600000-0x00007FF65A954000-memory.dmp
memory/1932-117-0x00007FF773BC0000-0x00007FF773F14000-memory.dmp
memory/3536-118-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp
memory/3276-120-0x00007FF7E2BC0000-0x00007FF7E2F14000-memory.dmp
memory/2448-121-0x00007FF739980000-0x00007FF739CD4000-memory.dmp
memory/4924-123-0x00007FF664FB0000-0x00007FF665304000-memory.dmp
memory/1144-125-0x00007FF746760000-0x00007FF746AB4000-memory.dmp
memory/4056-127-0x00007FF74EE30000-0x00007FF74F184000-memory.dmp
memory/3784-126-0x00007FF6E8CF0000-0x00007FF6E9044000-memory.dmp
memory/4228-124-0x00007FF738D60000-0x00007FF7390B4000-memory.dmp
memory/1636-122-0x00007FF674440000-0x00007FF674794000-memory.dmp
memory/5080-119-0x00007FF610360000-0x00007FF6106B4000-memory.dmp
memory/1904-116-0x00007FF6DE3E0000-0x00007FF6DE734000-memory.dmp
memory/216-128-0x00007FF643E90000-0x00007FF6441E4000-memory.dmp
memory/4236-129-0x00007FF615840000-0x00007FF615B94000-memory.dmp
memory/3768-130-0x00007FF66D170000-0x00007FF66D4C4000-memory.dmp
memory/4236-131-0x00007FF615840000-0x00007FF615B94000-memory.dmp
memory/1028-132-0x00007FF69E110000-0x00007FF69E464000-memory.dmp
memory/2128-133-0x00007FF62EB70000-0x00007FF62EEC4000-memory.dmp
memory/2484-134-0x00007FF76DC80000-0x00007FF76DFD4000-memory.dmp
memory/1948-135-0x00007FF6EEEE0000-0x00007FF6EF234000-memory.dmp
memory/3192-136-0x00007FF702EC0000-0x00007FF703214000-memory.dmp
memory/5112-137-0x00007FF7A7940000-0x00007FF7A7C94000-memory.dmp
memory/3508-138-0x00007FF65A600000-0x00007FF65A954000-memory.dmp
memory/1904-140-0x00007FF6DE3E0000-0x00007FF6DE734000-memory.dmp
memory/3276-141-0x00007FF7E2BC0000-0x00007FF7E2F14000-memory.dmp
memory/5080-144-0x00007FF610360000-0x00007FF6106B4000-memory.dmp
memory/1932-143-0x00007FF773BC0000-0x00007FF773F14000-memory.dmp
memory/3536-146-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp
memory/4924-145-0x00007FF664FB0000-0x00007FF665304000-memory.dmp
memory/1636-142-0x00007FF674440000-0x00007FF674794000-memory.dmp
memory/2448-139-0x00007FF739980000-0x00007FF739CD4000-memory.dmp
memory/3784-148-0x00007FF6E8CF0000-0x00007FF6E9044000-memory.dmp
memory/1144-149-0x00007FF746760000-0x00007FF746AB4000-memory.dmp
memory/4056-147-0x00007FF74EE30000-0x00007FF74F184000-memory.dmp
memory/4228-150-0x00007FF738D60000-0x00007FF7390B4000-memory.dmp