Analysis Overview
SHA256
da4889eae0a9dcba87de468da19d5fc1ec5b16e673419eb8b9d43bed09f7e7ff
Threat Level: Known bad
The file 2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
Cobaltstrike
XMRig Miner payload
Xmrig family
UPX dump on OEP (original entry point)
xmrig
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-29 14:35
Signatures
Cobalt Strike reflective loader
1 match recorded; description, indicator, process and target were not captured in this export.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match recorded; description, indicator, process and target were not captured in this export.
UPX dump on OEP (original entry point)
1 match recorded; description, indicator, process and target were not captured in this export.
XMRig Miner payload
1 match recorded; description, indicator, process and target were not captured in this export.
Xmrig family
UPX packed file
1 match recorded; description, indicator, process and target were not captured in this export.
Unsigned PE
1 match recorded; description, indicator, process and target were not captured in this export.
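The static signatures above ("UPX packed file", "Unsigned PE") report only a verdict. The check below is an added example, not the sandbox's own signature logic: it parses the PE headers with the standard library alone and reports whether the default UPX section names (UPX0, UPX1) are present and whether the entry point falls inside UPX1, where UPX places its decompression stub. The build_pe helper constructs minimal test images in memory; they are not the files from this report. A packer that renames its sections will not trigger the check, so "clean" means "no evidence", not "not packed"; the "UPX dump on OEP" signature in the behavioral runs is a dynamic unpacking result and does not depend on this kind of static check.

```python
import struct

SEC_CODE_XR = 0x60000020  # IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ, used for the constructed images


def build_pe(section_names, entry_rva, is_64=True):
    """Build a minimal in-memory PE image (constructed test input, not one of the dropped files).
    Each section gets 0x1000 bytes of virtual space, the first starting at RVA 0x1000."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature directly after the DOS header
    opt_size = 240 if is_64 else 224
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x8664 if is_64 else 0x14C,
                       len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if is_64 else 0x10B)  # PE32+ / PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    sections, rva = b"", 0x1000
    for name in section_names:
        sections += struct.pack("<8sIIIIIIHHI", name, 0x1000, rva, 0x1000, 0, 0, 0, 0, 0, SEC_CODE_XR)
        rva += 0x1000
    return bytes(dos) + coff + bytes(opt) + sections


def parse_pe(pe):
    """Return (entry_point_rva, [(section_name, virtual_address, virtual_size), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", pe, opt_off + 16)[0]  # same offset in PE32 and PE32+
    sec_off = opt_off + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr = struct.unpack_from("<8sII", pe, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vaddr, vsize))
    return entry, sections


def upx_verdict(pe):
    """'upx' when UPX0/UPX1 exist and the entry point lies inside UPX1 (UPX puts its
    decompression stub at the end of UPX1); 'upx-sections-only' when only the names
    match; 'clean' otherwise. Renamed sections defeat the check, so 'clean' means
    'no evidence', not 'not packed'."""
    entry, sections = parse_pe(pe)
    if not {"UPX0", "UPX1"} <= {name for name, _, _ in sections}:
        return "clean"
    for name, vaddr, vsize in sections:
        if name == "UPX1" and vaddr <= entry < vaddr + vsize:
            return "upx"
    return "upx-sections-only"


def upx_verdict_file(path):
    """Apply the check to a file on disk."""
    with open(path, "rb") as f:
        return upx_verdict(f.read())


if __name__ == "__main__":
    packed = build_pe([b"UPX0", b"UPX1", b".rsrc"], entry_rva=0x2F80)
    normal = build_pe([b".text", b".rdata", b".data"], entry_rva=0x1200)
    print(upx_verdict(packed), upx_verdict(normal))
```

Point upx_verdict_file at the dropped files from a run to triage them in bulk; a hit is only a prompt to unpack (upx -d works on unmodified UPX output) and hash the unpacked image, since the on-disk hashes of the 21 copies above all differ.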
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 14:35
Reported
2024-06-29 14:38
Platform
win7-20240508-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; description, indicator, process and target were not captured in this export.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches recorded; description, indicator, process and target were not captured in this export.
UPX dump on OEP (original entry point)
53 matches recorded; description, indicator, process and target were not captured in this export.
XMRig Miner payload
57 matches recorded; description, indicator, process and target were not captured in this export.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\eyhCbBZ.exe | N/A |
| N/A | N/A | C:\Windows\System\pwsNBrl.exe | N/A |
| N/A | N/A | C:\Windows\System\yYhkEnp.exe | N/A |
| N/A | N/A | C:\Windows\System\hVoluqX.exe | N/A |
| N/A | N/A | C:\Windows\System\tgPobZI.exe | N/A |
| N/A | N/A | C:\Windows\System\RJudDAN.exe | N/A |
| N/A | N/A | C:\Windows\System\uQwqEbT.exe | N/A |
| N/A | N/A | C:\Windows\System\rfJkERE.exe | N/A |
| N/A | N/A | C:\Windows\System\zFVMZuG.exe | N/A |
| N/A | N/A | C:\Windows\System\XFiutRe.exe | N/A |
| N/A | N/A | C:\Windows\System\vgJEKpb.exe | N/A |
| N/A | N/A | C:\Windows\System\mqBMjgf.exe | N/A |
| N/A | N/A | C:\Windows\System\prrQvDJ.exe | N/A |
| N/A | N/A | C:\Windows\System\gzBZrml.exe | N/A |
| N/A | N/A | C:\Windows\System\lfIyIvG.exe | N/A |
| N/A | N/A | C:\Windows\System\OsYKDPt.exe | N/A |
| N/A | N/A | C:\Windows\System\WAVurIN.exe | N/A |
| N/A | N/A | C:\Windows\System\SGSAXhu.exe | N/A |
| N/A | N/A | C:\Windows\System\zKkYMut.exe | N/A |
| N/A | N/A | C:\Windows\System\CtSkQTX.exe | N/A |
| N/A | N/A | C:\Windows\System\LttLIUC.exe | N/A |
Loads dropped DLL
UPX packed file
53 matches recorded; description, indicator, process and target were not captured in this export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\eyhCbBZ.exe | C:\Windows\System\eyhCbBZ.exe |
| C:\Windows\System\pwsNBrl.exe | C:\Windows\System\pwsNBrl.exe |
| C:\Windows\System\yYhkEnp.exe | C:\Windows\System\yYhkEnp.exe |
| C:\Windows\System\hVoluqX.exe | C:\Windows\System\hVoluqX.exe |
| C:\Windows\System\tgPobZI.exe | C:\Windows\System\tgPobZI.exe |
| C:\Windows\System\RJudDAN.exe | C:\Windows\System\RJudDAN.exe |
| C:\Windows\System\uQwqEbT.exe | C:\Windows\System\uQwqEbT.exe |
| C:\Windows\System\rfJkERE.exe | C:\Windows\System\rfJkERE.exe |
| C:\Windows\System\zFVMZuG.exe | C:\Windows\System\zFVMZuG.exe |
| C:\Windows\System\XFiutRe.exe | C:\Windows\System\XFiutRe.exe |
| C:\Windows\System\vgJEKpb.exe | C:\Windows\System\vgJEKpb.exe |
| C:\Windows\System\mqBMjgf.exe | C:\Windows\System\mqBMjgf.exe |
| C:\Windows\System\prrQvDJ.exe | C:\Windows\System\prrQvDJ.exe |
| C:\Windows\System\gzBZrml.exe | C:\Windows\System\gzBZrml.exe |
| C:\Windows\System\lfIyIvG.exe | C:\Windows\System\lfIyIvG.exe |
| C:\Windows\System\OsYKDPt.exe | C:\Windows\System\OsYKDPt.exe |
| C:\Windows\System\WAVurIN.exe | C:\Windows\System\WAVurIN.exe |
| C:\Windows\System\SGSAXhu.exe | C:\Windows\System\SGSAXhu.exe |
| C:\Windows\System\zKkYMut.exe | C:\Windows\System\zKkYMut.exe |
| C:\Windows\System\CtSkQTX.exe | C:\Windows\System\CtSkQTX.exe |
| C:\Windows\System\LttLIUC.exe | C:\Windows\System\LttLIUC.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
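In this run the parent writes 21 executables with random seven-letter names into C:\Windows\System\, executes each one, enables SeLockMemoryPrivilege twice (the privilege XMRig requests for large-page memory), and repeatedly connects to 3.120.209.58:8080. The detection below is an added example, not part of the report or of any vendor's rule set: it runs four checks over simplified, constructed event records (one dict per event, not Sysmon's or the Windows Security log's schema) and ships with a handful of events mirroring this run plus two benign ones. The seven-letter name pattern is a heuristic derived from this sample alone, and the SeLockMemoryPrivilege allowlist is a site-specific assumption left empty here.

```python
import re
from collections import Counter, defaultdict

# Indicators taken from the report: the C2 endpoint seen in both runs, and the drop
# directory plus naming scheme of the 21 executed payload copies.
C2_ENDPOINTS = {("3.120.209.58", 8080)}
DROP_DIR = "c:\\windows\\system\\"
RANDOM_EXE = re.compile(r"^[a-z]{7}\.exe$", re.IGNORECASE)  # heuristic from this sample's names
# Images allowed to hold SeLockMemoryPrivilege (large pages). Site-specific assumption:
# fill from your own baseline (database engines and the like); left empty here.
LOCK_MEMORY_ALLOWLIST = set()
MASS_DROP_THRESHOLD = 5  # distinct payload copies one parent may launch before alerting


def is_random_exe_in_drop_dir(image):
    """True for an executable directly under C:\\Windows\\System\\ with a 7-letter name."""
    image = image.lower()
    if not image.startswith(DROP_DIR):
        return False
    tail = image[len(DROP_DIR):]
    return "\\" not in tail and RANDOM_EXE.match(tail) is not None


def analyze(events):
    """Run the checks over simplified event dicts (constructed schema, not Sysmon's)
    and return a list of (rule, detail) alerts."""
    alerts, children = [], defaultdict(set)
    for e in events:
        if e["type"] == "process_create":
            if is_random_exe_in_drop_dir(e["image"]):
                alerts.append(("random_exe_in_windows_system", e["image"]))
                children[e["parent_image"]].add(e["image"].lower())
        elif e["type"] == "privilege_adjust":
            if "SeLockMemoryPrivilege" in e["enabled"] and e["image"].lower() not in LOCK_MEMORY_ALLOWLIST:
                alerts.append(("selockmemory_enabled", e["image"]))
        elif e["type"] == "network_connect":
            if (e["dst_ip"], e["dst_port"]) in C2_ENDPOINTS:
                alerts.append(("known_c2_endpoint", f"{e['dst_ip']}:{e['dst_port']}"))
    for parent, kids in children.items():
        if len(kids) >= MASS_DROP_THRESHOLD:
            alerts.append(("mass_dropper_parent", f"{parent} launched {len(kids)} payload copies"))
    return alerts


def alert_counts(alerts):
    """Number of alerts per rule."""
    return Counter(rule for rule, _ in alerts)


PARENT = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-29_f7f6f9f9302926b518975b7a884e32f2"
          "_cobalt-strike_cobaltstrike_poet-rat.exe")
# Constructed events mirroring the behavioral1 run (plus two benign ones); not a real log.
SAMPLE_EVENTS = [
    {"type": "privilege_adjust", "image": PARENT, "enabled": ["SeLockMemoryPrivilege"]},
    *[{"type": "process_create", "image": "C:\\Windows\\System\\" + n + ".exe", "parent_image": PARENT}
      for n in ("eyhCbBZ", "pwsNBrl", "yYhkEnp", "hVoluqX", "tgPobZI")],
    {"type": "process_create", "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"type": "network_connect", "image": PARENT, "dst_ip": "3.120.209.58", "dst_port": 8080},
    {"type": "network_connect", "image": "C:\\Windows\\System32\\svchost.exe",
     "dst_ip": "13.107.21.237", "dst_port": 443},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

The C2 match is the brittle check (the address can change between builds); the privilege and mass-drop checks describe behaviour that a miner dropped this way has to exhibit, and they fire on the first copies before the full set of 21 is written.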
Files
memory/2128-0-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2128-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\eyhCbBZ.exe
| MD5 | 59c4be5c1ff3d1145e458bec3a33335e |
| SHA1 | bbb9f57287c1781761a985a4244a14b5668bb8c6 |
| SHA256 | e417df9a947719386aaa3bd49f8f5348ccfb20f2b93be86e62fe0c1c5fec9f80 |
| SHA512 | 3c231bd30c8e86303059bb4debfa8fadb4db30f39fe1c9ee44b3c0fa3db7536b5e4f4021f55009f669598ad84eef9bcc6ed7f169de24327f0c37017bae1a5533 |
\Windows\system\pwsNBrl.exe
| MD5 | f712c5f429648f0f76fa11ed09b91719 |
| SHA1 | 7a6b25ee477462274f59c5ebd835035ecd895bf4 |
| SHA256 | 6c1e1a9405b2c5a30b81fb2916891ed30b018923640d4645e375210b34cb5fc8 |
| SHA512 | e79eb3664dc0c25608218895ed9f8fbbfb1c36a561d9e912b275857522dbac97ef002852d144eff458f8f7885791c75b036fb6452ececbaab0a32ec5d2439012 |
\Windows\system\yYhkEnp.exe
| MD5 | ce88959ff01b99648b309ef849c1308d |
| SHA1 | f86e3e09b0219ede6bb05b8743c46505c93eb50e |
| SHA256 | 6493cccf6a0cd834a01c79164668fdfcc90068b72efedc1c6ec3d45e76df222f |
| SHA512 | 8deaaf99dacca6ef385ce19c89366e7254c372ca21f66a3fdd8d5dc02ff2bff94890d2bf1f18e95676172032daced2fad5ca7eaf837203b30187bd9bc2ab188a |
memory/344-22-0x000000013F840000-0x000000013FB94000-memory.dmp
\Windows\system\hVoluqX.exe
| MD5 | 06c934f618138fc3f7844854ad111b90 |
| SHA1 | 27a5e9f7a6fa3e985905e2ac23c2a880bc29cacf |
| SHA256 | d3fc7dbe97c28deff80d2d0de36ea5e3cac0fa3b58d559a386b45a544e9d6c60 |
| SHA512 | 2e9d2cd82ec611bad64dc006a149f25ffb48c6967ae0b765bb4b1636652ad65de0387200ad3b779a69b9c6bc8966dc204867abe8cff54d05c8ca7f6a2ae47895 |
memory/1716-26-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2128-36-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2128-35-0x000000013FA80000-0x000000013FDD4000-memory.dmp
C:\Windows\system\RJudDAN.exe
| MD5 | d3625746ea7be5b3be57a5678b685c17 |
| SHA1 | 6138c22a8b246af8c23350ec92f248704297c112 |
| SHA256 | c84d880170fe8e1f32d07b0ea6876dfefa1e15a97ea35d3a4f38c54c40537fec |
| SHA512 | b92d01f238e90a762fa0d2fcacf8d91f35a3f96c81cd767796e7bf33e163b1b42fac25d8f9d7699288e775873a8888adaa09df0e09e36589b1acca9ac34c066a |
memory/2812-43-0x000000013F2E0000-0x000000013F634000-memory.dmp
C:\Windows\system\uQwqEbT.exe
| MD5 | fe827197bf7bc60a31acba3503d9b4ff |
| SHA1 | c7b29596cb64413061e2b1952777e2ed2f872a23 |
| SHA256 | b5bd6bc0b34fcdbde659680c798d175c7d0571021e7588a20b5523b81d651b3f |
| SHA512 | 7a0f7225492529256b031f6c25997fb7ab7b544b165d00b120d7b693128ee13ea2e03a78527bdba282640e63b933346322b36739d2722949b7252578372ab4d6 |
C:\Windows\system\rfJkERE.exe
| MD5 | ae0d08c66058b471ae230ad1dd2b4f2f |
| SHA1 | 829b11f6ac5933bb30c6baf3e07c1e1674b2e7e6 |
| SHA256 | 18617fbb07c86a4ec59e2863024f6ac4d05addfb45d91a06650b95b9e0918831 |
| SHA512 | 844a7f95de1b6780329c3e8d840e56bbc4726101c807c519c5be4d9dd322da9be5ec8632b1f45b2e672572e6b1366449aee5f00cc06056bd37abf0000057be98 |
memory/2128-57-0x0000000002310000-0x0000000002664000-memory.dmp
\Windows\system\XFiutRe.exe
| MD5 | bf17e7b09de403ceab1b34ff7d35b38e |
| SHA1 | 802173d3ff363cfc6f7c20b6eff620c24dd87058 |
| SHA256 | 8025f50e9853d3222aa7840daf0f1964270598cbb965112f415b3d19ecaf694f |
| SHA512 | 02e0f4984c7f256508f157dab23873baae2271a95918b37b14eede34c70f81fe5757570bf16815ace76197e49be942c5c6b508292407c4f2fccc25a8dee20409 |
memory/2824-72-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
C:\Windows\system\mqBMjgf.exe
| MD5 | c941b5e703190bb18777493774748ba4 |
| SHA1 | bc57a23c14446afdee919b760e2e93645652d6f2 |
| SHA256 | 76447a02a8b2bbe8ad7dfdbf8afdd76b38c878c5b01bab252b46ce39de3fee7e |
| SHA512 | c20fccd143dcbe2cf0f22519ecab36e97623c4edbf0a24d18ec5a02c9b7034a9f2113469067cb6f44b1119d0b04f2c75903e9b57497c0e0c5e7ef86179280d54 |
memory/2548-93-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
C:\Windows\system\OsYKDPt.exe
| MD5 | ad0e6b824c34f29424e82bbde3d6da8e |
| SHA1 | 32e1428f53bc0795c65b9afaa726eff0ba8c19b7 |
| SHA256 | dcf7b540c0b5fc7b68ec26ef2f3daad536a90d1ef418df86efd2947aedfa2909 |
| SHA512 | 337bd69bbe38696c1a33e70e4676a52dc6fd66e3f15c676f50e656814cdb19616ccd9c1b4f0a9b763517efe688866fd32d3e4f1f6d2b30158304cc1145a8af72 |
C:\Windows\system\CtSkQTX.exe
| MD5 | b22bc8c738cbaf78568bb7e7c425ffca |
| SHA1 | 2144e6f53610fdb5d26218d8c5ed71a910512a70 |
| SHA256 | 8f797006b5928be2da03358f5067036f6403b8121cf607714735906ea45b5ca5 |
| SHA512 | 40eead91048ea0ccd9433c9803cbdb167ffdd444e61f69fa8b5ca7cd4210c4f95342a3f288918957e92ad37847f26102ff6435229c1818aad1f65fdcae1826f6 |
C:\Windows\system\LttLIUC.exe
| MD5 | da1394d6f085c7a0655bf192de6e5792 |
| SHA1 | 662959bb76584f34fb05137dfe9d964f1ce22828 |
| SHA256 | b776411150521be9058878adb6aa4c9a0f419a4feb74bb8907d28d6624cc7ed4 |
| SHA512 | 2206deaf76159bd729643a2773f92f1c1259669b6a6d343fdb2b897c596abd3a62ed8ef648be5e851f12bb33fdecbffe207fe82c4bf77ec2d5ba5ec0155db027 |
C:\Windows\system\zKkYMut.exe
| MD5 | bf517b9538e50c2fd83b6a90065bd1aa |
| SHA1 | 36882d1590a0c817468535a30cfae51af5a59ef0 |
| SHA256 | 354ce775d696f33b906f787522e16d4cee65d20f08926f6f74c19f631c839a89 |
| SHA512 | 84fc06c745a68dc5d40c8654c43e2672181d75e201a5154f875277bfbc4b43daffbb76a3d77c1bc0e8f71c2ca6f8318e46ee4a37fd11ecb6ef58716325b51468 |
C:\Windows\system\SGSAXhu.exe
| MD5 | 441a9f512d27f55329b1e15dc6a60394 |
| SHA1 | 28bb8bc1a729e20bc3dc40c8275b591d81b532c1 |
| SHA256 | 9f4fbd346853fe5ad0d45108a519f224d8f61dbdac10ba06b21bead686c5317c |
| SHA512 | 7702e163f851b6e67045012505fa79bd4f98f149e23b30e6c2bf9207ee3c3f6318a69e9106a35fb8bca381ef12c86e6612cc02ae107c2552f9af169d0f4166ac |
C:\Windows\system\WAVurIN.exe
| MD5 | 50775246ae803655dd9f104d870e2987 |
| SHA1 | 3d01c872fb5692ffd00641f190cb281dd4037c5d |
| SHA256 | d9e457020cc30a80d9faf4e958e07de471c170bf58579aeb70b07e6ce9df68fc |
| SHA512 | 7f68005849b70a0bfc8617f8456553fcd9805c700225d2d21c4a6eb6d204e4a626b1bb3fb35678eadddb1c67087cc1f0066312a472bf2842c3c57f3d501836da |
memory/2128-106-0x000000013FD80000-0x00000001400D4000-memory.dmp
C:\Windows\system\lfIyIvG.exe
| MD5 | 3750ec1e9cc11da8e229d2537eaa36b0 |
| SHA1 | ee341ec7f2cdaf855c2216de33b0be5ff4066a91 |
| SHA256 | 94e87ba1e0a4192436f961c3b9fdc795b94c862b8700f1bcba8cbbeacaf5b6dc |
| SHA512 | a6c02a623c1d06393d37ac6c1b6c9cb9de6d1790336243751955b6f3ed04361c4a7f99106c1e6ece24f8a68564f0f83bd1ddbf1727d87ff500591fd66a618aa3 |
memory/1832-100-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2128-99-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2812-136-0x000000013F2E0000-0x000000013F634000-memory.dmp
C:\Windows\system\gzBZrml.exe
| MD5 | 106474fd0e9d4a779d76244a396c6546 |
| SHA1 | 989833b4f09165a6afaaddfaac5e8e88edcfb634 |
| SHA256 | e3e43922a9d5e28e9e772aa36e0cffc6a633bac65ff100267893f3d2f1d6d4c2 |
| SHA512 | 04eaab507ba49430b570efdee2980a7ffa39c4c579d9ac01f39d7167b2793363c136f79895e8881807e6b1a12593dfcb6621cee27b53dff67f56fce762a17c7f |
memory/2128-92-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2332-86-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2128-85-0x000000013F300000-0x000000013F654000-memory.dmp
C:\Windows\system\prrQvDJ.exe
| MD5 | faa6a3b5c842e291dcd9789044ac87b0 |
| SHA1 | 97ea2a823578c2c4bba32531afc9292ff374baa4 |
| SHA256 | 598a73dcd01d3216fdf436165cc48085141bd362b3ad77af7088d210d057882a |
| SHA512 | 51c1d8d480ef7600cdb19aec57683adec4c9a8aec5159b8685c9938678a1bfc4fa92b22585718d219edc762de4456ef0044a93a4edd0ef4c0e7ae707990e949a |
memory/2500-78-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2128-77-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
C:\Windows\system\vgJEKpb.exe
| MD5 | 0ae5b157635ff87f61e41388060df950 |
| SHA1 | 60e0e27c19a8955aef96981bca73c8ddf942a368 |
| SHA256 | 0278e0cef247085d88d0105abe5762a84e74309ea76064b4fa547d5787cf823c |
| SHA512 | 0332f384380ed8ba841a74eb3672d2d4e98132757dc696f454d4439c0b5eca5367cc57fa930e2fa0b8a6a4c1021c1874ea16d4d3bab417cc7fc90d13bce75a35 |
memory/2128-71-0x0000000002310000-0x0000000002664000-memory.dmp
memory/2700-65-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2128-64-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2696-58-0x000000013F230000-0x000000013F584000-memory.dmp
C:\Windows\system\zFVMZuG.exe
| MD5 | 779e0f85918f4670c3631a9fc1d78396 |
| SHA1 | c7f12fc80cf91bd5bbc0e3fc9055243af9f53e5b |
| SHA256 | b282e7b1636809a531b8c77764e90f36b9360425da2788ac0c48272f44788e07 |
| SHA512 | 3d35941ece088d7759e55dc15d16efb43824bfd648b2d215fb90b26b1333adac99106e455d3cb921a31fbaa36999932aecc67007004d8c69a8dc158570c0f90f |
memory/2636-51-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2128-50-0x0000000002310000-0x0000000002664000-memory.dmp
memory/2128-41-0x0000000002310000-0x0000000002664000-memory.dmp
memory/2828-40-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2448-34-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2128-33-0x0000000002310000-0x0000000002664000-memory.dmp
memory/1992-32-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2128-29-0x000000013F970000-0x000000013FCC4000-memory.dmp
C:\Windows\system\tgPobZI.exe
| MD5 | 236bb6603b471cd16ca8e1bba1ae2b9b |
| SHA1 | 11c826134fc192cdaad4b47a1b5f706b76c47eb9 |
| SHA256 | 1834c0d3f28b7687e512d75b8a66c640f863ff27d0c4033072c2636898c552b5 |
| SHA512 | 8b2e09b785be9765606d0e7d9ff5ba95f8e889169775119e57f4562ba5f2f76e8b1129bdde0bec03b145ef137bd81b17cf39b55fdee133cadeff61b2dd4615f0 |
memory/2128-18-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2128-137-0x0000000002310000-0x0000000002664000-memory.dmp
memory/2128-138-0x0000000002310000-0x0000000002664000-memory.dmp
memory/2500-139-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2128-140-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2128-141-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2128-142-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/344-143-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/1716-144-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/1992-145-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2448-146-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2828-147-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2636-149-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2812-148-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2696-150-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2700-151-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2824-152-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2500-153-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2332-154-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2548-155-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/1832-156-0x000000013FE20000-0x0000000140174000-memory.dmp
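The Files list above interleaves dropped-file hash tables with memory-dump records of the form memory/<pid>-<n>-<start>-<end>-memory.dmp. The parser below is an added example written for this report's layout, not a tool from the sandbox: it yields one record per dropped file (for a hash blocklist) and one per memory region, validates digest lengths, and histograms region sizes. Its input is an excerpt copied from the list above. Run over the full list, every region except memory/2128-1 (0x10000 bytes) comes out at 0x354000 bytes: each child process maps an image of identical size even though the 21 dropped files all have different hashes. Prefixing drive-less paths with C: is an assumption taken from the Processes list.

```python
import re
from collections import Counter

# Excerpt copied from the behavioral1 Files list above (same layout, a subset of the entries).
FILES_EXCERPT = r"""
memory/2128-0-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2128-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\eyhCbBZ.exe
| MD5 | 59c4be5c1ff3d1145e458bec3a33335e |
| SHA1 | bbb9f57287c1781761a985a4244a14b5668bb8c6 |
| SHA256 | e417df9a947719386aaa3bd49f8f5348ccfb20f2b93be86e62fe0c1c5fec9f80 |
| SHA512 | 3c231bd30c8e86303059bb4debfa8fadb4db30f39fe1c9ee44b3c0fa3db7536b5e4f4021f55009f669598ad84eef9bcc6ed7f169de24327f0c37017bae1a5533 |
\Windows\system\pwsNBrl.exe
| MD5 | f712c5f429648f0f76fa11ed09b91719 |
| SHA1 | 7a6b25ee477462274f59c5ebd835035ecd895bf4 |
| SHA256 | 6c1e1a9405b2c5a30b81fb2916891ed30b018923640d4645e375210b34cb5fc8 |
| SHA512 | e79eb3664dc0c25608218895ed9f8fbbfb1c36a561d9e912b275857522dbac97ef002852d144eff458f8f7885791c75b036fb6452ececbaab0a32ec5d2439012 |
memory/344-22-0x000000013F840000-0x000000013FB94000-memory.dmp
C:\Windows\system\RJudDAN.exe
| MD5 | d3625746ea7be5b3be57a5678b685c17 |
| SHA1 | 6138c22a8b246af8c23350ec92f248704297c112 |
| SHA256 | c84d880170fe8e1f32d07b0ea6876dfefa1e15a97ea35d3a4f38c54c40537fec |
| SHA512 | b92d01f238e90a762fa0d2fcacf8d91f35a3f96c81cd767796e7bf33e163b1b42fac25d8f9d7699288e775873a8888adaa09df0e09e36589b1acca9ac34c066a |
memory/2812-43-0x000000013F2E0000-0x000000013F634000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text, system_drive="C:"):
    """Split the Files list into dropped-file records and memory-region records.
    Paths without a drive letter get system_drive prepended (assumption: the sandbox's
    system drive is C:, as the Processes list shows)."""
    dropped, regions, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            if end <= start:
                raise ValueError(f"bad region bounds: {line}")
            regions.append({"pid": pid, "index": idx, "start": start, "end": end, "size": end - start})
            current = None  # a hash row after a memory record would be malformed
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding file path: {line}")
            algo, digest = m[1], m[2]
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest on {current['path']} has {len(digest)} hex chars")
            current[algo.lower()] = digest
            continue
        # Anything else is a dropped-file path, with or without a drive letter.
        normalized = system_drive + line if line.startswith("\\") else line
        current = {"path": line, "normalized": normalized}
        dropped.append(current)
    return dropped, regions


def region_size_histogram(regions):
    """How many dumped regions there are of each size."""
    return Counter(r["size"] for r in regions)


def pids_with_region_size(regions, size):
    """PIDs that mapped a region of exactly this size."""
    return sorted({r["pid"] for r in regions if r["size"] == size})


def blocklist(dropped, algo="sha256"):
    """Unique digests of the chosen algorithm, sorted, for a hash blocklist."""
    return sorted({d[algo] for d in dropped if algo in d})


if __name__ == "__main__":
    files, regions = parse_files_section(FILES_EXCERPT)
    print(region_size_histogram(regions))
    print("\n".join(blocklist(files)))
```

Paste the full Files list of either run into FILES_EXCERPT to get the complete blocklist and the per-PID region sizes; the same-size mapping in every child is the thing to dump and compare once the files are unpacked.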
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 14:35
Reported
2024-06-29 14:38
Platform
win10v2004-20240611-en
Max time kernel
138s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; description, indicator, process and target were not captured in this export.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches recorded; description, indicator, process and target were not captured in this export.
UPX dump on OEP (original entry point)
64 matches recorded; description, indicator, process and target were not captured in this export.
XMRig Miner payload
64 matches recorded; description, indicator, process and target were not captured in this export.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\hjBhuUS.exe | N/A |
| N/A | N/A | C:\Windows\System\JflNDSa.exe | N/A |
| N/A | N/A | C:\Windows\System\hQRPVxt.exe | N/A |
| N/A | N/A | C:\Windows\System\PdSwOSI.exe | N/A |
| N/A | N/A | C:\Windows\System\JHMjwyL.exe | N/A |
| N/A | N/A | C:\Windows\System\TbZRZhZ.exe | N/A |
| N/A | N/A | C:\Windows\System\EttbxQc.exe | N/A |
| N/A | N/A | C:\Windows\System\KvCoBTa.exe | N/A |
| N/A | N/A | C:\Windows\System\BhUbFUI.exe | N/A |
| N/A | N/A | C:\Windows\System\jozCCVH.exe | N/A |
| N/A | N/A | C:\Windows\System\SspVFkW.exe | N/A |
| N/A | N/A | C:\Windows\System\mQxDXGN.exe | N/A |
| N/A | N/A | C:\Windows\System\vAHbPJv.exe | N/A |
| N/A | N/A | C:\Windows\System\IFGvxRz.exe | N/A |
| N/A | N/A | C:\Windows\System\kLtvLKi.exe | N/A |
| N/A | N/A | C:\Windows\System\XQMOKzw.exe | N/A |
| N/A | N/A | C:\Windows\System\nAblNls.exe | N/A |
| N/A | N/A | C:\Windows\System\XCwAfFA.exe | N/A |
| N/A | N/A | C:\Windows\System\skklCNK.exe | N/A |
| N/A | N/A | C:\Windows\System\RdAONPc.exe | N/A |
| N/A | N/A | C:\Windows\System\WnBaPfb.exe | N/A |
UPX packed file
64 matches recorded; description, indicator, process and target were not captured in this export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\hjBhuUS.exe | C:\Windows\System\hjBhuUS.exe |
| C:\Windows\System\JflNDSa.exe | C:\Windows\System\JflNDSa.exe |
| C:\Windows\System\hQRPVxt.exe | C:\Windows\System\hQRPVxt.exe |
| C:\Windows\System\PdSwOSI.exe | C:\Windows\System\PdSwOSI.exe |
| C:\Windows\System\JHMjwyL.exe | C:\Windows\System\JHMjwyL.exe |
| C:\Windows\System\TbZRZhZ.exe | C:\Windows\System\TbZRZhZ.exe |
| C:\Windows\System\EttbxQc.exe | C:\Windows\System\EttbxQc.exe |
| C:\Windows\System\KvCoBTa.exe | C:\Windows\System\KvCoBTa.exe |
| C:\Windows\System\BhUbFUI.exe | C:\Windows\System\BhUbFUI.exe |
| C:\Windows\System\jozCCVH.exe | C:\Windows\System\jozCCVH.exe |
| C:\Windows\System\SspVFkW.exe | C:\Windows\System\SspVFkW.exe |
| C:\Windows\System\mQxDXGN.exe | C:\Windows\System\mQxDXGN.exe |
| C:\Windows\System\vAHbPJv.exe | C:\Windows\System\vAHbPJv.exe |
| C:\Windows\System\IFGvxRz.exe | C:\Windows\System\IFGvxRz.exe |
| C:\Windows\System\kLtvLKi.exe | C:\Windows\System\kLtvLKi.exe |
| C:\Windows\System\XQMOKzw.exe | C:\Windows\System\XQMOKzw.exe |
| C:\Windows\System\nAblNls.exe | C:\Windows\System\nAblNls.exe |
| C:\Windows\System\XCwAfFA.exe | C:\Windows\System\XCwAfFA.exe |
| C:\Windows\System\skklCNK.exe | C:\Windows\System\skklCNK.exe |
| C:\Windows\System\RdAONPc.exe | C:\Windows\System\RdAONPc.exe |
| C:\Windows\System\WnBaPfb.exe | C:\Windows\System\WnBaPfb.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
The six connections to 3.120.209.58:8080 (six in the Windows 7 run as well) are the only destination common to both runs; the 8.8.8.8 reverse lookups and the bing.com traffic carry no domain tied to the sample and are consistent with Windows 10 background activity.
Files