Analysis Overview
SHA256
250de0607d512c5ac99ec32e42f059119460410e33b4ac1f9b577a9a5d3325aa
Threat Level: Known bad
The file 2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Cobaltstrike
UPX dump on OEP (original entry point)
Cobaltstrike family
XMRig Miner payload
xmrig
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-30 05:48
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-30 05:48
Reported
2024-06-30 05:50
Platform
win7-20240611-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\urYTxdk.exe | N/A |
| N/A | N/A | C:\Windows\System\BPAelOJ.exe | N/A |
| N/A | N/A | C:\Windows\System\tHslcYK.exe | N/A |
| N/A | N/A | C:\Windows\System\UGUbgKV.exe | N/A |
| N/A | N/A | C:\Windows\System\HpejeBL.exe | N/A |
| N/A | N/A | C:\Windows\System\XJvrCCm.exe | N/A |
| N/A | N/A | C:\Windows\System\bxlqwNG.exe | N/A |
| N/A | N/A | C:\Windows\System\KoItgUY.exe | N/A |
| N/A | N/A | C:\Windows\System\rwoRiJx.exe | N/A |
| N/A | N/A | C:\Windows\System\FokpRNN.exe | N/A |
| N/A | N/A | C:\Windows\System\nBFOCfJ.exe | N/A |
| N/A | N/A | C:\Windows\System\kbZriLR.exe | N/A |
| N/A | N/A | C:\Windows\System\izIlmov.exe | N/A |
| N/A | N/A | C:\Windows\System\qSNKMMb.exe | N/A |
| N/A | N/A | C:\Windows\System\QEkEHdK.exe | N/A |
| N/A | N/A | C:\Windows\System\epyLJll.exe | N/A |
| N/A | N/A | C:\Windows\System\onXnVBY.exe | N/A |
| N/A | N/A | C:\Windows\System\iOeOkHP.exe | N/A |
| N/A | N/A | C:\Windows\System\kaVftuC.exe | N/A |
| N/A | N/A | C:\Windows\System\dcnXTxh.exe | N/A |
| N/A | N/A | C:\Windows\System\OzxenSF.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\urYTxdk.exe
C:\Windows\System\urYTxdk.exe
C:\Windows\System\BPAelOJ.exe
C:\Windows\System\BPAelOJ.exe
C:\Windows\System\tHslcYK.exe
C:\Windows\System\tHslcYK.exe
C:\Windows\System\UGUbgKV.exe
C:\Windows\System\UGUbgKV.exe
C:\Windows\System\HpejeBL.exe
C:\Windows\System\HpejeBL.exe
C:\Windows\System\XJvrCCm.exe
C:\Windows\System\XJvrCCm.exe
C:\Windows\System\bxlqwNG.exe
C:\Windows\System\bxlqwNG.exe
C:\Windows\System\FokpRNN.exe
C:\Windows\System\FokpRNN.exe
C:\Windows\System\KoItgUY.exe
C:\Windows\System\KoItgUY.exe
C:\Windows\System\nBFOCfJ.exe
C:\Windows\System\nBFOCfJ.exe
C:\Windows\System\rwoRiJx.exe
C:\Windows\System\rwoRiJx.exe
C:\Windows\System\kbZriLR.exe
C:\Windows\System\kbZriLR.exe
C:\Windows\System\izIlmov.exe
C:\Windows\System\izIlmov.exe
C:\Windows\System\QEkEHdK.exe
C:\Windows\System\QEkEHdK.exe
C:\Windows\System\qSNKMMb.exe
C:\Windows\System\qSNKMMb.exe
C:\Windows\System\onXnVBY.exe
C:\Windows\System\onXnVBY.exe
C:\Windows\System\epyLJll.exe
C:\Windows\System\epyLJll.exe
C:\Windows\System\kaVftuC.exe
C:\Windows\System\kaVftuC.exe
C:\Windows\System\iOeOkHP.exe
C:\Windows\System\iOeOkHP.exe
C:\Windows\System\dcnXTxh.exe
C:\Windows\System\dcnXTxh.exe
C:\Windows\System\OzxenSF.exe
C:\Windows\System\OzxenSF.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2056-0-0x000000013F410000-0x000000013F764000-memory.dmp
memory/2056-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\urYTxdk.exe
| MD5 | 26df69b71e06cc69f74256b3fa710687 |
| SHA1 | 43b8111eaf32443b9720d5dbb1917e5c02a83e5d |
| SHA256 | 00029b9e8f79c0ef4ec02a95c177198ec78d0fcafaa0909ebadbbab4c5342e28 |
| SHA512 | b4f3d561f0068a9b1e12da4d7fcf991bf328edc2d488c7277e1e1da68f1950539f9213f933a4ed285446f7f30f097eb59628112520c47325867fc5e33484a6bb |
\Windows\system\BPAelOJ.exe
| MD5 | d3dbf4b55a2ceed173d660c0f5b485e4 |
| SHA1 | 3d4341aee01228f715ccd88e7ba322909b75a7ac |
| SHA256 | 6f302bcce9e6c7213ed3e2b64ef11bba633379281f8da8265c99283998f52901 |
| SHA512 | 76658aa1b8d47c611aee1df0493a45bdd4da5bae2b14ceccb35f6250bd5fd1cd5c960db2a4b875a1f774710ce84b43b98eeb73e68f153c722d38d8a0262860b3 |
C:\Windows\system\UGUbgKV.exe
| MD5 | 19f5ef6486fbb1bdfd7c4cec9b267d75 |
| SHA1 | 007921b897fcca6c4e8e4c749587c0333998446e |
| SHA256 | 53b50034445532e73d803c1e0d6a24bd50e63c3a1289fac350bed78de4a72564 |
| SHA512 | 57defd6f56dff4a24c99606004ca88685839654043fa7c63a91b49eb2844b97821578136a54464c93b73f7bf23fc5436e8cd6b1c15687fd7e1e29a9c1f4212dc |
memory/2056-26-0x0000000002300000-0x0000000002654000-memory.dmp
memory/2056-25-0x000000013FFF0000-0x0000000140344000-memory.dmp
\Windows\system\HpejeBL.exe
| MD5 | bcc5808dffe6107e3761fd72275625b9 |
| SHA1 | c46071722c332e1157db7f8043257a23cb2e41d6 |
| SHA256 | a6c10f22bd66c3690e648a189f73543e7112a6cddee0d6180b2c44f99d577438 |
| SHA512 | 16f3af726f115cdf4f64701feb642f3b192ab1fc06ca5807fd95210c65826e9d2a4bbf2f785845782dd7bceceae5e050da08817f8c38e2a47448f03309ca70ef |
C:\Windows\system\tHslcYK.exe
| MD5 | dc702388fa84a533a3e3958045320fe9 |
| SHA1 | 906d23f479052062d60e449a06eeda9c177ef054 |
| SHA256 | c9edb9431296fd1bfb3a9f80dad73317d44f6a8962639f607781b34a21008ffd |
| SHA512 | 577178193fa6fd68098c4545bae8a038b20f296d2a02c0d3801cbef3d4fabb7cac484e82f19b8e71918774efa0aeba11f63e5711193409cb2a92be8d28cd03e5 |
memory/1508-15-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2056-37-0x0000000002300000-0x0000000002654000-memory.dmp
\Windows\system\XJvrCCm.exe
| MD5 | b2d715a04232d421600c0a5ceedd548c |
| SHA1 | 1f926ee8177f7b17ac8b4312f1a9b218c6560088 |
| SHA256 | 0c4ed3962fec6504a3c59998cba8e2935f78084c69ecefd839997f4130b87bf8 |
| SHA512 | ffa7b8074a35856cad43dc875ff9978c6ec3b96c651bb2c6ae9173999457b7817d28d859a176782d0c04ebd0bdb77bcbc125f767fda09368eb62d30293413531 |
\Windows\system\bxlqwNG.exe
| MD5 | 5bc6ac7485f3aa6175d41ed132fd54ac |
| SHA1 | 1574189bf7a1197c9db9587b4015c458a58950aa |
| SHA256 | 40539fa92e41443f48dc8805c8cf0643b608c6cb5bcc875442930a4b1008697a |
| SHA512 | 35e8b8c0052d0312b37c908602de061c2add5bad298a4bd5f7a50eb4a42b0a3952c8bc88f70f9a019a66f51b59c65799c4e426fdd8db69afed8f5ce976d09a4f |
memory/2744-42-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2692-35-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2580-34-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2024-33-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2968-32-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2056-31-0x0000000002300000-0x0000000002654000-memory.dmp
memory/2624-56-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2800-78-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2056-83-0x000000013F410000-0x000000013F764000-memory.dmp
C:\Windows\system\epyLJll.exe
| MD5 | f3c6afeb3cd897549410a1e88b618d2c |
| SHA1 | 48639dcf8d31f6ede1dc3f9d7d97f8b4cb930838 |
| SHA256 | c7bcb953253cc1b020013ee85cca71f90201b928628905c702902c8f3807f343 |
| SHA512 | 015485ec8d6a99a222672e7c81f01b1eb1619168cb0839c4b7257f992645a09c2d6e8ee6ef80659131925864c4b13ce6c5072e9e257ca01dce361fcaae7d3a85 |
C:\Windows\system\onXnVBY.exe
| MD5 | f5aa52dd1ac9089b9421ce8948a91173 |
| SHA1 | 6e342dff6ba55fc05ecb60b84e413dde1eafd1ab |
| SHA256 | a58422b21fc859b9bd31abcfa05374a45527b114c1286f0fa3287108392244c8 |
| SHA512 | 821db3449bfa79d3f081dd8d7acebade34850f2d7d288e6fe23949a85a0e5a72f00ccb2fa1f24b552f07a6c53c97d60acc15b47219c3c4565a369ddb4df48cf4 |
C:\Windows\system\dcnXTxh.exe
| MD5 | 16ba6e151b32abbfa6328ed37cd9403d |
| SHA1 | 3ff5f0463e3f2efd186f4aeb1849d9cd85a16c67 |
| SHA256 | 16cfc2c65b16ad9d2f97a2f2edbae82b28426294f64dec03b958fb2b355f517f |
| SHA512 | ba8f3ba785c934e8a09b20f2442a09d544b13aa74654f2cdb2cb15baa7479acf0044a7ec9659cf8eb6f532e18a3e3e438bb8d92e6820978ade6cbafa13d978bc |
C:\Windows\system\OzxenSF.exe
| MD5 | 7d0cadc7edb1c4b76f079036a601eff4 |
| SHA1 | c9bd96de73526af92aea2a977185e45b498b890b |
| SHA256 | bb49977b477b0564d6b095ebbdba1488963bbba66d04b355b1aaa0fbf4a88654 |
| SHA512 | 6ec9a44c4dca9791f32373d51905f9d56b22f76cb97c4b5b17a100566ba6a573885c610103f8bba835b4fc8edf6cf86c7559eb764be22ecdfb6420759493a2dd |
\Windows\system\kaVftuC.exe
| MD5 | f160fc30d29637ecc64c0d437d08d6ae |
| SHA1 | ec6c19af1d8188144aa934ef9376c08d18411eea |
| SHA256 | 637ecb65206cc3cde881c26625c7c5fe2073586e5ed56638ee6d624ea6d0de5f |
| SHA512 | 362b2089dc70346b29ca6677abec976c9ddc314b2ffce0868bafa9e16ce9996c6f274b9b41ec90f649c01f607e6ecf405fbfee6c6eff1cc85b92e9c97f247a47 |
C:\Windows\system\iOeOkHP.exe
| MD5 | fa4e54d2648a99cbc618513f5d11ade5 |
| SHA1 | b3928dfabd1c6790a5ce44733cc9a8f22ae4815e |
| SHA256 | 784724129cbe2b9b4e34fbd803deeb166dfbedd477ed55339c102b016a32a867 |
| SHA512 | 0b86c338c9f7c89b43646c57cd80504d9f01777b8ca9c136fc84d3aec0608d38cd317963e837cac9202afabbf71071e932ba5a5b64c59ca69e46f97b98a88135 |
memory/2384-108-0x000000013F400000-0x000000013F754000-memory.dmp
\Windows\system\QEkEHdK.exe
| MD5 | 5d53d8bc037febba3268929428439cae |
| SHA1 | a911f184daf51d1f8e5bf759f23478b22c5c2a16 |
| SHA256 | 1ea2754bedd4c2087c725bfdd6aa87fb731251b4f47fb9050bf7668aa8d02208 |
| SHA512 | 42e8060d79d032b9f5635a1b69a8d24313aa8318a03c00a42491931ac81d927f1fc210a0844b7b5533aac28f7fed4b32344b8f5aa2706697a232746775ef0db8 |
C:\Windows\system\qSNKMMb.exe
| MD5 | feb34df9370342533b382949c4247ef3 |
| SHA1 | 54675ddc915da659a6e35df5d8310f3adca397e3 |
| SHA256 | 9effc0ee47245d93d25129cacfadf4e0435932d5af5e855b55f295196fdf55b6 |
| SHA512 | c9c75dbd857e67c6ee5a1d7764cb95724c23e54b842970d0874f58c5832031654d0f32f235e35ced8413c0244a602cc5e67d9fdc0b7373ae5cd3ebf11b932259 |
memory/2056-97-0x0000000002300000-0x0000000002654000-memory.dmp
memory/2576-84-0x000000013FAB0000-0x000000013FE04000-memory.dmp
C:\Windows\system\kbZriLR.exe
| MD5 | 296715622d8cf042f67e184e8682bb76 |
| SHA1 | 1b2bda9c527dd3ce2d3eb505c42887d21cf75b9a |
| SHA256 | 720731c09adff9e773c4f56d83463d72b148c04ead70e291ab070b0ba05b78ae |
| SHA512 | 789002e1e2f07dddf59b00dd8ca8a35e8e7e49bad4357e3e1d4e7518526b259e27abfcffcf18a5b69b4c9d48dc8dda80af1877555a27bd2b47a9af32a084eb51 |
memory/2056-96-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2960-95-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2056-94-0x000000013FAC0000-0x000000013FE14000-memory.dmp
C:\Windows\system\izIlmov.exe
| MD5 | ace0cc55def04d14c8987ef26ba2b3a4 |
| SHA1 | f91234bd6c8927fbc1dba5c558a57c8e6ca8ae36 |
| SHA256 | f8a2547fc1e5e13f1296e051954ebaed9bb0588b749b500d7d967673bc7d85fa |
| SHA512 | e27e1b7e2291629832bd7d1ae904dca2b15e934603eff1263e1e66b5b4b6cd6db5e0cca86fb19ed50a35bcb1a9e3af9445d873f34071d3bd16fb77b94e1895a3 |
memory/2056-79-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2876-77-0x000000013FD90000-0x00000001400E4000-memory.dmp
\Windows\system\nBFOCfJ.exe
| MD5 | 3e0258c0af37276f478d475cc8b72485 |
| SHA1 | 40fc5e3eed394a18d64bd9af2593cf2861aa4779 |
| SHA256 | 65a90d8ee7e53c57cb1b9d4bc2b517a47dbda0f7b35d039ed1625e6d9a8bd30b |
| SHA512 | 1bad727bd6f00a3985dc1801fd2005cb7310012cd1067394f5e1f16fe7415d16540ea72c79a1407c1c90293ecef40b8b9682d36aad29cd62344a320ff6002254 |
\Windows\system\FokpRNN.exe
| MD5 | 898792cf21a74f2aed392a48d3b2ebb6 |
| SHA1 | d402ace95e4068e9fd2c83b8a01f2c85031af49d |
| SHA256 | b4d2e909828b4f770342f07a8f5f16cbba31dd43f39dae1fc40f3c3bffde7f67 |
| SHA512 | 019e19d29207d804ea919cbadf2f1fa6298663783959fff1156548a82c0b8e35f91142d498c51e279238490f338d825841865ca83b0d991a3031a98badde484d |
memory/2260-70-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2672-67-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2056-66-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2056-65-0x0000000002300000-0x0000000002654000-memory.dmp
memory/2056-64-0x000000013FA80000-0x000000013FDD4000-memory.dmp
C:\Windows\system\rwoRiJx.exe
| MD5 | 990c3d5ebf3e4e80cdadef8ce6e67ccc |
| SHA1 | 604fc9b3f03f51f7dbc2ca36725ed2939117ed17 |
| SHA256 | d5e89375c86bce46d9c3f940a864ac83cfce142a0d532eae20dab9849e29982b |
| SHA512 | 33eda170d6762acb8ad07c6743a893db54a086acd45d677b2b2aa44e85ad6d305990d3acbc324e2e6de30457292007e1277c7fb247819369c91e58c0225ce34b |
C:\Windows\system\KoItgUY.exe
| MD5 | 87ec3a92b99dae2a98ef8ec65a43f8fa |
| SHA1 | bb86151ef824fa8a271ecbe8087ca260d7dd8dfb |
| SHA256 | 0af609251778387bd9eb251cd06ee5065a494d1a758e3903b6a51adeb2ac9955 |
| SHA512 | f20d5eb12bca0111f3a852a0e1e5d4eac2b8a658835ca980bfd385a386604e1cdfe21ea33de0a049f586b5a1f04da3552a2d7f346d8e55d4b2a793816b4ab5af |
memory/2056-61-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/2056-134-0x0000000002300000-0x0000000002654000-memory.dmp
memory/2672-135-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2260-136-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2056-137-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2056-138-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/1508-139-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2968-141-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2024-140-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2692-142-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2580-143-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2744-144-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2624-145-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2672-146-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2260-147-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2800-149-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2876-148-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/2576-150-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2960-151-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2384-152-0x000000013F400000-0x000000013F754000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-30 05:48
Reported
2024-06-30 05:50
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\urYTxdk.exe | N/A |
| N/A | N/A | C:\Windows\System\BPAelOJ.exe | N/A |
| N/A | N/A | C:\Windows\System\tHslcYK.exe | N/A |
| N/A | N/A | C:\Windows\System\UGUbgKV.exe | N/A |
| N/A | N/A | C:\Windows\System\HpejeBL.exe | N/A |
| N/A | N/A | C:\Windows\System\XJvrCCm.exe | N/A |
| N/A | N/A | C:\Windows\System\bxlqwNG.exe | N/A |
| N/A | N/A | C:\Windows\System\FokpRNN.exe | N/A |
| N/A | N/A | C:\Windows\System\KoItgUY.exe | N/A |
| N/A | N/A | C:\Windows\System\nBFOCfJ.exe | N/A |
| N/A | N/A | C:\Windows\System\rwoRiJx.exe | N/A |
| N/A | N/A | C:\Windows\System\kbZriLR.exe | N/A |
| N/A | N/A | C:\Windows\System\izIlmov.exe | N/A |
| N/A | N/A | C:\Windows\System\QEkEHdK.exe | N/A |
| N/A | N/A | C:\Windows\System\qSNKMMb.exe | N/A |
| N/A | N/A | C:\Windows\System\onXnVBY.exe | N/A |
| N/A | N/A | C:\Windows\System\epyLJll.exe | N/A |
| N/A | N/A | C:\Windows\System\kaVftuC.exe | N/A |
| N/A | N/A | C:\Windows\System\iOeOkHP.exe | N/A |
| N/A | N/A | C:\Windows\System\dcnXTxh.exe | N/A |
| N/A | N/A | C:\Windows\System\OzxenSF.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\urYTxdk.exe
C:\Windows\System\urYTxdk.exe
C:\Windows\System\BPAelOJ.exe
C:\Windows\System\BPAelOJ.exe
C:\Windows\System\tHslcYK.exe
C:\Windows\System\tHslcYK.exe
C:\Windows\System\UGUbgKV.exe
C:\Windows\System\UGUbgKV.exe
C:\Windows\System\HpejeBL.exe
C:\Windows\System\HpejeBL.exe
C:\Windows\System\XJvrCCm.exe
C:\Windows\System\XJvrCCm.exe
C:\Windows\System\bxlqwNG.exe
C:\Windows\System\bxlqwNG.exe
C:\Windows\System\FokpRNN.exe
C:\Windows\System\FokpRNN.exe
C:\Windows\System\KoItgUY.exe
C:\Windows\System\KoItgUY.exe
C:\Windows\System\nBFOCfJ.exe
C:\Windows\System\nBFOCfJ.exe
C:\Windows\System\rwoRiJx.exe
C:\Windows\System\rwoRiJx.exe
C:\Windows\System\kbZriLR.exe
C:\Windows\System\kbZriLR.exe
C:\Windows\System\izIlmov.exe
C:\Windows\System\izIlmov.exe
C:\Windows\System\QEkEHdK.exe
C:\Windows\System\QEkEHdK.exe
C:\Windows\System\qSNKMMb.exe
C:\Windows\System\qSNKMMb.exe
C:\Windows\System\onXnVBY.exe
C:\Windows\System\onXnVBY.exe
C:\Windows\System\epyLJll.exe
C:\Windows\System\epyLJll.exe
C:\Windows\System\kaVftuC.exe
C:\Windows\System\kaVftuC.exe
C:\Windows\System\iOeOkHP.exe
C:\Windows\System\iOeOkHP.exe
C:\Windows\System\dcnXTxh.exe
C:\Windows\System\dcnXTxh.exe
C:\Windows\System\OzxenSF.exe
C:\Windows\System\OzxenSF.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,5229431749694857451,16836185654682871752,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
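The Network table above contains six TCP connections to 3.120.209.58:8080 with no domain attached, next to ordinary Bing traffic that the sandbox either resolved by name or reverse-resolved with an in-addr.arpa query. The Python below is an added example, not part of the sandbox report or its tooling: it parses rows in the report's own table format and flags destinations that are contacted repeatedly over TCP on a non-web port while no forward or reverse name for the address appears anywhere in the capture. That is the shape Cobalt Strike beaconing usually has in a table like this, but treating the 3.120.209.58 traffic as beaconing is an inference from the pattern, not something the report states; the repeat threshold and the web-port list are assumptions of the example, and the embedded rows are a subset copied from the table.

```python
import re
from collections import Counter

# Rows copied from the Network table of this report (a subset). Column order
# is Country | Destination | Domain | Proto; Domain is empty for the
# direct-to-IP TCP connections.
REPORT_NETWORK_ROWS = """
| US | 8.8.8.8:53 | g.bing.com | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
"""

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<dst>[^|]+?)\s*\|\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>\w+)\s*\|$"
)
PTR_SUFFIX = ".in-addr.arpa"
WEB_PORTS = {80, 443}  # assumption: bare-IP connections on these ports are less remarkable


def parse_rows(text):
    """Parse report-style table rows into dicts with cc, ip, port, domain, proto."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or separator line
        ip, port = m["dst"].rsplit(":", 1)
        rows.append({"cc": m["cc"], "ip": ip, "port": int(port),
                     "domain": m["domain"], "proto": m["proto"]})
    return rows


def resolved_ips(rows):
    """Addresses the capture can put a name to: TCP rows that carry a hostname,
    plus any address the sandbox reverse-resolved through an in-addr.arpa query."""
    known = set()
    for r in rows:
        if r["proto"] == "tcp" and r["domain"]:
            known.add(r["ip"])
        elif r["domain"].endswith(PTR_SUFFIX):
            octets = r["domain"][: -len(PTR_SUFFIX)].split(".")
            known.add(".".join(reversed(octets)))  # PTR name is the IP reversed
    return known


def beacon_candidates(rows, min_repeats=3):
    """(ip, port) pairs hit at least min_repeats times over TCP, on a non-web
    port, with no name for the address anywhere in the capture."""
    known = resolved_ips(rows)
    counts = Counter(
        (r["ip"], r["port"]) for r in rows
        if r["proto"] == "tcp" and r["port"] not in WEB_PORTS and r["ip"] not in known
    )
    return sorted(key for key, n in counts.items() if n >= min_repeats)


if __name__ == "__main__":
    for ip, port in beacon_candidates(parse_rows(REPORT_NETWORK_ROWS)):
        print(f"beacon-like: {ip}:{port}")
```

The reverse-lookup check matters: the sandbox issued PTR queries for the Bing addresses it touched, so a bare-IP row is only suspicious when neither a hostname nor a PTR query exists for it. Feed the function a full connection log rather than this excerpt and raise min_repeats to suit the capture length.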
Files
memory/232-0-0x00007FF7BD2A0000-0x00007FF7BD5F4000-memory.dmp
memory/232-1-0x000001FE7BC70000-0x000001FE7BC80000-memory.dmp
C:\Windows\System\urYTxdk.exe
| MD5 | 26df69b71e06cc69f74256b3fa710687 |
| SHA1 | 43b8111eaf32443b9720d5dbb1917e5c02a83e5d |
| SHA256 | 00029b9e8f79c0ef4ec02a95c177198ec78d0fcafaa0909ebadbbab4c5342e28 |
| SHA512 | b4f3d561f0068a9b1e12da4d7fcf991bf328edc2d488c7277e1e1da68f1950539f9213f933a4ed285446f7f30f097eb59628112520c47325867fc5e33484a6bb |
memory/2696-6-0x00007FF706E30000-0x00007FF707184000-memory.dmp
C:\Windows\System\tHslcYK.exe
| MD5 | dc702388fa84a533a3e3958045320fe9 |
| SHA1 | 906d23f479052062d60e449a06eeda9c177ef054 |
| SHA256 | c9edb9431296fd1bfb3a9f80dad73317d44f6a8962639f607781b34a21008ffd |
| SHA512 | 577178193fa6fd68098c4545bae8a038b20f296d2a02c0d3801cbef3d4fabb7cac484e82f19b8e71918774efa0aeba11f63e5711193409cb2a92be8d28cd03e5 |
C:\Windows\System\BPAelOJ.exe
| MD5 | d3dbf4b55a2ceed173d660c0f5b485e4 |
| SHA1 | 3d4341aee01228f715ccd88e7ba322909b75a7ac |
| SHA256 | 6f302bcce9e6c7213ed3e2b64ef11bba633379281f8da8265c99283998f52901 |
| SHA512 | 76658aa1b8d47c611aee1df0493a45bdd4da5bae2b14ceccb35f6250bd5fd1cd5c960db2a4b875a1f774710ce84b43b98eeb73e68f153c722d38d8a0262860b3 |
memory/3628-12-0x00007FF755DD0000-0x00007FF756124000-memory.dmp
memory/4884-18-0x00007FF68EE70000-0x00007FF68F1C4000-memory.dmp
C:\Windows\System\UGUbgKV.exe
| MD5 | 19f5ef6486fbb1bdfd7c4cec9b267d75 |
| SHA1 | 007921b897fcca6c4e8e4c749587c0333998446e |
| SHA256 | 53b50034445532e73d803c1e0d6a24bd50e63c3a1289fac350bed78de4a72564 |
| SHA512 | 57defd6f56dff4a24c99606004ca88685839654043fa7c63a91b49eb2844b97821578136a54464c93b73f7bf23fc5436e8cd6b1c15687fd7e1e29a9c1f4212dc |
C:\Windows\System\XJvrCCm.exe
| MD5 | b2d715a04232d421600c0a5ceedd548c |
| SHA1 | 1f926ee8177f7b17ac8b4312f1a9b218c6560088 |
| SHA256 | 0c4ed3962fec6504a3c59998cba8e2935f78084c69ecefd839997f4130b87bf8 |
| SHA512 | ffa7b8074a35856cad43dc875ff9978c6ec3b96c651bb2c6ae9173999457b7817d28d859a176782d0c04ebd0bdb77bcbc125f767fda09368eb62d30293413531 |
C:\Windows\System\HpejeBL.exe
| MD5 | bcc5808dffe6107e3761fd72275625b9 |
| SHA1 | c46071722c332e1157db7f8043257a23cb2e41d6 |
| SHA256 | a6c10f22bd66c3690e648a189f73543e7112a6cddee0d6180b2c44f99d577438 |
| SHA512 | 16f3af726f115cdf4f64701feb642f3b192ab1fc06ca5807fd95210c65826e9d2a4bbf2f785845782dd7bceceae5e050da08817f8c38e2a47448f03309ca70ef |
C:\Windows\System\bxlqwNG.exe
| MD5 | 5bc6ac7485f3aa6175d41ed132fd54ac |
| SHA1 | 1574189bf7a1197c9db9587b4015c458a58950aa |
| SHA256 | 40539fa92e41443f48dc8805c8cf0643b608c6cb5bcc875442930a4b1008697a |
| SHA512 | 35e8b8c0052d0312b37c908602de061c2add5bad298a4bd5f7a50eb4a42b0a3952c8bc88f70f9a019a66f51b59c65799c4e426fdd8db69afed8f5ce976d09a4f |
C:\Windows\System\FokpRNN.exe
| MD5 | 898792cf21a74f2aed392a48d3b2ebb6 |
| SHA1 | d402ace95e4068e9fd2c83b8a01f2c85031af49d |
| SHA256 | b4d2e909828b4f770342f07a8f5f16cbba31dd43f39dae1fc40f3c3bffde7f67 |
| SHA512 | 019e19d29207d804ea919cbadf2f1fa6298663783959fff1156548a82c0b8e35f91142d498c51e279238490f338d825841865ca83b0d991a3031a98badde484d |
C:\Windows\System\KoItgUY.exe
| MD5 | 87ec3a92b99dae2a98ef8ec65a43f8fa |
| SHA1 | bb86151ef824fa8a271ecbe8087ca260d7dd8dfb |
| SHA256 | 0af609251778387bd9eb251cd06ee5065a494d1a758e3903b6a51adeb2ac9955 |
| SHA512 | f20d5eb12bca0111f3a852a0e1e5d4eac2b8a658835ca980bfd385a386604e1cdfe21ea33de0a049f586b5a1f04da3552a2d7f346d8e55d4b2a793816b4ab5af |
C:\Windows\System\nBFOCfJ.exe
| MD5 | 3e0258c0af37276f478d475cc8b72485 |
| SHA1 | 40fc5e3eed394a18d64bd9af2593cf2861aa4779 |
| SHA256 | 65a90d8ee7e53c57cb1b9d4bc2b517a47dbda0f7b35d039ed1625e6d9a8bd30b |
| SHA512 | 1bad727bd6f00a3985dc1801fd2005cb7310012cd1067394f5e1f16fe7415d16540ea72c79a1407c1c90293ecef40b8b9682d36aad29cd62344a320ff6002254 |
C:\Windows\System\rwoRiJx.exe
| MD5 | 990c3d5ebf3e4e80cdadef8ce6e67ccc |
| SHA1 | 604fc9b3f03f51f7dbc2ca36725ed2939117ed17 |
| SHA256 | d5e89375c86bce46d9c3f940a864ac83cfce142a0d532eae20dab9849e29982b |
| SHA512 | 33eda170d6762acb8ad07c6743a893db54a086acd45d677b2b2aa44e85ad6d305990d3acbc324e2e6de30457292007e1277c7fb247819369c91e58c0225ce34b |
C:\Windows\System\QEkEHdK.exe
| MD5 | 5d53d8bc037febba3268929428439cae |
| SHA1 | a911f184daf51d1f8e5bf759f23478b22c5c2a16 |
| SHA256 | 1ea2754bedd4c2087c725bfdd6aa87fb731251b4f47fb9050bf7668aa8d02208 |
| SHA512 | 42e8060d79d032b9f5635a1b69a8d24313aa8318a03c00a42491931ac81d927f1fc210a0844b7b5533aac28f7fed4b32344b8f5aa2706697a232746775ef0db8 |
C:\Windows\System\onXnVBY.exe
| MD5 | f5aa52dd1ac9089b9421ce8948a91173 |
| SHA1 | 6e342dff6ba55fc05ecb60b84e413dde1eafd1ab |
| SHA256 | a58422b21fc859b9bd31abcfa05374a45527b114c1286f0fa3287108392244c8 |
| SHA512 | 821db3449bfa79d3f081dd8d7acebade34850f2d7d288e6fe23949a85a0e5a72f00ccb2fa1f24b552f07a6c53c97d60acc15b47219c3c4565a369ddb4df48cf4 |
C:\Windows\System\kaVftuC.exe
| MD5 | f160fc30d29637ecc64c0d437d08d6ae |
| SHA1 | ec6c19af1d8188144aa934ef9376c08d18411eea |
| SHA256 | 637ecb65206cc3cde881c26625c7c5fe2073586e5ed56638ee6d624ea6d0de5f |
| SHA512 | 362b2089dc70346b29ca6677abec976c9ddc314b2ffce0868bafa9e16ce9996c6f274b9b41ec90f649c01f607e6ecf405fbfee6c6eff1cc85b92e9c97f247a47 |
C:\Windows\System\OzxenSF.exe
| MD5 | 7d0cadc7edb1c4b76f079036a601eff4 |
| SHA1 | c9bd96de73526af92aea2a977185e45b498b890b |
| SHA256 | bb49977b477b0564d6b095ebbdba1488963bbba66d04b355b1aaa0fbf4a88654 |
| SHA512 | 6ec9a44c4dca9791f32373d51905f9d56b22f76cb97c4b5b17a100566ba6a573885c610103f8bba835b4fc8edf6cf86c7559eb764be22ecdfb6420759493a2dd |
C:\Windows\System\dcnXTxh.exe
| MD5 | 16ba6e151b32abbfa6328ed37cd9403d |
| SHA1 | 3ff5f0463e3f2efd186f4aeb1849d9cd85a16c67 |
| SHA256 | 16cfc2c65b16ad9d2f97a2f2edbae82b28426294f64dec03b958fb2b355f517f |
| SHA512 | ba8f3ba785c934e8a09b20f2442a09d544b13aa74654f2cdb2cb15baa7479acf0044a7ec9659cf8eb6f532e18a3e3e438bb8d92e6820978ade6cbafa13d978bc |
C:\Windows\System\iOeOkHP.exe
| MD5 | fa4e54d2648a99cbc618513f5d11ade5 |
| SHA1 | b3928dfabd1c6790a5ce44733cc9a8f22ae4815e |
| SHA256 | 784724129cbe2b9b4e34fbd803deeb166dfbedd477ed55339c102b016a32a867 |
| SHA512 | 0b86c338c9f7c89b43646c57cd80504d9f01777b8ca9c136fc84d3aec0608d38cd317963e837cac9202afabbf71071e932ba5a5b64c59ca69e46f97b98a88135 |
C:\Windows\System\epyLJll.exe
| MD5 | f3c6afeb3cd897549410a1e88b618d2c |
| SHA1 | 48639dcf8d31f6ede1dc3f9d7d97f8b4cb930838 |
| SHA256 | c7bcb953253cc1b020013ee85cca71f90201b928628905c702902c8f3807f343 |
| SHA512 | 015485ec8d6a99a222672e7c81f01b1eb1619168cb0839c4b7257f992645a09c2d6e8ee6ef80659131925864c4b13ce6c5072e9e257ca01dce361fcaae7d3a85 |
C:\Windows\System\qSNKMMb.exe
| MD5 | feb34df9370342533b382949c4247ef3 |
| SHA1 | 54675ddc915da659a6e35df5d8310f3adca397e3 |
| SHA256 | 9effc0ee47245d93d25129cacfadf4e0435932d5af5e855b55f295196fdf55b6 |
| SHA512 | c9c75dbd857e67c6ee5a1d7764cb95724c23e54b842970d0874f58c5832031654d0f32f235e35ced8413c0244a602cc5e67d9fdc0b7373ae5cd3ebf11b932259 |
C:\Windows\System\izIlmov.exe
| MD5 | ace0cc55def04d14c8987ef26ba2b3a4 |
| SHA1 | f91234bd6c8927fbc1dba5c558a57c8e6ca8ae36 |
| SHA256 | f8a2547fc1e5e13f1296e051954ebaed9bb0588b749b500d7d967673bc7d85fa |
| SHA512 | e27e1b7e2291629832bd7d1ae904dca2b15e934603eff1263e1e66b5b4b6cd6db5e0cca86fb19ed50a35bcb1a9e3af9445d873f34071d3bd16fb77b94e1895a3 |
C:\Windows\System\kbZriLR.exe
| MD5 | 296715622d8cf042f67e184e8682bb76 |
| SHA1 | 1b2bda9c527dd3ce2d3eb505c42887d21cf75b9a |
| SHA256 | 720731c09adff9e773c4f56d83463d72b148c04ead70e291ab070b0ba05b78ae |
| SHA512 | 789002e1e2f07dddf59b00dd8ca8a35e8e7e49bad4357e3e1d4e7518526b259e27abfcffcf18a5b69b4c9d48dc8dda80af1877555a27bd2b47a9af32a084eb51 |
memory/1964-52-0x00007FF7D8CB0000-0x00007FF7D9004000-memory.dmp
memory/2500-42-0x00007FF7DB0D0000-0x00007FF7DB424000-memory.dmp
memory/2704-34-0x00007FF69DB00000-0x00007FF69DE54000-memory.dmp
memory/3324-29-0x00007FF656250000-0x00007FF6565A4000-memory.dmp
memory/1684-26-0x00007FF610FB0000-0x00007FF611304000-memory.dmp
memory/4256-117-0x00007FF78D1C0000-0x00007FF78D514000-memory.dmp
memory/408-118-0x00007FF66A0A0000-0x00007FF66A3F4000-memory.dmp
memory/1140-119-0x00007FF6DD0B0000-0x00007FF6DD404000-memory.dmp
memory/4416-116-0x00007FF7AD510000-0x00007FF7AD864000-memory.dmp
memory/2672-115-0x00007FF6C2D70000-0x00007FF6C30C4000-memory.dmp
memory/2680-120-0x00007FF626A30000-0x00007FF626D84000-memory.dmp
memory/4968-121-0x00007FF6633B0000-0x00007FF663704000-memory.dmp
memory/3356-122-0x00007FF6E07E0000-0x00007FF6E0B34000-memory.dmp
memory/1944-123-0x00007FF60ED10000-0x00007FF60F064000-memory.dmp
memory/3388-125-0x00007FF772FF0000-0x00007FF773344000-memory.dmp
memory/2440-126-0x00007FF69FC00000-0x00007FF69FF54000-memory.dmp
memory/4640-124-0x00007FF65ED00000-0x00007FF65F054000-memory.dmp
memory/4124-127-0x00007FF7B85B0000-0x00007FF7B8904000-memory.dmp
memory/232-128-0x00007FF7BD2A0000-0x00007FF7BD5F4000-memory.dmp
memory/2696-129-0x00007FF706E30000-0x00007FF707184000-memory.dmp
memory/3628-130-0x00007FF755DD0000-0x00007FF756124000-memory.dmp
memory/4884-131-0x00007FF68EE70000-0x00007FF68F1C4000-memory.dmp
memory/3324-132-0x00007FF656250000-0x00007FF6565A4000-memory.dmp
memory/2704-133-0x00007FF69DB00000-0x00007FF69DE54000-memory.dmp
memory/2500-134-0x00007FF7DB0D0000-0x00007FF7DB424000-memory.dmp
memory/2696-135-0x00007FF706E30000-0x00007FF707184000-memory.dmp
memory/3628-136-0x00007FF755DD0000-0x00007FF756124000-memory.dmp
memory/1684-137-0x00007FF610FB0000-0x00007FF611304000-memory.dmp
memory/4884-138-0x00007FF68EE70000-0x00007FF68F1C4000-memory.dmp
memory/3324-139-0x00007FF656250000-0x00007FF6565A4000-memory.dmp
memory/2672-141-0x00007FF6C2D70000-0x00007FF6C30C4000-memory.dmp
memory/2500-140-0x00007FF7DB0D0000-0x00007FF7DB424000-memory.dmp
memory/2704-143-0x00007FF69DB00000-0x00007FF69DE54000-memory.dmp
memory/1964-142-0x00007FF7D8CB0000-0x00007FF7D9004000-memory.dmp
memory/4968-145-0x00007FF6633B0000-0x00007FF663704000-memory.dmp
memory/2440-151-0x00007FF69FC00000-0x00007FF69FF54000-memory.dmp
memory/3388-154-0x00007FF772FF0000-0x00007FF773344000-memory.dmp
memory/4640-153-0x00007FF65ED00000-0x00007FF65F054000-memory.dmp
memory/4416-152-0x00007FF7AD510000-0x00007FF7AD864000-memory.dmp
memory/4124-150-0x00007FF7B85B0000-0x00007FF7B8904000-memory.dmp
memory/4256-149-0x00007FF78D1C0000-0x00007FF78D514000-memory.dmp
memory/1140-147-0x00007FF6DD0B0000-0x00007FF6DD404000-memory.dmp
memory/2680-146-0x00007FF626A30000-0x00007FF626D84000-memory.dmp
memory/408-148-0x00007FF66A0A0000-0x00007FF66A3F4000-memory.dmp
memory/3356-144-0x00007FF6E07E0000-0x00007FF6E0B34000-memory.dmp
memory/1944-155-0x00007FF60ED10000-0x00007FF60F064000-memory.dmp
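Every dropped executable in this report sits directly under C:\Windows\System\ (not System32) with a seven-letter mixed-case name, and the Files section pairs each path with MD5, SHA1, SHA256 and SHA512 values. The Python below is an added example, not the report's own tooling: it parses an excerpt of the Files section (two entries copied from above) into IOC records, rejects a digest of the wrong length for its algorithm, and applies a hunting regex for that drop-path pattern to constructed Sysmon-style file-creation lines. The event lines, the TargetFilename/Image field names and the premise that C:\Windows\System\ is not a normal location for new executables are assumptions of the example.

```python
import re

# Two entries copied from the Files section of this report (excerpt). A path
# line is followed by its hash rows; memory-dump lines are interleaved.
REPORT_FILES_EXCERPT = r"""
C:\Windows\System\urYTxdk.exe
| MD5 | 26df69b71e06cc69f74256b3fa710687 |
| SHA1 | 43b8111eaf32443b9720d5dbb1917e5c02a83e5d |
| SHA256 | 00029b9e8f79c0ef4ec02a95c177198ec78d0fcafaa0909ebadbbab4c5342e28 |
| SHA512 | b4f3d561f0068a9b1e12da4d7fcf991bf328edc2d488c7277e1e1da68f1950539f9213f933a4ed285446f7f30f097eb59628112520c47325867fc5e33484a6bb |
memory/2696-6-0x00007FF706E30000-0x00007FF707184000-memory.dmp
C:\Windows\System\tHslcYK.exe
| MD5 | dc702388fa84a533a3e3958045320fe9 |
| SHA1 | 906d23f479052062d60e449a06eeda9c177ef054 |
| SHA256 | c9edb9431296fd1bfb3a9f80dad73317d44f6a8962639f607781b34a21008ffd |
| SHA512 | 577178193fa6fd68098c4545bae8a038b20f296d2a02c0d3801cbef3d4fabb7cac484e82f19b8e71918774efa0aeba11f63e5711193409cb2a92be8d28cd03e5 |
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")

# Every dropped binary in this report is <7 letters>.exe directly under
# C:\Windows\System\; the hunt pattern encodes exactly that and nothing wider.
DROP_PATH_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_files(text):
    """Group each path line with the hash rows beneath it; skip memory dumps.
    Raise ValueError if a digest is not the expected length for its algorithm."""
    entries, current = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line}
            entries.append(current)
            continue
        m = HASH_ROW_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{current['path']}: {algo} digest has {len(digest)} hex chars")
            current[algo] = digest
    return entries


def sha256_iocs(entries):
    """Set of SHA256 values ready for a blocklist or a hunt query."""
    return {e["sha256"] for e in entries if "sha256" in e}


def suspicious_drops(events):
    """Return TargetFilename values from Sysmon-style file-create lines that
    match the report's drop-path pattern (the line format is a constructed assumption)."""
    hits = []
    for ev in events:
        m = re.search(r"TargetFilename=(\S+)", ev)
        if m and DROP_PATH_RE.match(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample events; only the second resembles what this sample does.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\bob\Downloads\setup.exe",
    r"EventID=11 Image=C:\Windows\System\urYTxdk.exe TargetFilename=C:\Windows\System\XJvrCCm.exe",
    r"EventID=11 Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Windows\System32\config\sam.log",
]

if __name__ == "__main__":
    entries = parse_files(REPORT_FILES_EXCERPT)
    print(f"{len(entries)} files, {len(sha256_iocs(entries))} SHA256 IOCs")
    for path in suspicious_drops(SAMPLE_EVENTS):
        print(f"drop-pattern hit: {path}")
```

The length check is there because copy-pasted hash tables routinely lose or gain characters, and a truncated SHA256 silently matches nothing when loaded into a blocklist. The path regex is deliberately narrow; widen the name length only after checking what legitimate software on the estate writes under C:\Windows\System\.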