Analysis Overview
SHA256
0f834825e381d257401550e01f5cbb614c613420b683b53c4fb9a4822c21a517
Threat Level: Known bad
The file 2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
XMRig Miner payload
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Cobaltstrike family
Xmrig family
Cobaltstrike
xmrig
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-30 05:49
Signatures
Cobalt Strike reflective loader
1 match; no description, indicator, process or target recorded.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
1 match; no description, indicator, process or target recorded.
XMRig Miner payload
1 match; no description, indicator, process or target recorded.
Xmrig family
UPX packed file
1 match; no description, indicator, process or target recorded.
Unsigned PE
1 match; no description, indicator, process or target recorded.
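The two static1 signatures "UPX packed file" and "Unsigned PE" can both be reproduced from the PE headers alone. The following is an added example, not code from the sandbox vendor or from this page: a dependency-free parser that reads the section table (looking for the UPX0/UPX1 names stock UPX writes) and the Authenticode security data directory (whose absence is what "unsigned" means at this level). build_minimal_pe is a constructed, header-only fixture so the parser can be exercised without a real binary; it is not this sample.

```python
import struct

# Data-directory index of the Authenticode signature table (WIN_CERTIFICATE).
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
# Section names stock UPX writes. An attacker can rename them, so a hit is a
# hint, not proof; the sandbox rule keys on UPX's own strings instead.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_triage(data: bytes) -> dict:
    """Parse just enough of a PE image to answer two static questions:
    does the section table look UPX-packed, and is there a security
    directory at all (no directory means no Authenticode signature)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16; the header is 20 bytes long.
    file_hdr = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, file_hdr + 2)
    (opt_size,) = struct.unpack_from("<H", data, file_hdr + 16)
    opt = file_hdr + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    # DataDirectory starts at +96 in PE32 and +112 in PE32+ optional headers.
    dd_base = {0x10B: 96, 0x20B: 112}.get(magic)
    if dd_base is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_va, sec_size = struct.unpack_from(
        "<II", data, opt + dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    # Section table (40-byte IMAGE_SECTION_HEADER entries) follows the optional header.
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        name = data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0")
        sections.append(name.decode("ascii", "replace"))
    return {
        "sections": sections,
        "upx_sections": any(s.encode() in UPX_SECTION_NAMES for s in sections),
        "has_security_directory": sec_va != 0 and sec_size != 0,
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as f:
        return pe_triage(f.read())


def build_minimal_pe(section_names, signed=False) -> bytes:
    """Constructed fixture: a header-only PE32+ image (not loadable) so the
    parser can be exercised without shipping a real binary."""
    opt_size = 240  # sizeof(IMAGE_OPTIONAL_HEADER64)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew at 0x3C
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    if signed:
        # Pretend a WIN_CERTIFICATE blob lives at file offset 0x1000, 0x800 bytes long.
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + secs


if __name__ == "__main__":
    print(pe_triage(build_minimal_pe(["UPX0", "UPX1", ".rsrc"])))
    print(pe_triage(build_minimal_pe([".text", ".data"], signed=True)))
```

Two caveats when reading the result: a present security directory only means a signature blob exists, and validity still has to be checked with WinVerifyTrust or `signtool verify /pa`; and `upx -d` will only unpack stock UPX, so a sample with patched UPX headers is best recovered from the "UPX dump on OEP" memory image the sandbox already produced.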
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-30 05:49
Reported
2024-06-30 05:52
Platform
win7-20240221-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
55 matches; no description, indicator, process or target recorded.
XMRig Miner payload
61 matches; no description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\zqtpqeM.exe | N/A |
| N/A | N/A | C:\Windows\System\LyzHETX.exe | N/A |
| N/A | N/A | C:\Windows\System\FSUAFUx.exe | N/A |
| N/A | N/A | C:\Windows\System\xRcpVlb.exe | N/A |
| N/A | N/A | C:\Windows\System\aocPJyK.exe | N/A |
| N/A | N/A | C:\Windows\System\kHoVBff.exe | N/A |
| N/A | N/A | C:\Windows\System\mroSnaF.exe | N/A |
| N/A | N/A | C:\Windows\System\VkGoaaD.exe | N/A |
| N/A | N/A | C:\Windows\System\wgBtMEe.exe | N/A |
| N/A | N/A | C:\Windows\System\zCwGBlX.exe | N/A |
| N/A | N/A | C:\Windows\System\BRQcdML.exe | N/A |
| N/A | N/A | C:\Windows\System\ySJDbsy.exe | N/A |
| N/A | N/A | C:\Windows\System\PvWucwC.exe | N/A |
| N/A | N/A | C:\Windows\System\lPjLJKz.exe | N/A |
| N/A | N/A | C:\Windows\System\MrjASOa.exe | N/A |
| N/A | N/A | C:\Windows\System\RWODoVb.exe | N/A |
| N/A | N/A | C:\Windows\System\epFeYvi.exe | N/A |
| N/A | N/A | C:\Windows\System\dYzVTTO.exe | N/A |
| N/A | N/A | C:\Windows\System\YhFRJIm.exe | N/A |
| N/A | N/A | C:\Windows\System\feJhtJz.exe | N/A |
| N/A | N/A | C:\Windows\System\SnsvSnH.exe | N/A |
Loads dropped DLL
UPX packed file
55 matches; no description, indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig requests so that RandomX can be backed by large pages; both requests here come from the original sample process, which is consistent with the XMRig Miner payload signature above. The signature records the AdjustTokenPrivileges call, not whether it succeeded: the call can only enable a right the account already holds.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\zqtpqeM.exe
C:\Windows\System\zqtpqeM.exe
C:\Windows\System\LyzHETX.exe
C:\Windows\System\LyzHETX.exe
C:\Windows\System\FSUAFUx.exe
C:\Windows\System\FSUAFUx.exe
C:\Windows\System\xRcpVlb.exe
C:\Windows\System\xRcpVlb.exe
C:\Windows\System\aocPJyK.exe
C:\Windows\System\aocPJyK.exe
C:\Windows\System\kHoVBff.exe
C:\Windows\System\kHoVBff.exe
C:\Windows\System\mroSnaF.exe
C:\Windows\System\mroSnaF.exe
C:\Windows\System\VkGoaaD.exe
C:\Windows\System\VkGoaaD.exe
C:\Windows\System\wgBtMEe.exe
C:\Windows\System\wgBtMEe.exe
C:\Windows\System\zCwGBlX.exe
C:\Windows\System\zCwGBlX.exe
C:\Windows\System\BRQcdML.exe
C:\Windows\System\BRQcdML.exe
C:\Windows\System\ySJDbsy.exe
C:\Windows\System\ySJDbsy.exe
C:\Windows\System\PvWucwC.exe
C:\Windows\System\PvWucwC.exe
C:\Windows\System\lPjLJKz.exe
C:\Windows\System\lPjLJKz.exe
C:\Windows\System\MrjASOa.exe
C:\Windows\System\MrjASOa.exe
C:\Windows\System\RWODoVb.exe
C:\Windows\System\RWODoVb.exe
C:\Windows\System\epFeYvi.exe
C:\Windows\System\epFeYvi.exe
C:\Windows\System\dYzVTTO.exe
C:\Windows\System\dYzVTTO.exe
C:\Windows\System\YhFRJIm.exe
C:\Windows\System\YhFRJIm.exe
C:\Windows\System\feJhtJz.exe
C:\Windows\System\feJhtJz.exe
C:\Windows\System\SnsvSnH.exe
C:\Windows\System\SnsvSnH.exe
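The process list above (the sample in %TEMP% followed by 21 seven-letter EXEs under C:\Windows\System) and the SeLockMemoryPrivilege requests are the two behaviours worth turning into host detections. The following is an added example, not part of the sandbox report or its tooling: it runs two checks over constructed records shaped like Sysmon Event ID 1 (process creation) and Windows Security Event ID 4703 (token right adjusted). The PIDs and names echo the behavioral1 run, but the parent/child links and the sqlservr.exe allowlist entry are assumptions made for the example; the report does not state which process spawned which.

```python
import re

# All 42 dropped names in the two runs above are seven mixed-case letters under
# C:\Windows\System, the legacy 16-bit directory, which holds no executables on
# a clean modern install; that alone is worth a rule.
DROPPED_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# Assumed allowlist: SQL Server legitimately holds "Lock pages in memory".
LOCK_MEMORY_ALLOWLIST = {
    r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe",
}

ROOT = (r"C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb"
        r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed records shaped like Sysmon Event ID 1 and Security Event ID 4703.
# Names and PIDs echo the behavioral1 run; the parent/child links are assumed.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 756, "ParentProcessId": 1200, "Image": ROOT,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2352, "ParentProcessId": 756,
     "Image": r"C:\Windows\System\zqtpqeM.exe", "ParentImage": ROOT},
    {"EventID": 1, "ProcessId": 2264, "ParentProcessId": 756,
     "Image": r"C:\Windows\System\LyzHETX.exe", "ParentImage": ROOT},
    {"EventID": 1, "ProcessId": 2588, "ParentProcessId": 756,
     "Image": r"C:\Windows\System\FSUAFUx.exe", "ParentImage": ROOT},
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 4703, "ProcessId": 756, "ProcessName": ROOT,
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4703, "ProcessId": 1900,
     "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
]


def dropped_exe_fanout(events, threshold=3):
    """Return {parent image: sorted child images} for every parent that spawned
    at least `threshold` distinct C:\\Windows\\System\\<7 letters>.exe children.
    Grouping by parent catches both a star-shaped dropper and, run per level,
    a chained one."""
    children = {}
    for e in events:
        if e.get("EventID") == 1 and DROPPED_EXE.match(e["Image"]):
            children.setdefault(e["ParentImage"], set()).add(e["Image"])
    return {p: sorted(c) for p, c in children.items() if len(c) >= threshold}


def lock_memory_requests(events, allowlist=LOCK_MEMORY_ALLOWLIST):
    """Return process names that enabled SeLockMemoryPrivilege (Security 4703,
    which needs the "Audit Token Right Adjusted" subcategory switched on) and
    are not allowlisted. XMRig asks for this right to back RandomX with large
    pages, which is what the AdjustPrivilegeToken signature above is seeing."""
    hits = []
    for e in events:
        if e.get("EventID") != 4703:
            continue
        if "SeLockMemoryPrivilege" not in e.get("EnabledPrivilegeList", ""):
            continue
        name = e["ProcessName"]
        if name.lower() not in allowlist:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for parent, kids in dropped_exe_fanout(SAMPLE_EVENTS).items():
        print("dropper fan-out:", parent, "->", kids)
    for name in lock_memory_requests(SAMPLE_EVENTS):
        print("SeLockMemoryPrivilege enabled by:", name)
```

The path regex is deliberately tight to what this sample does; widen it to any new executable under C:\Windows\System if you want the directory itself to be the signal, and keep the privilege check separate, since it fires on miners that never touch that directory.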
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/756-0-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/756-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\zqtpqeM.exe
| MD5 | 86d5ad997e98ddcd792baca56d83e7ad |
| SHA1 | 6394332506be7c520dbe3a02d4474635b213bd13 |
| SHA256 | ce893359a042f471c65649b27751cbd31f875c0066aee0ed4f391bf64888b626 |
| SHA512 | e276483c42e06592ad329f71ff7b188142fad35b477370b7871581f46659254946e56052e81cd430092ca7911ceae97e46e38fa5efeb6e9bd4fe75ee019fea13 |
memory/2352-9-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/756-8-0x000000013F4E0000-0x000000013F834000-memory.dmp
\Windows\system\LyzHETX.exe
| MD5 | 4598eff25b32a744ebc6e9b94a532797 |
| SHA1 | be9d6859e3b2bd7541db5b3bde395afaed8d60a5 |
| SHA256 | e04323fdfd7c8f14af4c911d506c20f7718d47abf467b508f79662e8fc0ae14d |
| SHA512 | ee0f47ead3f92de6e79b21d2533956fe3899b29aae29f7811d5ac8ab889cc8be8d4ca48f779c9fc43ef128b32dddfab375cfc03d771de0fdd5b797edb071282c |
memory/2264-15-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/756-14-0x000000013F250000-0x000000013F5A4000-memory.dmp
C:\Windows\system\FSUAFUx.exe
| MD5 | 583fff7ae87900d861886e124314565f |
| SHA1 | 9095ec5ce06a55e6a4940e1f65e3fa9679f48c1c |
| SHA256 | 8a8a5caf98c6443d3f970579cb30b7d50214b0e2d59af76b4e50eb5961d86e3a |
| SHA512 | 726c4b7321697dfcac7e8d4e5ff67071df3093c7cd2b3b1e4706aa7da853bb3f46440c419e01857a97e0b10a37ed135b11d44773f58be2436e55c1a791bcb973 |
memory/2588-21-0x000000013FF90000-0x00000001402E4000-memory.dmp
\Windows\system\xRcpVlb.exe
| MD5 | 2f59113600917b365de089624b7b7cca |
| SHA1 | 97408e1abd3e1dff66a7effb24afce3feb4ea448 |
| SHA256 | 1c5d34152abe9b4de7f2b0e5c1a8d259ced08b55a5c5272cc9244ac2b2d5f807 |
| SHA512 | b7f1fda7fec9fcaa879269a0eb9951bad35d1fa0bb037c6199f6a55c96e477201173e1ef8bb64d9e73aa552e34e9385cc3efa489b7d3fa7049fdbb47a0e75709 |
memory/756-37-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/756-51-0x000000013FE60000-0x00000001401B4000-memory.dmp
C:\Windows\system\zCwGBlX.exe
| MD5 | 7b7ec9d5ec62f2f827fffcda459fb601 |
| SHA1 | f5cc06819d6ff9474c3369438a6a17eedac574c2 |
| SHA256 | 5760b6c83fa49adf4ed232186ac453bd48e35c0428c990bd5ccd11c66208f82c |
| SHA512 | 67449529cf5f372a9d2e8efb33e2de5c2c2e8df257b827d60ed5223bb0cd142bfeab92df710d0ff6f8723ce826e23f2de39468af12e0477ec634ce13e08bfb51 |
C:\Windows\system\BRQcdML.exe
| MD5 | c45d1d56386744e690d569dac1b88700 |
| SHA1 | 40a60521859bfde9e77a0616fcb8ff143976932d |
| SHA256 | 5a3d1123c43dd2e5e69c276b7c7af43340159978456a24053d79a700c8ac996a |
| SHA512 | fd5740ae96c2c53288d7c0792330c404eb56f3f7c890f90dbd8ebe47f6d49c3b64117c7e406fec0aec4359f43b61513e8311b28767dec43a95f3723678de99e3 |
memory/756-76-0x000000013F830000-0x000000013FB84000-memory.dmp
C:\Windows\system\RWODoVb.exe
| MD5 | 221eed26cd2b08b69d7c9b90e0ebbb63 |
| SHA1 | 0b2088799ea17f0c2ea281c4905635c6e842ff58 |
| SHA256 | 52aeb808cde8130fdb51dea202bf9a73e00ac48e92640b641e1ef23f5802c58c |
| SHA512 | 3d374961afcf1c17c4fe7916775706e7f5e00a1b200e3f7eac75003989387f12ef7f6c8c184bc80dbc1d17d83d9a495829d7a40eedc8c9ca8ebc32549e99939c |
\Windows\system\SnsvSnH.exe
| MD5 | f87f4ce5cc287480fe05f498a81a49c8 |
| SHA1 | abddda7461c1768fd3d8cfc52492f1d0720363c3 |
| SHA256 | 2f4bd13f83917adae7f0accdff0546f6cf865d24e0a5a8db2ea551ba56980beb |
| SHA512 | c86668d58d3af46225aa493cf4ef917aea466615cc6d37f5a495afe1e32d508aa0414c961a9ca5415371200f8798cb14c85ad148b74746bb290f58860cc67739 |
C:\Windows\system\feJhtJz.exe
| MD5 | ed99b1eff963854d27cf7a99418e0a88 |
| SHA1 | 52e72475c9215e5186dab38770cb9f76b59d5c79 |
| SHA256 | 51225a2b839b9d43580a79fd096cbfee666c31814a59918cc7330018e62f2ceb |
| SHA512 | bf48a98861544d4377f33b7fab14c6ecbd87755b0568a6e8e3f0eb14c6ed5f64300875bd556770bc22bc4b20488b1b898b9db94ad0fab524ffea04f065464c3a |
C:\Windows\system\YhFRJIm.exe
| MD5 | 949395f2a6a8265233584931c3943ef6 |
| SHA1 | 99121a7b1ed0946b034f6ec8e54e8589c803c1a2 |
| SHA256 | 20d5062c787841e6cc0c43a24607d067543223bc490890fb6987ee52f7b613fd |
| SHA512 | 63fe612c5bd46b875bb3de2b653db170e46fa8bae484c3815e01758d5f189e707b569db552e5260a301b2f46e4c69f338a6d68849c6b8e3c4bab85ee0e5d4c70 |
C:\Windows\system\epFeYvi.exe
| MD5 | 391e1f65d17e80a6e1583b894a1fb679 |
| SHA1 | c92bd3521823c51d2c9c14db87bc674469f9a1b0 |
| SHA256 | bb731274d111a9519e2bdb6c5d22bc64a0ce99fec5c6d5b19730d93d7bc8d408 |
| SHA512 | 170595bf9a19594aac2aa3611df26bcbb3832606a1e3f19be6d032a5c4d32d4f06ca95fbd6dd7248959f03b6d0ce18ead8b13b6397e1f1cb1939b63a4cbc8cfa |
memory/756-93-0x000000013F860000-0x000000013FBB4000-memory.dmp
C:\Windows\system\dYzVTTO.exe
| MD5 | dcf6678c64eef0fc1612e3498f724cee |
| SHA1 | 79567cf92b2d5d1c535c401fb761b1f13d12adaa |
| SHA256 | 3ad511fbd957de595bd8857e4d7f91b6e96d717e04ed4ca65792cae8bd8301c6 |
| SHA512 | 26372011a678dd68475230bcbc149b06747e560bdea2e96093f029a4566a0e7406227e8e1e240f167ceb5489c69c359e11069f1fe50c24d7c3eb43f069889c9d |
C:\Windows\system\MrjASOa.exe
| MD5 | f5f873c5b4755301aaeb54f021d03e65 |
| SHA1 | 9a701b78eed0459fb7e3c995342bb28fc544b8e1 |
| SHA256 | cf04013b2aed2a04518b886d55a39c4fc6e27028cc413bd98b624b5e8e293c74 |
| SHA512 | 4801bf8862398a8654a81f145b34a3b49c46c5938dafb3ed9a98215ae10d9f12303c8fa2d5cf448306c126f524c5f466f0bd6aebf62fc05c6b9c89659eab6ed5 |
memory/2972-88-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/1452-83-0x000000013F790000-0x000000013FAE4000-memory.dmp
C:\Windows\system\lPjLJKz.exe
| MD5 | ba52332e9c8c93a8ddbed4ba9ec77d67 |
| SHA1 | 08f420ae520424c7c545ab6ef88a039fb36c7996 |
| SHA256 | 218a34f6ed901992108809c9ed60b60750c1b2f1d1c0fd2e139b1a090afb2448 |
| SHA512 | 5b02eb4b5d42cc68175ea5dede2bab6a9ab67bb33194e681271e8618c20db55f153e22f881aed40f111752d5fab83fc2c7735ab05ff07aac095bac776bce2760 |
memory/756-82-0x000000013F790000-0x000000013FAE4000-memory.dmp
C:\Windows\system\PvWucwC.exe
| MD5 | eabead199db2dbcdecfcc58ac196caf1 |
| SHA1 | c9a234d34b678bf4894b4ddbd530d8968671cf28 |
| SHA256 | cb73765880f192509398824e8ed2339c83d343a79196e89a78bfe5d885d4b272 |
| SHA512 | 7dc18e7b2b4c965c8f510c712dd1cb75aa89222989de11df1b338b6303273640be356198e80592ffffe9f18cf827fb1ae266ddadfd30dd6380c18f3db15deb64 |
memory/2324-77-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2564-71-0x000000013F0D0000-0x000000013F424000-memory.dmp
C:\Windows\system\ySJDbsy.exe
| MD5 | f969bb82de5307b6b07a8d6d143506f6 |
| SHA1 | 70b8901037b5f80db3005bc206ab1cc513ca05b6 |
| SHA256 | daa04463d2fb21badcefb3b938a6c7cb50ce9d7922e5c9b336b7c136b84f6b4a |
| SHA512 | bdd6e7089ae349ef361798cd44eba15aa714bd202f73e12bc31e25e7a970a9f3a8ab0775ce498319890bf9c832f04c10fcb176db091dca7e4c45d923e9bebdaf |
memory/756-70-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2588-69-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2432-64-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/756-63-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2264-62-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/2484-56-0x000000013F080000-0x000000013F3D4000-memory.dmp
C:\Windows\system\wgBtMEe.exe
| MD5 | 2745b03b47f154aad713da9813dffbff |
| SHA1 | 90cfba4d80e755d183698945ec28b45a4a72da48 |
| SHA256 | 9aa2a17da7e5d2e6e5217765e0d6ef92e6137c9422b076833276b4c2b61d40fa |
| SHA512 | 3f9e47804dcef45b60ca801c54f7288f99d776d5a911345b115fcbf09ba2fb85fa33b986adc4908b2c8c7dd2100526d8efc58ca29f6b3ba36966f978c328423e |
memory/3056-52-0x000000013F320000-0x000000013F674000-memory.dmp
C:\Windows\system\VkGoaaD.exe
| MD5 | 4ef5c9231a1290e22021d50630a22349 |
| SHA1 | 18c2504e3cfa642f586e39c682cef084c9b1b0c8 |
| SHA256 | b3776257e94264aedf1adb5000a71f5725b2cbed9334daf9ec44c986ea62d5c9 |
| SHA512 | 71c3ec8752860c38eeef3b4c10068bb29f1fa8ef605f0550755841d4814a67416087d1f95257cf770c3488b872b2e7bcb15bff28fc37447ae55b200be18a675a |
memory/756-48-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2472-45-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/756-44-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\mroSnaF.exe
| MD5 | c1ebc773865451e0b2ea076e6b48e82d |
| SHA1 | f2561ffe851ec60d1ca8525f285f05268be49041 |
| SHA256 | e09efd445e97720fbfc987a8f1ddb9f3ac558d3e0fa6f6dffacf5534185b273e |
| SHA512 | 865bd44cf1d03da4df566927f207e5cd6c87edff2bf51b5d487491c0a8f319dedc50c362dae6ed8fef645ce3d73f9ce2d7cfbd1f32815c700a3dcbdee843c6fa |
memory/1724-38-0x000000013F6D0000-0x000000013FA24000-memory.dmp
C:\Windows\system\kHoVBff.exe
| MD5 | 063bdfac8297b6b5b5a3ff9e0a158131 |
| SHA1 | 8432da9b93fe333e4bee24f6275b52c364539b3e |
| SHA256 | beaf9d39802b8785e6ab688940f7ca5f946bd306bc8215c682ebfb49a8028bad |
| SHA512 | 0f6031faaa62a68eda5f4184a58e6cb70f5fb802d1800846c12b6745933553416f80fdb3e68c9a763a9a869680fc4c192683531f62c1aca53a6e0df88334c15f |
memory/2592-33-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/756-32-0x000000013F280000-0x000000013F5D4000-memory.dmp
C:\Windows\system\aocPJyK.exe
| MD5 | 11aaeb6a54c045cd600ac1d0c8deea2c |
| SHA1 | 4ecb12e350f6dc147b670899f25b53441c23b7c0 |
| SHA256 | 4f132ac72046f6a3f039af38981ca372befac07b0771b796f5ed9e0d51e7defe |
| SHA512 | 01ab7395a35bfc5723b0f05c75a9f5e62bf194e0ee9d5deae38c27584a83d2505abe98caedff31d11b0406e4dbb6d1bef965a9cb140a4560fef857ffa5cfeb44 |
memory/2656-27-0x000000013F100000-0x000000013F454000-memory.dmp
memory/756-25-0x000000013F100000-0x000000013F454000-memory.dmp
memory/756-20-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/756-117-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/756-118-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/756-139-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/756-140-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/1452-141-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/756-142-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2972-143-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/756-144-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2352-145-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2264-146-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/1724-155-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/2324-157-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2472-156-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2588-154-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2972-153-0x000000013FA30000-0x000000013FD84000-memory.dmp
memory/2564-152-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2656-151-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1452-150-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2432-149-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2484-148-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/3056-147-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2592-158-0x000000013F280000-0x000000013F5D4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-30 05:49
Reported
2024-06-30 05:52
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
64 matches; no description, indicator, process or target recorded.
XMRig Miner payload
64 matches; no description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CbVUJFF.exe | N/A |
| N/A | N/A | C:\Windows\System\YhsPGCM.exe | N/A |
| N/A | N/A | C:\Windows\System\gKDfOeA.exe | N/A |
| N/A | N/A | C:\Windows\System\XRNAqVN.exe | N/A |
| N/A | N/A | C:\Windows\System\qPRKeXN.exe | N/A |
| N/A | N/A | C:\Windows\System\nQTJXNr.exe | N/A |
| N/A | N/A | C:\Windows\System\wUlDfIG.exe | N/A |
| N/A | N/A | C:\Windows\System\nrrkXkh.exe | N/A |
| N/A | N/A | C:\Windows\System\yRsIAWg.exe | N/A |
| N/A | N/A | C:\Windows\System\LcNPKpA.exe | N/A |
| N/A | N/A | C:\Windows\System\flwBQHG.exe | N/A |
| N/A | N/A | C:\Windows\System\ytFtPah.exe | N/A |
| N/A | N/A | C:\Windows\System\VEmGwCo.exe | N/A |
| N/A | N/A | C:\Windows\System\OdopPpV.exe | N/A |
| N/A | N/A | C:\Windows\System\LPMxVcK.exe | N/A |
| N/A | N/A | C:\Windows\System\aBCIvEW.exe | N/A |
| N/A | N/A | C:\Windows\System\vqKNuYN.exe | N/A |
| N/A | N/A | C:\Windows\System\iVeUbsU.exe | N/A |
| N/A | N/A | C:\Windows\System\RGxdzaD.exe | N/A |
| N/A | N/A | C:\Windows\System\vOzKpGE.exe | N/A |
| N/A | N/A | C:\Windows\System\VhzKRqY.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\CbVUJFF.exe
C:\Windows\System\CbVUJFF.exe
C:\Windows\System\YhsPGCM.exe
C:\Windows\System\YhsPGCM.exe
C:\Windows\System\gKDfOeA.exe
C:\Windows\System\gKDfOeA.exe
C:\Windows\System\XRNAqVN.exe
C:\Windows\System\XRNAqVN.exe
C:\Windows\System\qPRKeXN.exe
C:\Windows\System\qPRKeXN.exe
C:\Windows\System\nQTJXNr.exe
C:\Windows\System\nQTJXNr.exe
C:\Windows\System\wUlDfIG.exe
C:\Windows\System\wUlDfIG.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1296,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8
C:\Windows\System\nrrkXkh.exe
C:\Windows\System\nrrkXkh.exe
C:\Windows\System\yRsIAWg.exe
C:\Windows\System\yRsIAWg.exe
C:\Windows\System\LcNPKpA.exe
C:\Windows\System\LcNPKpA.exe
C:\Windows\System\flwBQHG.exe
C:\Windows\System\flwBQHG.exe
C:\Windows\System\ytFtPah.exe
C:\Windows\System\ytFtPah.exe
C:\Windows\System\VEmGwCo.exe
C:\Windows\System\VEmGwCo.exe
C:\Windows\System\OdopPpV.exe
C:\Windows\System\OdopPpV.exe
C:\Windows\System\LPMxVcK.exe
C:\Windows\System\LPMxVcK.exe
C:\Windows\System\aBCIvEW.exe
C:\Windows\System\aBCIvEW.exe
C:\Windows\System\vqKNuYN.exe
C:\Windows\System\vqKNuYN.exe
C:\Windows\System\iVeUbsU.exe
C:\Windows\System\iVeUbsU.exe
C:\Windows\System\RGxdzaD.exe
C:\Windows\System\RGxdzaD.exe
C:\Windows\System\vOzKpGE.exe
C:\Windows\System\vOzKpGE.exe
C:\Windows\System\VhzKRqY.exe
C:\Windows\System\VhzKRqY.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3532-0-0x00007FF6A9C40000-0x00007FF6A9F94000-memory.dmp
memory/3532-1-0x000001EBE9CF0000-0x000001EBE9D00000-memory.dmp
C:\Windows\System\CbVUJFF.exe
| MD5 | fbb89110113d3948e22040fccba4d151 |
| SHA1 | b56c57e7bd45dd9abb0e977de3e8d383fa2f36aa |
| SHA256 | 67d9c168d7dbbc5519305b88bb29193cb018401fb7ce18796fe1f34f372be2b5 |
| SHA512 | 36a823ca68aa886be9992b3b6337e293d6534e0e31907ae5adad464a571f124319ab01672b68e6e041f780b1a961c666af6796e7379c8c5744f937c9b85a6348 |
C:\Windows\System\gKDfOeA.exe
| MD5 | 01509851b723a3b9f428ff0601cb2611 |
| SHA1 | c7fb69366d3db5673fea9e05c0010a25808b708a |
| SHA256 | 3cde1c348ea54cad604fa5eb619d4fb5ad6d1caa8e627b33f12ae7fd5610861a |
| SHA512 | 32c6ecd04efdbaa71ecc23a9086bd9f46d68fca628392a4cfee714b8b5d1bf32ec9bbf02526c36b8ea24b40883506c0092cace8569b3ab4cea0da0340e4e9f85 |
C:\Windows\System\qPRKeXN.exe
| MD5 | 6db8d1822f4ea1b4e9101d752a2377d6 |
| SHA1 | 0f948d035c6a324b3044aa055712b81df6725388 |
| SHA256 | 9376a63fd371020e72880268b0957445abfc76e8c52efcb007f113498bbbc391 |
| SHA512 | 677054098e1a3064f9d1dc4efacf3c67f03f6c89c783dacf6062204e23967582bc783dbd4135a2eb152fa291bf70ccea5bf4d112589befba72d439ae93ec9fed |
memory/4152-27-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp
C:\Windows\System\nQTJXNr.exe
| MD5 | 2897f39ce4744a32dfb4d0e681720463 |
| SHA1 | 1a71cc60876fea859c59c7570bc01f0a7ed5dbd6 |
| SHA256 | fbc0082a6117e962caac95352e0653d21c3e8f00e333247495edb2a64e553de3 |
| SHA512 | 8da5107c7419069ab566656c1451e74927cbf457b1a976d850cad08ab34c65f100b92a9fc292a0e68f17487310138c5455ff09ee886bb378ad3d3d2425774f43 |
memory/3456-35-0x00007FF683980000-0x00007FF683CD4000-memory.dmp
memory/2356-34-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp
memory/2620-28-0x00007FF78F400000-0x00007FF78F754000-memory.dmp
memory/1940-22-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp
C:\Windows\System\XRNAqVN.exe
| MD5 | 1ba1f65468efbd722ce49fce5016976a |
| SHA1 | 2aef6d700995b1ea43c695a5be1910c3ba19314b |
| SHA256 | 5b56a4888960ca42bf3f6ba098949bed68a89df7c535cf71699a1532df6bba6e |
| SHA512 | 627044642724711a7685b20919ea970b69c4eadbf5f6d1f226c6ee6be37ffc554ed43525c02f066b514de2c55aee2cf5c30e5b9e45e6f23c64a8b094a8c6fe3f |
C:\Windows\System\YhsPGCM.exe
| MD5 | 2da91d9aa18fa52d85525dc1f83033ae |
| SHA1 | 9bf518d7e83a54a4fb52a632d4d28fb6c9a79e79 |
| SHA256 | f938b5dcaa9fa349734bfc79b8a4600c5217d60789417aa5256ea971a0496375 |
| SHA512 | d2b2d3601f358237cd40b3dffb471ef18d6886e27a13ab43d19fab1c0bc097632d6bb2b8f87a7f2809f413250c2cc61a85391e3d208827c3e060b211b7be8f06 |
memory/2828-11-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp
C:\Windows\System\wUlDfIG.exe
| MD5 | d936a10029209be27a239bd1e6d43459 |
| SHA1 | 67cf43ad3f0022a26479da33691e26838480b964 |
| SHA256 | ef646e755ab2be6583356baf3303e7f698df211bb8aa7f8d5a3ab4611fd6560d |
| SHA512 | 78aab960537450f67016cc6326d233429739415002b016fd8b44def099da6a5e692f7f7d8c6ae18e4b3d7f1c505ba01023ddc3c5b561e18aff4862ec8591942e |
memory/4508-44-0x00007FF7DAFF0000-0x00007FF7DB344000-memory.dmp
memory/520-50-0x00007FF7EC5C0000-0x00007FF7EC914000-memory.dmp
C:\Windows\System\nrrkXkh.exe
| MD5 | e051c1ebb387c9d186f143647064225f |
| SHA1 | bad912b8ccb3f01531df8b08c6654f47c9593eaa |
| SHA256 | 3da403ce26e92b5387af34199d8b4656eed78f1b61951a26ba95afec7e46b5c5 |
| SHA512 | 13563494572715fac85db22472998727200d1070cfb9f372425e07108309c8d496fac4e741a62e13fc5a99829d726ed6413b128ea1570e8a01d42240fd382c29 |
C:\Windows\System\yRsIAWg.exe
| MD5 | e34370fdbfa4e924f29640cfb793aa8f |
| SHA1 | 2499af9bfe2c34e37bb4e8dd211de4e13edc2894 |
| SHA256 | 5542ff2c9fa0292151fa0c6b3381bd8df6d2640502102eaf44d19143d8ae6d2f |
| SHA512 | a54a3f32d80ab91623eed130ebb036510132aca48b24ebd2fc8ce4a5795694fde5478f3f117d33169b03217cf256325bdc88064556cc9cc8bdda652f9c313539 |
memory/4428-56-0x00007FF744EE0000-0x00007FF745234000-memory.dmp
C:\Windows\System\LcNPKpA.exe
| MD5 | c4407826f5a77ad3a29d7c70db2b6158 |
| SHA1 | b1514c5237df7f0c3a923d394961ade337585190 |
| SHA256 | 4f485a2dac3b027658a045ca9ca776451119649753ecc6f08cd02bccd3e02e4e |
| SHA512 | 2b225fc90a5a12ec5e64c9e3addae28a1f40cac72e35675231b3a670e7485ca391867369de7fa27bcaa656b82214ea777603390b96aab78783397e2515ad925e |
C:\Windows\System\flwBQHG.exe
| MD5 | 7eca1c3dac4d6e6909a442bdd89ec0f7 |
| SHA1 | 0878c0fc1bd2a17378824ea7cea1ab45b7c28b64 |
| SHA256 | c25863793c5ef19e552bcf3c806d6fcb0ba4afe78a1099ffa3600b8cb4f03670 |
| SHA512 | b31ecd0802c7c04b5a34c17f238eaad633270bc44c8b07f88c3bcc72bad44072a54e9dee7f28fc6d21ec4a92520cd86db5e7e0c576bca9bffb857705e4e758e3 |
C:\Windows\System\ytFtPah.exe
| MD5 | 9c8383ad30c763a685382f0db5ea324c |
| SHA1 | ba5517d2003a387d888175ed6f6256e37ca6d5a4 |
| SHA256 | c966a589e9f449c6b8ce6a2337c973ae4b22efeffddd065f7031edb9dcb1363b |
| SHA512 | cfeb3445e4ef687eb214dddb0a7c5967e85b94fefc204d2fa7c1b8952aca5533a50a7cb2de28cac928f7686b421c579400728b2b25e889e7952df536ea8c9b0f |
memory/5032-72-0x00007FF7B70A0000-0x00007FF7B73F4000-memory.dmp
memory/3232-69-0x00007FF625760000-0x00007FF625AB4000-memory.dmp
memory/3320-62-0x00007FF7F4090000-0x00007FF7F43E4000-memory.dmp
C:\Windows\System\VEmGwCo.exe
| MD5 | 5bda4db9c904d9517ec3bbab5eabed65 |
| SHA1 | 466b2f4e035d1a92bab2d4f6d842a2180d88effc |
| SHA256 | b66fc34571f43266130192f03bebf1648addde82aafeb970aa06ec164f72e7ee |
| SHA512 | c72a5c237fc8072aae751e51baede40efc566e9604d7aa8307fed6e35ffde6de5164ace41aab227e1a07550cdfc3dadb7491adaa29a83c62d38a7d8359add045 |
memory/5108-85-0x00007FF691DB0000-0x00007FF692104000-memory.dmp
C:\Windows\System\LPMxVcK.exe
| MD5 | 9ea28d843536186f2386e5f4f98ffcef |
| SHA1 | 308560df89997fba30a70adeb092e3fc52b2ef5d |
| SHA256 | cd82665c197ec0b6ea63b4404f75bcac4982c831af511e313967a900a17f98cd |
| SHA512 | 2be601ad0b184977cae244205a2707e118e32c1c39dba6162c58cc082fc46fff389d5c91de4b15ead414b8b5f0e7029115ccdbd0482e6a40f5766957e99deada |
C:\Windows\System\aBCIvEW.exe
| MD5 | 6126d9399a249c9294b1933da19d537b |
| SHA1 | b88c7e67c0f8e6cc874f6705450fa379481121d0 |
| SHA256 | fe70cc8b636857ba3f300d42836f3679000e7153a3e653999b9004330d3540e5 |
| SHA512 | a8dc171ff47d0bcfa3585fdd82d5df22e2370f16e176170fd76b3321a155e6122a02d88eafb8cf7fc144505b64ae285b9c6de79021891956520914da7c82ceda |
C:\Windows\System\vqKNuYN.exe
| MD5 | 21660b3d07c33a77550a7e015f89d52e |
| SHA1 | 6c6d243e11cabc6b0514fdf7d8ede2665d93791d |
| SHA256 | a113a329771b065de4509f77cf82ee135a04d88801b8ccbaf6ffdd5b71588331 |
| SHA512 | 402035f6ce9508cd2b17b0ed00d10d869db7e63087dd442168a65e26c52c3c3d813e13b6b2fb90af93c9dfddf1f40dc0f78c7ab2e6d99d74b1b58f8ceaa7d8ad |
memory/1500-109-0x00007FF69DAB0000-0x00007FF69DE04000-memory.dmp
memory/3456-108-0x00007FF683980000-0x00007FF683CD4000-memory.dmp
memory/1412-107-0x00007FF7BD7B0000-0x00007FF7BDB04000-memory.dmp
memory/2620-103-0x00007FF78F400000-0x00007FF78F754000-memory.dmp
memory/384-99-0x00007FF661E20000-0x00007FF662174000-memory.dmp
C:\Windows\System\OdopPpV.exe
| MD5 | a5c0d7149d51d53ddca0539fdba89e7b |
| SHA1 | f06fb8fe8ad710e0b396a74bc8ae511c88c1c58f |
| SHA256 | 0db3cd1e032f6551f9a0df67ca1146f0c6963faa659292c57c94db273b6d3bfd |
| SHA512 | 48168508b9631856b8442ca6143cbe2ce55809f5b9517c23b929a7bf32d47131b38299e8ce1d5ef476df268cd620cdca3beb56d77fde6e5c0b2a49a7da178cee |
memory/2356-94-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp
memory/4272-93-0x00007FF737B90000-0x00007FF737EE4000-memory.dmp
memory/4152-89-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp
memory/1940-86-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp
memory/2828-81-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp
memory/3532-80-0x00007FF6A9C40000-0x00007FF6A9F94000-memory.dmp
C:\Windows\System\iVeUbsU.exe
| MD5 | 45be6ac93bc2de6bd51a7daa43caf4ee |
| SHA1 | 9487699896b9e67d5fc7c491ea83528af41c0cc7 |
| SHA256 | ac5fe50247359e163ca290c51f6dbd25d534554dd0a30ed8d5ad83fe2fffc0c9 |
| SHA512 | 515d22edf3ac7e0f8914fefcd1b69432032c7601a4862ded07a6875a7086052418560c46fa54e48def30e3a47a1d645d38447a1d615face13b471b712f1e3251 |
C:\Windows\System\RGxdzaD.exe
| MD5 | 9f7a613b017cde67913864f97f7a58d1 |
| SHA1 | fc4f68d67ead4dfc2230e3ecb722ca1cb2c50796 |
| SHA256 | 2061606e47900234770be7ec507557fb476048bef0df1734d8bf6726adcb7c8b |
| SHA512 | e646dbe929ef2083ee4d22c926d6cea6a1362a072ea2acb9d676e2b5090398f908abeda7a8b737c221c4835ccdaa57ccc7c5d9a8e454da8a4b7c24a71eb6e3e9 |
C:\Windows\System\vOzKpGE.exe
| MD5 | 8c84479efe22dab6b2b9f1e31bc28f8e |
| SHA1 | 4b56bcfc8ad606b10b1cbbb82289d22159d2dac5 |
| SHA256 | 5f2e2a6427913f754b684dfb90b933cae8c3d884cf58f4e8734e9fb9b0b61501 |
| SHA512 | 3d178025f534366c7ecc5fb04c591db927adf792b79c398a35d47b172231468e17ff666a93546b090011e598bd42d72baaf92524f01836d70d9eb2765eb3ac41 |
memory/4600-124-0x00007FF747E50000-0x00007FF7481A4000-memory.dmp
memory/3424-128-0x00007FF791830000-0x00007FF791B84000-memory.dmp
memory/3244-117-0x00007FF775210000-0x00007FF775564000-memory.dmp
C:\Windows\System\VhzKRqY.exe
| MD5 | 458802432ddb0c5cfd243cb3f8e12aa1 |
| SHA1 | 3b1b54a95bd6066132fae75fd5ea1e37af307fd2 |
| SHA256 | 3bbf794b431e56ff778439c0c04f8093e1404c7a2bade3bc61a5eff85dac3e59 |
| SHA512 | 8582eb6c24a8b34bf68627ec610b348594fa9b5867f988047b035cc167d10f09bd516fbe5b5d46983dfbb169938940822cf98116e7a1141b8992e62dc19565bb |
memory/3320-134-0x00007FF7F4090000-0x00007FF7F43E4000-memory.dmp
memory/2240-135-0x00007FF6AD390000-0x00007FF6AD6E4000-memory.dmp
memory/5032-136-0x00007FF7B70A0000-0x00007FF7B73F4000-memory.dmp
memory/4272-137-0x00007FF737B90000-0x00007FF737EE4000-memory.dmp
memory/384-138-0x00007FF661E20000-0x00007FF662174000-memory.dmp
memory/1412-139-0x00007FF7BD7B0000-0x00007FF7BDB04000-memory.dmp
memory/1500-140-0x00007FF69DAB0000-0x00007FF69DE04000-memory.dmp
memory/3424-141-0x00007FF791830000-0x00007FF791B84000-memory.dmp
memory/2828-142-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp
memory/1940-143-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp
memory/4152-144-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp
memory/2620-145-0x00007FF78F400000-0x00007FF78F754000-memory.dmp
memory/3456-146-0x00007FF683980000-0x00007FF683CD4000-memory.dmp
memory/2356-147-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp
memory/4508-148-0x00007FF7DAFF0000-0x00007FF7DB344000-memory.dmp
memory/520-149-0x00007FF7EC5C0000-0x00007FF7EC914000-memory.dmp
memory/4428-150-0x00007FF744EE0000-0x00007FF745234000-memory.dmp
memory/3232-151-0x00007FF625760000-0x00007FF625AB4000-memory.dmp
memory/3320-152-0x00007FF7F4090000-0x00007FF7F43E4000-memory.dmp
memory/5032-153-0x00007FF7B70A0000-0x00007FF7B73F4000-memory.dmp
memory/5108-154-0x00007FF691DB0000-0x00007FF692104000-memory.dmp
memory/4272-155-0x00007FF737B90000-0x00007FF737EE4000-memory.dmp
memory/384-156-0x00007FF661E20000-0x00007FF662174000-memory.dmp
memory/1412-157-0x00007FF7BD7B0000-0x00007FF7BDB04000-memory.dmp
memory/1500-158-0x00007FF69DAB0000-0x00007FF69DE04000-memory.dmp
memory/3244-159-0x00007FF775210000-0x00007FF775564000-memory.dmp
memory/4600-160-0x00007FF747E50000-0x00007FF7481A4000-memory.dmp
memory/3424-161-0x00007FF791830000-0x00007FF791B84000-memory.dmp
memory/2240-162-0x00007FF6AD390000-0x00007FF6AD6E4000-memory.dmp