Analysis Overview
SHA256
eb9b61923469bcee5a18282bb4296973d5ace255a66b32ac5950e792b75b10ba
Threat Level: Known bad
The file 2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike
xmrig
Cobalt Strike reflective loader
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike family
Detects Reflective DLL injection artifacts
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-30 05:53
Signatures
Cobalt Strike reflective loader
1 hit (no description, indicator, process or target recorded)
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit (no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
1 hit (no description, indicator, process or target recorded)
XMRig Miner payload
1 hit (no description, indicator, process or target recorded)
Xmrig family
UPX packed file
1 hit (no description, indicator, process or target recorded)
Unsigned PE
1 hit (no description, indicator, process or target recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-30 05:53
Reported
2024-06-30 05:55
Platform
win7-20240220-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits (no description, indicator, process or target recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits (no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
64 hits (no description, indicator, process or target recorded)
XMRig Miner payload
64 hits (no description, indicator, process or target recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\mpwRZMs.exe | N/A |
| N/A | N/A | C:\Windows\System\UkzsSbU.exe | N/A |
| N/A | N/A | C:\Windows\System\GCoolKQ.exe | N/A |
| N/A | N/A | C:\Windows\System\BEWXYsd.exe | N/A |
| N/A | N/A | C:\Windows\System\QuQaDss.exe | N/A |
| N/A | N/A | C:\Windows\System\oPhgscW.exe | N/A |
| N/A | N/A | C:\Windows\System\mLNWrXB.exe | N/A |
| N/A | N/A | C:\Windows\System\MwkRyIJ.exe | N/A |
| N/A | N/A | C:\Windows\System\eIehZtt.exe | N/A |
| N/A | N/A | C:\Windows\System\GiHeXrB.exe | N/A |
| N/A | N/A | C:\Windows\System\urwiPtt.exe | N/A |
| N/A | N/A | C:\Windows\System\RVjcfdM.exe | N/A |
| N/A | N/A | C:\Windows\System\iDEeojR.exe | N/A |
| N/A | N/A | C:\Windows\System\fOngIcp.exe | N/A |
| N/A | N/A | C:\Windows\System\WWQKZbM.exe | N/A |
| N/A | N/A | C:\Windows\System\RnfWDGS.exe | N/A |
| N/A | N/A | C:\Windows\System\RVqAzdF.exe | N/A |
| N/A | N/A | C:\Windows\System\OoyOoRt.exe | N/A |
| N/A | N/A | C:\Windows\System\HmkYGNu.exe | N/A |
| N/A | N/A | C:\Windows\System\sWBBNKb.exe | N/A |
| N/A | N/A | C:\Windows\System\AIkgNHV.exe | N/A |
Loads dropped DLL
UPX packed file
64 hits (no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\mpwRZMs.exe
C:\Windows\System\mpwRZMs.exe
C:\Windows\System\UkzsSbU.exe
C:\Windows\System\UkzsSbU.exe
C:\Windows\System\GCoolKQ.exe
C:\Windows\System\GCoolKQ.exe
C:\Windows\System\BEWXYsd.exe
C:\Windows\System\BEWXYsd.exe
C:\Windows\System\QuQaDss.exe
C:\Windows\System\QuQaDss.exe
C:\Windows\System\oPhgscW.exe
C:\Windows\System\oPhgscW.exe
C:\Windows\System\mLNWrXB.exe
C:\Windows\System\mLNWrXB.exe
C:\Windows\System\MwkRyIJ.exe
C:\Windows\System\MwkRyIJ.exe
C:\Windows\System\eIehZtt.exe
C:\Windows\System\eIehZtt.exe
C:\Windows\System\GiHeXrB.exe
C:\Windows\System\GiHeXrB.exe
C:\Windows\System\urwiPtt.exe
C:\Windows\System\urwiPtt.exe
C:\Windows\System\RVjcfdM.exe
C:\Windows\System\RVjcfdM.exe
C:\Windows\System\iDEeojR.exe
C:\Windows\System\iDEeojR.exe
C:\Windows\System\fOngIcp.exe
C:\Windows\System\fOngIcp.exe
C:\Windows\System\WWQKZbM.exe
C:\Windows\System\WWQKZbM.exe
C:\Windows\System\RnfWDGS.exe
C:\Windows\System\RnfWDGS.exe
C:\Windows\System\RVqAzdF.exe
C:\Windows\System\RVqAzdF.exe
C:\Windows\System\OoyOoRt.exe
C:\Windows\System\OoyOoRt.exe
C:\Windows\System\HmkYGNu.exe
C:\Windows\System\HmkYGNu.exe
C:\Windows\System\sWBBNKb.exe
C:\Windows\System\sWBBNKb.exe
C:\Windows\System\AIkgNHV.exe
C:\Windows\System\AIkgNHV.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1892-0-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/1892-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\mpwRZMs.exe
| MD5 | 4fc361aa8ffd3685699ee4b1ec6e82cd |
| SHA1 | 87240ad7d8c54bb65d023caa15d138ee79634dcc |
| SHA256 | 3a2d39fe8247e2ca36cbddf26beee9765ef67e8066d0e5279d1e7529683f837a |
| SHA512 | 5644ead83d9faa4f36e7ad555ce419d6ff08d08cee4b32e538964e843cf7af8f174661b00be8986a16436dfc45d3c8a6726fa401cc89045491b444409bd7a9d2 |
memory/1892-6-0x0000000002460000-0x00000000027B4000-memory.dmp
\Windows\system\UkzsSbU.exe
| MD5 | b2e12922c3fa24a472c2612e2fd7c57d |
| SHA1 | 20a3e85068b1537daeb475531a93bd3d23c1f5d5 |
| SHA256 | 6cfcdf393aa441f93cfeef91cabcfe745712fce72ecf52a50bc1de9f61b4d230 |
| SHA512 | 48af392ffbe2de41508c41f7e7a2a58d402ff99aa193a723354f4bdea99a1c96f42eef1fa448ac09a92f9fbc3b3e5974ef1de9ef9a84b6a6732d0478ca193f55 |
C:\Windows\system\GCoolKQ.exe
| MD5 | d8fb333cd9cfc3504bcbfe3c37e49d5a |
| SHA1 | 16c42ab51f859dfbd3908893475596360a807832 |
| SHA256 | fb6dbc05fd0abe6c320ca66dcce388408f696b9c0887150d83d06f3d0f197869 |
| SHA512 | 8c884a35404886339c392fbe3748c8ea6bf58fc76e3ae8b035e2e3ecf29f72c9973f7e7716b210bd42e88813863364eaca7babb32cf28674d62c06d3bcaeb982 |
memory/2496-18-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/1892-20-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/1892-17-0x0000000002460000-0x00000000027B4000-memory.dmp
memory/2528-22-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2688-14-0x000000013F6F0000-0x000000013FA44000-memory.dmp
\Windows\system\BEWXYsd.exe
| MD5 | 8b734510f3c58fdcba1ba3589d927304 |
| SHA1 | e0f5951d09d338055a0909a7e33fef030031b97f |
| SHA256 | 7f94ffcacea9c68e7fd79a774617bb122c6e27399a6e8faaeb271adc0de55167 |
| SHA512 | f6a0f9709b594312a927a501483ac717ba07735167dba7a7c603d8fadd442618b804e8c7426c65634fa564a02ad84174051b541fec3afd62ca1fb5d62b9eb5bf |
memory/1892-27-0x0000000002460000-0x00000000027B4000-memory.dmp
memory/2584-30-0x000000013F370000-0x000000013F6C4000-memory.dmp
C:\Windows\system\oPhgscW.exe
| MD5 | ffca5baeb63f9850c7ba81f124ed6bfe |
| SHA1 | c565a269938b16880e238debb8ffdf6794e1190b |
| SHA256 | da6b0e67d94a5d1a9be9814e0419f7a4626f23c540539f6a468dc52d51955f1e |
| SHA512 | dd0eaa481bf907fb7593cfbfffaf2ae1d7167ac6b06fcbc199f6313ec37bfffbd4ce3453978e6f6f0f643aabc207bdde63b93488f2e90318717f44cf1a8998c8 |
memory/1892-41-0x0000000002460000-0x00000000027B4000-memory.dmp
memory/2304-43-0x000000013F310000-0x000000013F664000-memory.dmp
\Windows\system\mLNWrXB.exe
| MD5 | 5ab2f956342af23a30264f5120d6b0f1 |
| SHA1 | 2f9a74729b0b69250ebfcd35364792e75f3cc6b2 |
| SHA256 | 8a39f3c768999a00142136681e769d8c83d663c08d6df96ff678fc1f38905f56 |
| SHA512 | df8b7e944b95f102d390b3a81413aa59ad91c02a54b28ea9442b7a111220406b0e9d235cd45d3018c96e72091efa0aa3e7cd256321e071c27b03955e584aa4b2 |
memory/2448-50-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2416-57-0x000000013F2E0000-0x000000013F634000-memory.dmp
C:\Windows\system\GiHeXrB.exe
| MD5 | 0ee3d7794e3e26ff326f0757967709cb |
| SHA1 | 40a8b2484d15b419f57b4b267c4633e95bd73d9d |
| SHA256 | b55270a21c0947d24ff2e6552772b0c4702fa805b06cac225e7913afb51adabd |
| SHA512 | 72326fbeaad3d9b20f7632b3b801fc92f2172347440959b6e09d6d5c05faebd2b08a4534cdc514516bbcf4bc7701d16de595cb694a72a5652afdd501a4e15d9a |
memory/2856-64-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2864-71-0x000000013FD00000-0x0000000140054000-memory.dmp
C:\Windows\system\urwiPtt.exe
| MD5 | daba168571df35a33b7a4563e3df4249 |
| SHA1 | 32c77aac422afd5551ad02c86e49bd9cad018068 |
| SHA256 | 4e005c434aef0bc5848b515110b7dc646c69d5d58bfda24751bbc1ec7b47b678 |
| SHA512 | d5b9b9cb477e2b1cb81f128c37073ee18598c7dee03f68b71992a0b78116ab65e37381f803f2d74f6e9994e873dfe3a37be8243a8fe361c05dcc60b5077d37b4 |
memory/2528-85-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2640-86-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/1892-102-0x000000013FBB0000-0x000000013FF04000-memory.dmp
C:\Windows\system\HmkYGNu.exe
| MD5 | dbf9adc8ed242f1dcea5c4d61fabbff3 |
| SHA1 | 47350a33ed2dfb4b0779c579153c0b10cec1165e |
| SHA256 | 72c0536f66e7bd859409d5ff773c09020a46f91de344165645a1970446c42853 |
| SHA512 | 57dac34a63453558f52d4fd8d4ebf82b7fe92b69d35a46c7bb3af46580483b2d8675a5df4438c93dfaad30dabe5f88197ef4442cf6bc9d24e628bb995f291f59 |
\Windows\system\AIkgNHV.exe
| MD5 | d0d0c2a44857bbf8d6d1808951146480 |
| SHA1 | e112a82f4e27e2e7a80881e0ae8e75f0fab22cf3 |
| SHA256 | b6e7b85fb921fb04dd58871f4079680a02ceb7e7b2607d9ce99036b011458435 |
| SHA512 | c5a1497428fc0c528bda13a9053a6955cde247c53cd6f7396399efa84cae4640d9b9d0d13502b230b4e45d794d7bdf470a1d623c04be37fffbaa4b7bce263011 |
C:\Windows\system\sWBBNKb.exe
| MD5 | f1dd038708574da93481aa4c79d1b8f8 |
| SHA1 | 59c53b9b5abf79c7b55fccfa557f19e8ba84aa89 |
| SHA256 | 0f27ed1a2edab13c474b1ffb6f1f25c1407365ca6e63a14df2c167f9abd4305a |
| SHA512 | 49e1c5194d214dba68979f4b024374fa3b7e2b3a88c14163dcd417cd1c63deb85b43805d21dd39202774375e65e80639a44e4dd62977416247ea6b5e4b513a47 |
C:\Windows\system\RVqAzdF.exe
| MD5 | 37877a78701dfd88f102ae855e1389c6 |
| SHA1 | 6cd99893e5fa7603c7fe84764197583873cfe8d1 |
| SHA256 | e5c85921b1cd91eaefaa61fd75d3da225fef65b22bacc7ea6e93576ff9e32492 |
| SHA512 | 6796ca3ca868e0acaa95e732027c19bd014bc4f359023304209210206db171bfb7d97db4d9da96eee832084351fc0637cd014a410039be7e94f02bca0fcde9c5 |
C:\Windows\system\OoyOoRt.exe
| MD5 | 87064d32aca9d90ed5fedcf5af111323 |
| SHA1 | fe8a8ae67116623ae1d76d325bf8768a1f8972e3 |
| SHA256 | f39e4b6e0cf9dda0d51de0d963a629c5f6f45842d4c5bdd0a1e9a486b757de6c |
| SHA512 | a72e0efd1158edbc79506ae142a3c1fb97b97fc6add1acb4cd2f0c26d66343dd5b894bf6f083466faf1effa1610c38f255914b5b8519297cbef17fb0241c0d4d |
memory/1892-111-0x0000000002460000-0x00000000027B4000-memory.dmp
memory/2448-110-0x000000013FC20000-0x000000013FF74000-memory.dmp
C:\Windows\system\WWQKZbM.exe
| MD5 | 20c18f48e3e6bd035c0b39cb652aa573 |
| SHA1 | be8719c8a32279471acc54aaf39ea3f467749295 |
| SHA256 | 3ff0a4f3ecc9fbc307967efa6d2d976c29db5a74dc3cf8ecc85bfca58cbf64ea |
| SHA512 | 7d79c13a0b89ddbd4c3b9c879a55d488aa0d4c459834108819a6c1066cfa0439388ff49461a3f2e67b1d6e9a894a0fccc396c6e30a8f19f437d21131b99ff3c8 |
C:\Windows\system\RnfWDGS.exe
| MD5 | ac016a56da1d3c84f1ba915f83eda7ad |
| SHA1 | 394716bfac93c65deeb7f3fe27e97c780873cde3 |
| SHA256 | 26cd96776f728ca0fb8848899b9faf47fad7fc483735e8ee0009c882897a538c |
| SHA512 | aa55873ad216ff76afd3934dae02d83898a652315212ec222804a5350179e2ef8051646209ad0757b482f873b462e274ef4e582f95c01478a43826ae09eef23e |
memory/2844-103-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/2304-101-0x000000013F310000-0x000000013F664000-memory.dmp
C:\Windows\system\fOngIcp.exe
| MD5 | 2e7b007c55c9f0200350231925815a58 |
| SHA1 | 6eaa0b720c9bcb23d7c60df58d9a5dc4be4c5673 |
| SHA256 | 0ec5e9be123e9c4b94e6efeeda1468b4368b802674bafcc74731a7b6c8f0c46a |
| SHA512 | 135561b9a66d58caeffb337d2b1fc046039339ef84c2ead7b2c62a09110c29e78e8b903473c7e1b75fd5b81b7316d793555bd3df934bf69399b09eefbe0d394f |
memory/2820-95-0x000000013F980000-0x000000013FCD4000-memory.dmp
C:\Windows\system\iDEeojR.exe
| MD5 | 1fb6b2df3a71873e11ebf8faaec8b2f2 |
| SHA1 | 73426c2099627f606904c9709d1a7143f626f6c2 |
| SHA256 | 61d21930eae744dd810cd6260155391bf8bfddc484342e4f75c4503184c91f41 |
| SHA512 | 2bec0a4351e9f9b8d6e5507af7f0e5ebe3830ee5e6c1eaddb9fea5544d3f09b9da24ddbe9fac2d4d01a9d6aad7cc48a151bc26a7c4ded0d16a40a5763840fa64 |
memory/1892-92-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2584-91-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2044-79-0x000000013F630000-0x000000013F984000-memory.dmp
memory/1892-78-0x0000000002460000-0x00000000027B4000-memory.dmp
memory/2496-77-0x000000013F190000-0x000000013F4E4000-memory.dmp
C:\Windows\system\RVjcfdM.exe
| MD5 | 0b1c25445faa4e3b67aa59426ed32af3 |
| SHA1 | 12329ed97ad95397468a3e4f2a856d300beb3ed8 |
| SHA256 | ebdeae83f2bb3f6fa5f7cd9bf270da030bb411bf9551750b20d061ea99f332b4 |
| SHA512 | 98310f05efb9e569ba67298ef9bb2f2e27d78a91e473c1ebd05a05a7ae78f908e61de19cf49b99e20e724a3c7deeef546280bce3a23411dec1c1fe19829a099b |
memory/1892-82-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/1892-63-0x000000013F460000-0x000000013F7B4000-memory.dmp
C:\Windows\system\eIehZtt.exe
| MD5 | e4c88cd9544e9b194272843083d9a94c |
| SHA1 | 44c5c05eee6997672a46bd90b4dc31823548f6a5 |
| SHA256 | 017b0b825cdb4171f881aedf1e2d949595cf971e2dbb09861a6ee3ad22fe9011 |
| SHA512 | c059f7f5945b2288c1249c7ef976198b96868b812dce59e0072fa1589aade1376b8ebb17ce4b0b7ab84df0825f81b0f4422d9dbf83cf559c15d1b3bbbbc30c5c |
memory/2688-70-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2856-141-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/1892-56-0x0000000002460000-0x00000000027B4000-memory.dmp
memory/1892-49-0x000000013FC20000-0x000000013FF74000-memory.dmp
C:\Windows\system\MwkRyIJ.exe
| MD5 | e7d41265dc6d65a8713301ea99b88b75 |
| SHA1 | 2bd77852ec265980ec3bdd565a38698415b2071f |
| SHA256 | cf417f49ff41bc7cbdfdb5c7bc64f23641e32343195bdc5923215df8a49278b5 |
| SHA512 | 48cf3c7a35743800d1a85480dcfe642e0cb2c46a5bc1ca85b68479be9c829d982ca534678eb431c75d4ca3db1e33062ad193385345556caca8d740a636f26bc7 |
memory/2504-37-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/1892-36-0x0000000002460000-0x00000000027B4000-memory.dmp
C:\Windows\system\QuQaDss.exe
| MD5 | 724a6ad0ffa10fa594d97db56340994e |
| SHA1 | 47fcef88f7398c941f86166708edb52e408ac48e |
| SHA256 | 86fd7dfd4073a033165cf8c5fe19a059dbbfad5d877b18c6738d4a1266c2492c |
| SHA512 | 235631c9060cd364cf88d3ecdb0571a0182c6fae2b3921060f80e87d342d4359fc7d25e922235264c75666aa9ad81dbb6f2cadab7acb2d254f2f5806bc36f47c |
memory/2864-142-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/1892-143-0x0000000002460000-0x00000000027B4000-memory.dmp
memory/2044-144-0x000000013F630000-0x000000013F984000-memory.dmp
memory/1892-145-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2640-146-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/1892-147-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2820-148-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/1892-149-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/2844-150-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/2688-151-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2496-152-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/2584-153-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2528-154-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2504-155-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2304-156-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2416-157-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2448-158-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2856-159-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2864-160-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/2044-161-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2640-162-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2820-163-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2844-164-0x000000013FBB0000-0x000000013FF04000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-30 05:53
Reported
2024-06-30 05:55
Platform
win10v2004-20240611-en
Max time kernel
143s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits (no description, indicator, process or target recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits (no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
64 hits (no description, indicator, process or target recorded)
XMRig Miner payload
64 hits (no description, indicator, process or target recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wmMHdoN.exe | N/A |
| N/A | N/A | C:\Windows\System\WtgAZVn.exe | N/A |
| N/A | N/A | C:\Windows\System\zeaddxZ.exe | N/A |
| N/A | N/A | C:\Windows\System\rEPLjft.exe | N/A |
| N/A | N/A | C:\Windows\System\UfHLPhk.exe | N/A |
| N/A | N/A | C:\Windows\System\DzVvqZH.exe | N/A |
| N/A | N/A | C:\Windows\System\ICwSUkV.exe | N/A |
| N/A | N/A | C:\Windows\System\QhzFxWl.exe | N/A |
| N/A | N/A | C:\Windows\System\cFNbSDr.exe | N/A |
| N/A | N/A | C:\Windows\System\xSGMyEj.exe | N/A |
| N/A | N/A | C:\Windows\System\JiwwkWe.exe | N/A |
| N/A | N/A | C:\Windows\System\RoXsecU.exe | N/A |
| N/A | N/A | C:\Windows\System\ucINEzi.exe | N/A |
| N/A | N/A | C:\Windows\System\DmEUiSw.exe | N/A |
| N/A | N/A | C:\Windows\System\KHWvbTH.exe | N/A |
| N/A | N/A | C:\Windows\System\AOoqhIS.exe | N/A |
| N/A | N/A | C:\Windows\System\PgYJVpv.exe | N/A |
| N/A | N/A | C:\Windows\System\GdfWVgS.exe | N/A |
| N/A | N/A | C:\Windows\System\XTcKlZB.exe | N/A |
| N/A | N/A | C:\Windows\System\ljymuIh.exe | N/A |
| N/A | N/A | C:\Windows\System\ipHpcgc.exe | N/A |
UPX packed file
64 hits (no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe"
Network
Files