Analysis Overview
SHA256
6a7bd644a8817e5c2e39d33f553f9177160a8ed0ba4bdd162448710bf9d133b7
Threat Level: Known bad
The file 2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
XMRig Miner payload
Xmrig family
Cobaltstrike family
UPX dump on OEP (original entry point)
Cobaltstrike
xmrig
Cobalt Strike reflective loader
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-30 05:55
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-30 05:55
Reported
2024-06-30 05:58
Platform
win7-20240508-en
Max time kernel
140s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vglFdjZ.exe | N/A |
| N/A | N/A | C:\Windows\System\IlurEjo.exe | N/A |
| N/A | N/A | C:\Windows\System\hlRWMNy.exe | N/A |
| N/A | N/A | C:\Windows\System\NSApSca.exe | N/A |
| N/A | N/A | C:\Windows\System\MUEuIAW.exe | N/A |
| N/A | N/A | C:\Windows\System\nqQtJtN.exe | N/A |
| N/A | N/A | C:\Windows\System\bMlFVEw.exe | N/A |
| N/A | N/A | C:\Windows\System\lLmKSYV.exe | N/A |
| N/A | N/A | C:\Windows\System\kpthtVA.exe | N/A |
| N/A | N/A | C:\Windows\System\DocSFKL.exe | N/A |
| N/A | N/A | C:\Windows\System\ZCFPysE.exe | N/A |
| N/A | N/A | C:\Windows\System\QSCXTRX.exe | N/A |
| N/A | N/A | C:\Windows\System\NGdXaGq.exe | N/A |
| N/A | N/A | C:\Windows\System\dIljkPr.exe | N/A |
| N/A | N/A | C:\Windows\System\yTmunOh.exe | N/A |
| N/A | N/A | C:\Windows\System\aGLtBFM.exe | N/A |
| N/A | N/A | C:\Windows\System\exQYvJm.exe | N/A |
| N/A | N/A | C:\Windows\System\DFcvBMg.exe | N/A |
| N/A | N/A | C:\Windows\System\xbqHnph.exe | N/A |
| N/A | N/A | C:\Windows\System\vRgJfkE.exe | N/A |
| N/A | N/A | C:\Windows\System\ERCjhRg.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\vglFdjZ.exe | C:\Windows\System\vglFdjZ.exe |
| C:\Windows\System\IlurEjo.exe | C:\Windows\System\IlurEjo.exe |
| C:\Windows\System\hlRWMNy.exe | C:\Windows\System\hlRWMNy.exe |
| C:\Windows\System\NSApSca.exe | C:\Windows\System\NSApSca.exe |
| C:\Windows\System\MUEuIAW.exe | C:\Windows\System\MUEuIAW.exe |
| C:\Windows\System\nqQtJtN.exe | C:\Windows\System\nqQtJtN.exe |
| C:\Windows\System\bMlFVEw.exe | C:\Windows\System\bMlFVEw.exe |
| C:\Windows\System\lLmKSYV.exe | C:\Windows\System\lLmKSYV.exe |
| C:\Windows\System\kpthtVA.exe | C:\Windows\System\kpthtVA.exe |
| C:\Windows\System\DocSFKL.exe | C:\Windows\System\DocSFKL.exe |
| C:\Windows\System\ZCFPysE.exe | C:\Windows\System\ZCFPysE.exe |
| C:\Windows\System\QSCXTRX.exe | C:\Windows\System\QSCXTRX.exe |
| C:\Windows\System\NGdXaGq.exe | C:\Windows\System\NGdXaGq.exe |
| C:\Windows\System\dIljkPr.exe | C:\Windows\System\dIljkPr.exe |
| C:\Windows\System\yTmunOh.exe | C:\Windows\System\yTmunOh.exe |
| C:\Windows\System\aGLtBFM.exe | C:\Windows\System\aGLtBFM.exe |
| C:\Windows\System\exQYvJm.exe | C:\Windows\System\exQYvJm.exe |
| C:\Windows\System\DFcvBMg.exe | C:\Windows\System\DFcvBMg.exe |
| C:\Windows\System\xbqHnph.exe | C:\Windows\System\xbqHnph.exe |
| C:\Windows\System\vRgJfkE.exe | C:\Windows\System\vRgJfkE.exe |
| C:\Windows\System\ERCjhRg.exe | C:\Windows\System\ERCjhRg.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-30 05:55
Reported
2024-06-30 05:58
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
148s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vglFdjZ.exe | N/A |
| N/A | N/A | C:\Windows\System\IlurEjo.exe | N/A |
| N/A | N/A | C:\Windows\System\hlRWMNy.exe | N/A |
| N/A | N/A | C:\Windows\System\NSApSca.exe | N/A |
| N/A | N/A | C:\Windows\System\MUEuIAW.exe | N/A |
| N/A | N/A | C:\Windows\System\nqQtJtN.exe | N/A |
| N/A | N/A | C:\Windows\System\bMlFVEw.exe | N/A |
| N/A | N/A | C:\Windows\System\lLmKSYV.exe | N/A |
| N/A | N/A | C:\Windows\System\kpthtVA.exe | N/A |
| N/A | N/A | C:\Windows\System\DocSFKL.exe | N/A |
| N/A | N/A | C:\Windows\System\ZCFPysE.exe | N/A |
| N/A | N/A | C:\Windows\System\QSCXTRX.exe | N/A |
| N/A | N/A | C:\Windows\System\NGdXaGq.exe | N/A |
| N/A | N/A | C:\Windows\System\dIljkPr.exe | N/A |
| N/A | N/A | C:\Windows\System\yTmunOh.exe | N/A |
| N/A | N/A | C:\Windows\System\aGLtBFM.exe | N/A |
| N/A | N/A | C:\Windows\System\exQYvJm.exe | N/A |
| N/A | N/A | C:\Windows\System\DFcvBMg.exe | N/A |
| N/A | N/A | C:\Windows\System\xbqHnph.exe | N/A |
| N/A | N/A | C:\Windows\System\vRgJfkE.exe | N/A |
| N/A | N/A | C:\Windows\System\ERCjhRg.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\vglFdjZ.exe | C:\Windows\System\vglFdjZ.exe |
| C:\Windows\System\IlurEjo.exe | C:\Windows\System\IlurEjo.exe |
| C:\Windows\System\hlRWMNy.exe | C:\Windows\System\hlRWMNy.exe |
| C:\Windows\System\NSApSca.exe | C:\Windows\System\NSApSca.exe |
| C:\Windows\System\MUEuIAW.exe | C:\Windows\System\MUEuIAW.exe |
| C:\Windows\System\nqQtJtN.exe | C:\Windows\System\nqQtJtN.exe |
| C:\Windows\System\bMlFVEw.exe | C:\Windows\System\bMlFVEw.exe |
| C:\Windows\System\lLmKSYV.exe | C:\Windows\System\lLmKSYV.exe |
| C:\Windows\System\kpthtVA.exe | C:\Windows\System\kpthtVA.exe |
| C:\Windows\System\DocSFKL.exe | C:\Windows\System\DocSFKL.exe |
| C:\Windows\System\ZCFPysE.exe | C:\Windows\System\ZCFPysE.exe |
| C:\Windows\System\QSCXTRX.exe | C:\Windows\System\QSCXTRX.exe |
| C:\Windows\System\NGdXaGq.exe | C:\Windows\System\NGdXaGq.exe |
| C:\Windows\System\dIljkPr.exe | C:\Windows\System\dIljkPr.exe |
| C:\Windows\System\yTmunOh.exe | C:\Windows\System\yTmunOh.exe |
| C:\Windows\System\aGLtBFM.exe | C:\Windows\System\aGLtBFM.exe |
| C:\Windows\System\exQYvJm.exe | C:\Windows\System\exQYvJm.exe |
| C:\Windows\System\DFcvBMg.exe | C:\Windows\System\DFcvBMg.exe |
| C:\Windows\System\xbqHnph.exe | C:\Windows\System\xbqHnph.exe |
| C:\Windows\System\vRgJfkE.exe | C:\Windows\System\vRgJfkE.exe |
| C:\Windows\System\ERCjhRg.exe | C:\Windows\System\ERCjhRg.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3192-0-0x00007FF74A200000-0x00007FF74A554000-memory.dmp
memory/3192-1-0x000001906B2D0000-0x000001906B2E0000-memory.dmp
C:\Windows\System\vglFdjZ.exe
| MD5 | cd37a6f74dc1536b82c5e523eccdcccf |
| SHA1 | 9c47da06a13662585825ee441fbca39b18a4bd7c |
| SHA256 | 3839df782a9003cf8007b716ce43d38a6f3ff48e7d47f158a6e5e167dab16ce9 |
| SHA512 | c916ef7ef0e858f4dfc0822364a63914acbc00756b67cc1e2db491b0e9b8bd11191f0857e79af4369e04ede9da5e063cc8d762b5b3bc32623639b81ba5e0281f |
memory/2624-7-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp
C:\Windows\System\IlurEjo.exe
| MD5 | 7d86801ee399be68b2cb0cd55fadf6c0 |
| SHA1 | fa9cb2bab9070c637dad70b774915b0479dccab0 |
| SHA256 | 6a33115996e77447c867a5cb6c24473b5ef0618e195e16ea0ce6be7d957dcc93 |
| SHA512 | 5588d75a84b08b2595e961c8184197e46ff589bdd1156cbf1e73527166bdbf29fafc45cd4b9ae4d56783677737008697580a8ebae01e2c7a463d025b75696840 |
C:\Windows\System\hlRWMNy.exe
| MD5 | 0ae2f17ced1f4a50b627e6b9b6e57962 |
| SHA1 | b84e9984ebc4b64589fa4ac12023ff52e5ec4a8b |
| SHA256 | fbf4022d254401d8b90a358099e6be53db83de5573604e01b0b7cd9eafa07a57 |
| SHA512 | 11d925541c80226e5133a8e3bc2f2452af320b6f6d276897f7d6f32442de3b2df78149792b423bcad1d6760e4ef343edfd3fcebc5b4fe3bee9885ca031e59c3e |
memory/1100-14-0x00007FF664A70000-0x00007FF664DC4000-memory.dmp
memory/2064-20-0x00007FF72E390000-0x00007FF72E6E4000-memory.dmp
C:\Windows\System\NSApSca.exe
| MD5 | fd63ab95680836a9be621002f5d59bf5 |
| SHA1 | 2f7ccab6e95ca614ff7ef5279fff2dcb0c7eeaa7 |
| SHA256 | 6bfefd38ba68c740e3eaa8f9b4d095d4442bcb30112b33e0b5e512ee73f62d43 |
| SHA512 | a1e21ff3876cbf54fd8399eed8dcfd67f7f0e85ea64a8616f8712e2af44e5d1b93ba92adafcde3d48c53406d8afa81276fae378894a0cd48fb4b02a728f9fdec |
memory/740-24-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp
C:\Windows\System\MUEuIAW.exe
| MD5 | 681a63f7e61af6a487b06f2a9a736c0a |
| SHA1 | 89fd416aed6fe28b6bc93861609a89cc494746a0 |
| SHA256 | da77e550c824f92986488e0c5e373705deb5d603dab05e6a969336c8efef807d |
| SHA512 | cdd23bcf3123d5de657a1e8034e951ce93b3787fc7ba024b2c9ea6cc4a3b8aa0453e2ab5cab78697ce9bec0a0d7e74c0fb028824f9bf88b532b74259c6cdeab7 |
memory/4132-32-0x00007FF751460000-0x00007FF7517B4000-memory.dmp
C:\Windows\System\nqQtJtN.exe
| MD5 | 3bd0cceccc7a97f1724ae72bee148617 |
| SHA1 | 396bef6b21996e421ade9d2d58091c441ec7feee |
| SHA256 | 4f65440da796831a75240e3610bac4df1e242acd674f150c1dc92c53b788270d |
| SHA512 | e643d851cd1521a27b959e073a5c71a83690e811d755b0c1785fc2ef0490ae2ad047c9052fb143ead0b5f1c1e300f4936409c96870511b3eac30dc8cf9f582a5 |
memory/1120-38-0x00007FF6F1430000-0x00007FF6F1784000-memory.dmp
C:\Windows\System\bMlFVEw.exe
| MD5 | 4b83783e4ace8b9ade23580208fe3411 |
| SHA1 | 2018a9ca4e76f25b670ed873af9055adc7a0a3d6 |
| SHA256 | a36da6db86fff88c32c5cf1e5ef7b38a8a1d06f871dc3b8cd7a83e22477aae2a |
| SHA512 | d0f2d3a172aae16cc0a2276b484c782054cae10c64efa64088f9d722474c753d4cdbbaa843302b86c9868b9d0c49703c8d4c6eb288a7e2065eae269d8a9e9063 |
memory/1296-44-0x00007FF735570000-0x00007FF7358C4000-memory.dmp
C:\Windows\System\lLmKSYV.exe
| MD5 | d1fbd16bca4773b71b2a379c4ca18657 |
| SHA1 | d9f9ddcb279d4ea121dff3fc01ac94c6441508a7 |
| SHA256 | 497d05f6a1ca8ebdec25701a7ecd3ac3c2da0d9f4aad81115eb5c5eb1a4dd865 |
| SHA512 | dc9aceec7d0dd656c355b5128ecdbabd22970f77d4161d62fe9cd4cf297024656b8a7cf8b606e8d230c428dcac681e97c35077cd0fe13edbd30de6dee8228de7 |
memory/4792-48-0x00007FF728200000-0x00007FF728554000-memory.dmp
C:\Windows\System\kpthtVA.exe
| MD5 | 225ccc294e5cba89c2ead9525e0061b0 |
| SHA1 | b920424b0c2d00618a6876a27405726174e91c7b |
| SHA256 | 261a6c061713e93f3587d9a6f93cb44e0034fa5a5de6b122dc45fe0e5a0b9339 |
| SHA512 | d09e0cfb3e1e315e06f25b72ee6fbb38798f56fd53e8f672cc5b8916b639a0964fbb3ccc7f105194de4a7c90bcdce58d794789666d306db7c264b2df51ef0a61 |
C:\Windows\System\DocSFKL.exe
| MD5 | 2da870afda917d4b060a3b236004eef8 |
| SHA1 | 37e228840290a12c1d4f818d223f292bbb427d75 |
| SHA256 | 9809f4c4984e5168df79addfc7cf6b5a1b6b9a37c46067df9b8c22392e28764e |
| SHA512 | 44432fab2d2ec62a4c69c003d8f10f8b6c01e01dc7695808846f3d0bc068fee6dfcbbd3d7cffa1c6ba28d303ef7d05004f9f3b485b2fb2e6605bbd3f5a5f5195 |
C:\Windows\System\ZCFPysE.exe
| MD5 | 65e86e4cc8556623f05fabfc44f6171c |
| SHA1 | 215385a0fe45c92450236639226c2fc18a7b2d0b |
| SHA256 | d228274f4f9f3c98274dd6e8874a2e2be65502044c109f606f6c9d2d9132420e |
| SHA512 | aed2223a5091950d1f059cc7295bc33d71fe917ccc5a377d5a5765bb234a423e252703680517ec83185d13a372c3cce9d3bb46f941ca77633a7d91528ac726d0 |
memory/932-70-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp
memory/2624-67-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp
memory/3192-62-0x00007FF74A200000-0x00007FF74A554000-memory.dmp
memory/4392-66-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp
memory/4612-58-0x00007FF72BD50000-0x00007FF72C0A4000-memory.dmp
C:\Windows\System\QSCXTRX.exe
| MD5 | cc903842430f829876b32b44e1e59218 |
| SHA1 | c17e5f4bdeee670c80d4c2188dcc7a2e7388008c |
| SHA256 | 5d1e520af5287f6f34d8683e04cb3f52a48ba83eced37694915cf9a1df7fd483 |
| SHA512 | 4b2c5835df3f99a54fa5ade20fe89e8d5d40fd7f23ad2c847e109a90b139f4197238e4f5f4a70d9779461117ff170281a8284f13c2fdd8ccb080c847fdf35bcd |
memory/3004-76-0x00007FF66ABC0000-0x00007FF66AF14000-memory.dmp
C:\Windows\System\NGdXaGq.exe
| MD5 | 1c61d9714227e679000a2cbaf01851ad |
| SHA1 | 8226a4fbc2f376b8cc9d19534f4bdcf853f34a47 |
| SHA256 | 21a079720aa6ea5637cd7eb7a10d7e240b66b95f2c40104c2140a90b760048fc |
| SHA512 | 0ac9a08240e62bcd883eac297978a25007adacd2163e795126911d226389a1e7d9a73645333a74cdf4631cb4cd38316dc777b2d6693c8a59ffb6b7a20a800c27 |
memory/4908-82-0x00007FF796540000-0x00007FF796894000-memory.dmp
C:\Windows\System\dIljkPr.exe
| MD5 | 6ee1b380abcbc59cab24fc750c00acab |
| SHA1 | 82af126cfb9fb5dd47a808cc0ddaec900b446363 |
| SHA256 | 28bcf1cfed1d3911b9e259b6fba6d699eec8288f3fda3153d24fd95c8bc51107 |
| SHA512 | 5601a6c675b24a330ff77b613137dad4338bdf8ca07395929d59aa8346b693e43d285c24bfbea422224d6b728269c9deba4f1916e1923f76e0c6bdbcaa9a1b35 |
C:\Windows\System\yTmunOh.exe
| MD5 | a15e2ba2cb2e9186040bee537944a780 |
| SHA1 | 15b47afe34a14d54f8b926aefce342a515f9de8a |
| SHA256 | cd23b37743b2649c4648b88ada791b2bf0b037d1d5075a45acf97464bbb3a5a2 |
| SHA512 | 5f1f0f6feccb61000ce683b04b99b37bcec1170eb421aa9b24d2a7b2163a0d3edb53dafd86b3bc55d5dd683d9acf460bd01a1a12b074b8db35854c1f1e4dda01 |
memory/2480-101-0x00007FF6ABA90000-0x00007FF6ABDE4000-memory.dmp
C:\Windows\System\exQYvJm.exe
| MD5 | 69e393a730077a3bb336f8c491bd852a |
| SHA1 | a71f499fda91eccac96165867406a4c1993dc6e8 |
| SHA256 | 03a5eacab204a3ceadacd8607f5dc72825b26604880c33d0130038f4c79e896f |
| SHA512 | 9a02eec19fbf79efddf34c9a4b273d401aa8e9c2f2e4055cf2660f1f3c93d72910a75641afb353c1ed652fb817429b8eeddb202719b3b40854026023cf721969 |
C:\Windows\System\aGLtBFM.exe
| MD5 | dfef88503838bcf6037eb83f1152e252 |
| SHA1 | 3113da8e7dac04aba66393722d65462011dffcb8 |
| SHA256 | d376ae861cf6f8c311991c04eb0f5a03a50e60ca46fe860dfcd3bb2b9d40e7d7 |
| SHA512 | a7c0222caef152b07b351e18aa5065aeaf197892746ffa5d2169c0c7c330a220f3eeb2a96e51f16c5cb72789dc3d392305b4ca656a815aea198b50ee69fcc846 |
memory/4732-97-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp
memory/4000-91-0x00007FF6F98D0000-0x00007FF6F9C24000-memory.dmp
memory/740-90-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp
memory/2760-107-0x00007FF647140000-0x00007FF647494000-memory.dmp
memory/4792-119-0x00007FF728200000-0x00007FF728554000-memory.dmp
C:\Windows\System\vRgJfkE.exe
| MD5 | 13d032be7860ca136516887900f9a240 |
| SHA1 | 7ac5983e8cd4f36d9819927901a84018267b9531 |
| SHA256 | 73735fb9df4ed13c0307d6a6c9d45c4dc197ee8fc85a613f8ef0ef4f3c9e06d2 |
| SHA512 | e8bfcdc688dd8ddfa5ef13937d237f0b3f3850611f2b22fcdff6234abf35edb936478fb4cbedd40c1050f56f44d928b1902db296a41e261f341d3306c8b5a07e |
memory/4692-120-0x00007FF706630000-0x00007FF706984000-memory.dmp
memory/4552-127-0x00007FF6F9DF0000-0x00007FF6FA144000-memory.dmp
memory/4392-126-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp
C:\Windows\System\xbqHnph.exe
| MD5 | 8fbcaa1c22e83794c9c7000ca4c073d3 |
| SHA1 | a4ccc58c27fd4d381c2bcfcb00ab27bd7084f8f3 |
| SHA256 | b67537f9d5304ef863f31e6decde0f39e2dbb92ad06d8a4693d2aebda8a6e365 |
| SHA512 | e7ba1c5e0d32c8be75203eed3699df002ae1987e17b51ff03219b9ae76ff8c89c593367690dc513d73cd64180fffd2eb6b7ef800668b4c5f3220fba4a7b52aee |
C:\Windows\System\DFcvBMg.exe
| MD5 | 02e202269766c96f79f736dc3da5452a |
| SHA1 | d0bc2987a05ca64a2e213df07787fbde832d2996 |
| SHA256 | d927a45d11f871ab085a27a4ad795d2a86dc53d759b47fdb0a062551acbf28a0 |
| SHA512 | 67136a9f4172194f30939ee64780656f277a7482f33c0b85d3c162135c66bca737195921b3a0adc9ff57f40161ffa71273a34a629b39d9bfdf9ffdfbb504b006 |
memory/2580-111-0x00007FF60F0D0000-0x00007FF60F424000-memory.dmp
C:\Windows\System\ERCjhRg.exe
| MD5 | 59d6648895844aca613841196db29ecf |
| SHA1 | e67eb40aabf4a736a845890e08eb141e2d67d89c |
| SHA256 | 95c848836758073a174d4ac07cc4ca30f136c52d1ffe926d776c72281672ef01 |
| SHA512 | 40f5fbdb5363ade58c060267aca81a92fb0c27ecf6ccdb36d4fdc506fce55ba7f22ed702f1df8bd1f38fafdb8b8d8c57d9824c3558f59e1ab89bef77d69282d5 |
memory/3076-132-0x00007FF7311A0000-0x00007FF7314F4000-memory.dmp
memory/932-133-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp
memory/4732-134-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp
memory/2480-135-0x00007FF6ABA90000-0x00007FF6ABDE4000-memory.dmp
memory/2580-136-0x00007FF60F0D0000-0x00007FF60F424000-memory.dmp
memory/2624-137-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp
memory/1100-138-0x00007FF664A70000-0x00007FF664DC4000-memory.dmp
memory/2064-139-0x00007FF72E390000-0x00007FF72E6E4000-memory.dmp
memory/740-140-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp
memory/4132-141-0x00007FF751460000-0x00007FF7517B4000-memory.dmp
memory/1120-142-0x00007FF6F1430000-0x00007FF6F1784000-memory.dmp
memory/1296-143-0x00007FF735570000-0x00007FF7358C4000-memory.dmp
memory/4792-144-0x00007FF728200000-0x00007FF728554000-memory.dmp
memory/4612-145-0x00007FF72BD50000-0x00007FF72C0A4000-memory.dmp
memory/4392-146-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp
memory/932-147-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp
memory/3004-148-0x00007FF66ABC0000-0x00007FF66AF14000-memory.dmp
memory/4908-149-0x00007FF796540000-0x00007FF796894000-memory.dmp
memory/4000-150-0x00007FF6F98D0000-0x00007FF6F9C24000-memory.dmp
memory/4732-151-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp
memory/2760-153-0x00007FF647140000-0x00007FF647494000-memory.dmp
memory/2480-152-0x00007FF6ABA90000-0x00007FF6ABDE4000-memory.dmp
memory/2580-154-0x00007FF60F0D0000-0x00007FF60F424000-memory.dmp
memory/4692-155-0x00007FF706630000-0x00007FF706984000-memory.dmp
memory/4552-156-0x00007FF6F9DF0000-0x00007FF6FA144000-memory.dmp
memory/3076-157-0x00007FF7311A0000-0x00007FF7314F4000-memory.dmp