Analysis Overview
SHA256
b501f3100bfac73023d7772e7fec733787acf11561c6c0bd6c0f34ba0682ae58
Threat Level: Known bad
The file 2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
Cobaltstrike family
XMRig Miner payload
Detects Reflective DLL injection artifacts
Cobaltstrike
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
| Reported | 2024-06-28 00:02 |
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-06-28 00:02 |
| Reported | 2024-06-28 00:04 |
| Platform | win10v2004-20240611-en |
| Max time kernel | 150s |
| Max time network | 150s |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\bOjnijp.exe | N/A |
| N/A | N/A | C:\Windows\System\LNPwPcB.exe | N/A |
| N/A | N/A | C:\Windows\System\DFHEDmv.exe | N/A |
| N/A | N/A | C:\Windows\System\SEXMdTw.exe | N/A |
| N/A | N/A | C:\Windows\System\ZcFAASW.exe | N/A |
| N/A | N/A | C:\Windows\System\aqAnxVr.exe | N/A |
| N/A | N/A | C:\Windows\System\StulbEu.exe | N/A |
| N/A | N/A | C:\Windows\System\lMfFUdk.exe | N/A |
| N/A | N/A | C:\Windows\System\Wloeezj.exe | N/A |
| N/A | N/A | C:\Windows\System\GKlAixp.exe | N/A |
| N/A | N/A | C:\Windows\System\bCgKacg.exe | N/A |
| N/A | N/A | C:\Windows\System\lEjoXtk.exe | N/A |
| N/A | N/A | C:\Windows\System\RUmRLbR.exe | N/A |
| N/A | N/A | C:\Windows\System\SaVDShz.exe | N/A |
| N/A | N/A | C:\Windows\System\zagAOab.exe | N/A |
| N/A | N/A | C:\Windows\System\PXDakyW.exe | N/A |
| N/A | N/A | C:\Windows\System\heawLuc.exe | N/A |
| N/A | N/A | C:\Windows\System\ZuJDENN.exe | N/A |
| N/A | N/A | C:\Windows\System\KjatxbA.exe | N/A |
| N/A | N/A | C:\Windows\System\tAAXhKS.exe | N/A |
| N/A | N/A | C:\Windows\System\wcTqzAn.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\bOjnijp.exe | C:\Windows\System\bOjnijp.exe |
| C:\Windows\System\LNPwPcB.exe | C:\Windows\System\LNPwPcB.exe |
| C:\Windows\System\DFHEDmv.exe | C:\Windows\System\DFHEDmv.exe |
| C:\Windows\System\SEXMdTw.exe | C:\Windows\System\SEXMdTw.exe |
| C:\Windows\System\ZcFAASW.exe | C:\Windows\System\ZcFAASW.exe |
| C:\Windows\System\aqAnxVr.exe | C:\Windows\System\aqAnxVr.exe |
| C:\Windows\System\StulbEu.exe | C:\Windows\System\StulbEu.exe |
| C:\Windows\System\lMfFUdk.exe | C:\Windows\System\lMfFUdk.exe |
| C:\Windows\System\Wloeezj.exe | C:\Windows\System\Wloeezj.exe |
| C:\Windows\System\GKlAixp.exe | C:\Windows\System\GKlAixp.exe |
| C:\Windows\System\bCgKacg.exe | C:\Windows\System\bCgKacg.exe |
| C:\Windows\System\lEjoXtk.exe | C:\Windows\System\lEjoXtk.exe |
| C:\Windows\System\RUmRLbR.exe | C:\Windows\System\RUmRLbR.exe |
| C:\Windows\System\SaVDShz.exe | C:\Windows\System\SaVDShz.exe |
| C:\Windows\System\zagAOab.exe | C:\Windows\System\zagAOab.exe |
| C:\Windows\System\PXDakyW.exe | C:\Windows\System\PXDakyW.exe |
| C:\Windows\System\heawLuc.exe | C:\Windows\System\heawLuc.exe |
| C:\Windows\System\ZuJDENN.exe | C:\Windows\System\ZuJDENN.exe |
| C:\Windows\System\KjatxbA.exe | C:\Windows\System\KjatxbA.exe |
| C:\Windows\System\tAAXhKS.exe | C:\Windows\System\tAAXhKS.exe |
| C:\Windows\System\wcTqzAn.exe | C:\Windows\System\wcTqzAn.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 40.119.249.228:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-06-28 00:02 |
| Reported | 2024-06-28 00:04 |
| Platform | win7-20240419-en |
| Max time kernel | 135s |
| Max time network | 144s |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YePAPIE.exe | N/A |
| N/A | N/A | C:\Windows\System\rfVwMtM.exe | N/A |
| N/A | N/A | C:\Windows\System\VOgZmbs.exe | N/A |
| N/A | N/A | C:\Windows\System\kwlBJrK.exe | N/A |
| N/A | N/A | C:\Windows\System\XZWzjof.exe | N/A |
| N/A | N/A | C:\Windows\System\JBIFflc.exe | N/A |
| N/A | N/A | C:\Windows\System\JIxBjWt.exe | N/A |
| N/A | N/A | C:\Windows\System\TFmBXTG.exe | N/A |
| N/A | N/A | C:\Windows\System\cBxOxZh.exe | N/A |
| N/A | N/A | C:\Windows\System\ujUsZtM.exe | N/A |
| N/A | N/A | C:\Windows\System\EqAlnhl.exe | N/A |
| N/A | N/A | C:\Windows\System\lenyjLB.exe | N/A |
| N/A | N/A | C:\Windows\System\KMWGrVX.exe | N/A |
| N/A | N/A | C:\Windows\System\qNPZMCd.exe | N/A |
| N/A | N/A | C:\Windows\System\AtDCTMr.exe | N/A |
| N/A | N/A | C:\Windows\System\GrPOdOT.exe | N/A |
| N/A | N/A | C:\Windows\System\QdUFpYp.exe | N/A |
| N/A | N/A | C:\Windows\System\ZJagHJi.exe | N/A |
| N/A | N/A | C:\Windows\System\cyevwoA.exe | N/A |
| N/A | N/A | C:\Windows\System\ljLTzpX.exe | N/A |
| N/A | N/A | C:\Windows\System\mQStkON.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\YePAPIE.exe | C:\Windows\System\YePAPIE.exe |
| C:\Windows\System\rfVwMtM.exe | C:\Windows\System\rfVwMtM.exe |
| C:\Windows\System\VOgZmbs.exe | C:\Windows\System\VOgZmbs.exe |
| C:\Windows\System\kwlBJrK.exe | C:\Windows\System\kwlBJrK.exe |
| C:\Windows\System\JBIFflc.exe | C:\Windows\System\JBIFflc.exe |
| C:\Windows\System\XZWzjof.exe | C:\Windows\System\XZWzjof.exe |
| C:\Windows\System\JIxBjWt.exe | C:\Windows\System\JIxBjWt.exe |
| C:\Windows\System\TFmBXTG.exe | C:\Windows\System\TFmBXTG.exe |
| C:\Windows\System\cBxOxZh.exe | C:\Windows\System\cBxOxZh.exe |
| C:\Windows\System\ujUsZtM.exe | C:\Windows\System\ujUsZtM.exe |
| C:\Windows\System\EqAlnhl.exe | C:\Windows\System\EqAlnhl.exe |
| C:\Windows\System\lenyjLB.exe | C:\Windows\System\lenyjLB.exe |
| C:\Windows\System\KMWGrVX.exe | C:\Windows\System\KMWGrVX.exe |
| C:\Windows\System\qNPZMCd.exe | C:\Windows\System\qNPZMCd.exe |
| C:\Windows\System\AtDCTMr.exe | C:\Windows\System\AtDCTMr.exe |
| C:\Windows\System\GrPOdOT.exe | C:\Windows\System\GrPOdOT.exe |
| C:\Windows\System\QdUFpYp.exe | C:\Windows\System\QdUFpYp.exe |
| C:\Windows\System\cyevwoA.exe | C:\Windows\System\cyevwoA.exe |
| C:\Windows\System\ZJagHJi.exe | C:\Windows\System\ZJagHJi.exe |
| C:\Windows\System\mQStkON.exe | C:\Windows\System\mQStkON.exe |
| C:\Windows\System\ljLTzpX.exe | C:\Windows\System\ljLTzpX.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1028-0-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/1028-1-0x00000000001F0000-0x0000000000200000-memory.dmp
C:\Windows\system\YePAPIE.exe
| MD5 | 4a2e29d92118c84fd7e26080a75ad32b |
| SHA1 | 96c9c8a52c80215d20da2b7f4f708e5e7456c92a |
| SHA256 | 56f2692ea1fc9377861723ba10ed3c4db5f3c1203861b390f8fa7e88fc8d8606 |
| SHA512 | e716bb2117bc4c404e43a5dc5bcf7b10f866897d5af0a3c2277952d391956b0041b7dc89c7c376243afe7053778b1b9537caaa7ceb57153f40db234f996a0fb0 |
C:\Windows\system\VOgZmbs.exe
| MD5 | 9f1249d2415f5edcde72833cc21f0f9a |
| SHA1 | 70dab8b1b9be297aec44c71b3ed279342f985175 |
| SHA256 | c34d3b61b1738ed442b84383f8ba14b12106f2c12e942c3eeebbccc2f6a08b5f |
| SHA512 | 895b5d327eab27821f2d755c8e2b5a09999f3fb5fb261e22720620c05a90672f41de39c2f59985e712dbd9e670abfcf990e0b65b0e8d76012eb769b8e69b8e0d |
\Windows\system\rfVwMtM.exe
| MD5 | 5d3520957469a213ad4098cfbd559940 |
| SHA1 | 623d3b705baefcbdda03fa65e7fb98f12f4ea6a4 |
| SHA256 | 3293404f98406007efa20f9112a4493860d50d2eb54f7a850d53cf054ea7a3de |
| SHA512 | 52b0431fe93709925095645c778d7b4387966b936ca8c35521fb4b81e31fe1b791d396821ce025601905c825891a56e4f0916974621069077bca034de83e7061 |
memory/1028-21-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2652-23-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2012-22-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/1028-20-0x0000000002250000-0x00000000025A4000-memory.dmp
memory/1028-28-0x0000000002250000-0x00000000025A4000-memory.dmp
C:\Windows\system\kwlBJrK.exe
| MD5 | 9c8a4aa17afdb30105e4f23ced8c2f10 |
| SHA1 | 85339b7dc00cd2db8fc7d4166638854243c0c77b |
| SHA256 | 787456210248d9692d0ec8eeaabc34dadb93e186c69bf83da0a0f597dfe7c98b |
| SHA512 | 54b9bd41d768a2b2b70e924511966c107b050c2fba645c86036d45e8d85ed21ed44a7073a0e2b95b5bd107d5ac1a44467c30560d36e4c5ba6ac0016e089d6fd6 |
\Windows\system\XZWzjof.exe
| MD5 | 9f99fc51cf4374b71853e0bf199d6cb6 |
| SHA1 | 2c881758c6ae6d81c09660b47b6815fe5ef27c7f |
| SHA256 | 954196210b5c99cb5bff4eb1e31dd8791c578f875d01266f8235f1b811cd2b2c |
| SHA512 | bbbb275202891abcfa11fa2f7db496a4a9f843087afd409fc0081eae7c4801f60f91e221e48d72a9d2a8232c91969d1c3b969db60093fc4edb20b3bb4494586a |
\Windows\system\JBIFflc.exe
| MD5 | 42ebb672a8365fa71ae98c3cbb6ae738 |
| SHA1 | 6dae2744b9eec1bb47b5107c1a7494080d46d998 |
| SHA256 | 98c835449098415470837969a938a80a03e2416c80a99d70b4a4cbb487ece1c2 |
| SHA512 | be19f151805dafdcca8a0b9c9e895e5b07ec050252b9b2b5548ea7fa4b6cc1acee7cf21ddeabd091811d0f8a577f93afbffad09899bc174d72706fa1941456aa |
memory/2656-41-0x000000013F600000-0x000000013F954000-memory.dmp
memory/1028-46-0x000000013F380000-0x000000013F6D4000-memory.dmp
\Windows\system\JIxBjWt.exe
| MD5 | 80a25897db053e80099428309f1394c7 |
| SHA1 | 584a54c255ce6a3d9c79ba1db648bf92e65e5545 |
| SHA256 | 19636999665e57ed3051029643a15fe755d3afd96821394cbba1171fcafba658 |
| SHA512 | 3339473de5932b7392af446e005e845e936ea000313acf26b9562e42ea6483ee6cb14fbb04c7b0ca0f450e30ad523325fbdcf4d1aa649316734e9d03f88f8b4b |
memory/2628-44-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/1028-43-0x0000000002250000-0x00000000025A4000-memory.dmp
memory/1028-40-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2816-37-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/1740-18-0x000000013F620000-0x000000013F974000-memory.dmp
memory/1028-15-0x000000013F620000-0x000000013F974000-memory.dmp
\Windows\system\TFmBXTG.exe
| MD5 | 125ef8396756ec72c9a594f44bcaf72a |
| SHA1 | b725c398514d865cf6e71ce62a46dc795f276c7a |
| SHA256 | 64bda3eba7d6563fe6d27251a32d768d41b6d8858a78657b8238727dbf652f69 |
| SHA512 | d1fc1076d24c2e49482bc9b7c6a42d78cec2a5c6946bee6b41af87e545e680b7c3b6d42a535a79d25a714e6facf040fad021c831be630488b753d68d9dddfbaa |
C:\Windows\system\cBxOxZh.exe
| MD5 | c1e46e114a530c5e3e6cfdd4caaacc43 |
| SHA1 | f3255a28fbec310c7b62aa2f438d3d6916b5ab1a |
| SHA256 | 82bc03ea8f5c71377129c44c668ade232c9ccf722a913991aa78df6f77e67770 |
| SHA512 | b3988e27f034ccd606dc7f968c78c5dd7488aba34085d20789e809d31fbf3fc0b0283521e3fc2d06ebc0996f420abe08f3f824a7c193ec6e172549fc7f616f82 |
memory/2540-57-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
\Windows\system\ujUsZtM.exe
| MD5 | 13ad8ab197b488c9e92a9f5390c8c262 |
| SHA1 | 7c276e6943f2167cf9a688a8f69d9562049316ce |
| SHA256 | 7577e6b79d98c5b640a8c577ebd544668552d4703b1cf1b1105b4091e4800dde |
| SHA512 | d2ea6b3a0df38b419325e56a489cb686812d743780090954538a05d67dbc0ee46f2fb4a4a15f14c5c6a1558b62af2e4444c5db0d2430a72ea0eab95fdd807745 |
memory/1028-55-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/1028-68-0x000000013FD40000-0x0000000140094000-memory.dmp
\Windows\system\EqAlnhl.exe
| MD5 | aa854a3fbd0e5039d85ef1c6a554588a |
| SHA1 | 961f781651a4ab7b10d6355e81496ed3efa1549c |
| SHA256 | 9533e04069be095abc4726e97b00c215059adb1889aea0df0d8da85e75f91209 |
| SHA512 | 67f89c761e1209842b28076d87cdfef2d1d1b8c3134f7907f4cf4b683520e6dfe3442d061966c18edd7ef8cac3c08a28220a22fe3ed7c597e6e8cdede39c5652 |
memory/2872-51-0x000000013F380000-0x000000013F6D4000-memory.dmp
\Windows\system\AtDCTMr.exe
| MD5 | 9846901833aef7fc5a5ec1376a09808e |
| SHA1 | a1d7e6b64a35195e83fbb516534289d7463fcd40 |
| SHA256 | 21dd7f2b2e371bc9bd0a5ee1dd45e50e7343c32cd59b67a8f0d05833a2f5eeda |
| SHA512 | 9962aaa94c53a164faab54d60ab57f6ce26ab4c5adb6ff555d02da18a59044138dfef73c24c4ea330fed184fabd44c9b6305335a83c3fd0c6d8ff7a0ee5303f7 |
\Windows\system\GrPOdOT.exe
| MD5 | 63ecb1456bfb210ca61de609eecfe0f3 |
| SHA1 | 138afce48fceae2ae8660c9a96189aaa1ac032e6 |
| SHA256 | 430bd625afb3d6f8e7e5782231f8ddca807626d700df9b8846764542eca29c25 |
| SHA512 | 938a173c124834bd9302db663b521e909de1056e9d79b8551ff9396e95f7c5e48e9df3b8db7aabf93f3d20f14a789e1f4e6fca4d68b0e12d5f79223c027a1bf2 |
C:\Windows\system\ZJagHJi.exe
| MD5 | 6ac36276726e844f16197e2cec5e2cd9 |
| SHA1 | c4a3ec4b8cec3d93fe514a696d37b87d00e69800 |
| SHA256 | 2be6c8dcf36e190011df1fff833d5d7f9c20aa14b65a953915a507d298f2a105 |
| SHA512 | 73633a21f5d2c8edd99878c8730697d25a79752416a5ca10cd0de2cb9cee9d4cc4b6f7ec9e5278806f609f2bf1a83782b61e826ed9834a256014044b7553e17d |
C:\Windows\system\QdUFpYp.exe
| MD5 | 32aa2c5a15a460f20709fa527ec3a9cb |
| SHA1 | 873da4c2322b19837cf936758641ea37719c66ed |
| SHA256 | 6fac3369d2b05dda3b43251be34d96559fff6bcacabc3cb98d93003bbe642944 |
| SHA512 | 066327ce81a342f50498d16d2a485110b23d5caf0456b9e6b83789e59d85021185fba0e771aad61d09aec0f0afc0292bf6d829bfaea63afc0a55e72163f12f49 |
\Windows\system\cyevwoA.exe
| MD5 | 04626313ab0c01c8434b46f2e40f105d |
| SHA1 | 4d2f14c24b28e0a2d69d6b3e670d47b844ff3def |
| SHA256 | e318e1d84e48fd696588e5a67af419d27f4f208c07240e07e6470a56d5d54cdd |
| SHA512 | 8452a3d2c1beeb5044a9cee9abd46967dfd7e78b0ede36432ef2fb547c2b2ab80a2802766623015c826869207cdd33cbb591c392d5c68b5777834c1c92dc06e9 |
memory/2908-130-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/1028-129-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/1028-133-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/1028-134-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/3044-132-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/1028-131-0x0000000002250000-0x00000000025A4000-memory.dmp
C:\Windows\system\mQStkON.exe
| MD5 | c759e4f00ae7ece2a20fb8ff9e0e472f |
| SHA1 | ac98da93e6ef5f5ed570cf468d90af82fc97aab6 |
| SHA256 | f3013fad9dcb2f8ec3fe360393104744839b3f3c5a1e6d9fc6da5c755aff6958 |
| SHA512 | 9aca99614bb1bcfe07ecca2d170fcca18f07cd23f0fce33edbe6550fc0a159812779f1d438140f09b5e634acb46e65b04c562586ee872e82d8a1b29ae37fbb9a |
memory/2868-122-0x000000013F380000-0x000000013F6D4000-memory.dmp
C:\Windows\system\ljLTzpX.exe
| MD5 | 13f1b11165fc84b417ae4bbce301d35c |
| SHA1 | 0370a9d8169729a93a6eed0a1bf775c2b2cfaa3e |
| SHA256 | f2244f36b3dd01d7b49c440a620b08d4a605769001896165616609b24524d5a6 |
| SHA512 | de8d7da0a2e4ce20e0f7805a2c53e9ebc989dc2a90afcd758120a8f8ed4470f33f4f8bff9339fd5bb485f89d8c312c838968ef5218214694e2c967dfcb748d9b |
memory/2692-116-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/316-120-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/1160-119-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/1028-101-0x000000013F6B0000-0x000000013FA04000-memory.dmp
\Windows\system\qNPZMCd.exe
| MD5 | dbfaac8c8ba94151de1b2f178eaad647 |
| SHA1 | ba0810428d81548c671a4a5ecaed2c60a19341c6 |
| SHA256 | 17c087909ec390bebfbecc14f1f43a332dabf64a44e53ac88c6bf2b8d2c33053 |
| SHA512 | 2c722c926a96d621ff6072660bd3238bbd0752c41bb202c1715238b518f89c98ca0805e1c097b84519954287178aae25d251d06af0d97b3dc8e269ec29a92c9a |
C:\Windows\system\KMWGrVX.exe
| MD5 | 9f175a2fac2c024ad67c2b5b29d224b7 |
| SHA1 | 74457d45e3f0abfe81318837e91a97643b904898 |
| SHA256 | ce1b034a7beb5c8a10f93fe5662d0f6c5366249589ba77449a45b08eaa3839e9 |
| SHA512 | e80cc693be25ef88488b53524a53203a3c79ea233997f8d71f892c3fbc4811a0ade9ac233627bbece6d0cfedc381f0a7abcad4c1d4b97f1d6b593107e0f7b254 |
C:\Windows\system\lenyjLB.exe
| MD5 | 01d8d21c8cc43f8ae21ffbe1d41ac44f |
| SHA1 | 9eab48366f84a4da8b75795eb8687e5fd51d107d |
| SHA256 | a30d746ecf1cb771403b0d21578334a95f8c6c66fd7e7b4ec64abb3da5f52524 |
| SHA512 | 8e8e9a6bc89388d24c2173900cb436b6e20135036815f1830438f84b82b2169ce94b6ba4f9870f38cf48f5eb9d8af2523145f309ef0544a0864a788466c57ec4 |
memory/2816-135-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2540-136-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/1028-138-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/1028-137-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2652-141-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2012-140-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/1740-139-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2656-143-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2628-144-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2816-142-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2872-145-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/2692-147-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2540-146-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/1160-148-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/316-149-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2868-150-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/3044-151-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2908-152-0x000000013F8A0000-0x000000013FBF4000-memory.dmp