Analysis Overview
SHA256
c866fd74a259d82124228e798b2b359742482802064e606ac015187b32bc9546
Threat Level: Known bad
The file 2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike
Cobaltstrike family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-28 00:03
Signatures
Cobalt Strike reflective loader
1 hit; description, indicator, process and target were not captured in this export.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit; description, indicator, process and target were not captured in this export.
UPX dump on OEP (original entry point)
1 hit; description, indicator, process and target were not captured in this export.
XMRig Miner payload
1 hit; description, indicator, process and target were not captured in this export.
Xmrig family
UPX packed file
1 hit; description, indicator, process and target were not captured in this export.
Unsigned PE
1 hit; description, indicator, process and target were not captured in this export.
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 00:03
Reported
2024-06-28 00:06
Platform
win10v2004-20240226-en
Max time kernel
157s
Max time network
163s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; description, indicator, process and target were not captured in this export.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; description, indicator, process and target were not captured in this export.
UPX dump on OEP (original entry point)
64 hits; description, indicator, process and target were not captured in this export.
XMRig Miner payload
64 hits; description, indicator, process and target were not captured in this export.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\mElHPpi.exe | N/A |
| N/A | N/A | C:\Windows\System\aMIuLwN.exe | N/A |
| N/A | N/A | C:\Windows\System\akWthba.exe | N/A |
| N/A | N/A | C:\Windows\System\ydOCuGI.exe | N/A |
| N/A | N/A | C:\Windows\System\KRJHAJM.exe | N/A |
| N/A | N/A | C:\Windows\System\jIhfjMN.exe | N/A |
| N/A | N/A | C:\Windows\System\ElsHgtI.exe | N/A |
| N/A | N/A | C:\Windows\System\kXbduzy.exe | N/A |
| N/A | N/A | C:\Windows\System\DdOtKnm.exe | N/A |
| N/A | N/A | C:\Windows\System\ENSEawX.exe | N/A |
| N/A | N/A | C:\Windows\System\VZbiPtN.exe | N/A |
| N/A | N/A | C:\Windows\System\XRbSxuN.exe | N/A |
| N/A | N/A | C:\Windows\System\kTCKACZ.exe | N/A |
| N/A | N/A | C:\Windows\System\gbfwXKy.exe | N/A |
| N/A | N/A | C:\Windows\System\IUfEnMw.exe | N/A |
| N/A | N/A | C:\Windows\System\OpgNKXS.exe | N/A |
| N/A | N/A | C:\Windows\System\QxQxrBg.exe | N/A |
| N/A | N/A | C:\Windows\System\ibwPEaK.exe | N/A |
| N/A | N/A | C:\Windows\System\lwPaLKK.exe | N/A |
| N/A | N/A | C:\Windows\System\IZQfjVr.exe | N/A |
| N/A | N/A | C:\Windows\System\EuZdOnh.exe | N/A |
UPX packed file
64 hits; description, indicator, process and target were not captured in this export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\mElHPpi.exe
C:\Windows\System\mElHPpi.exe
C:\Windows\System\aMIuLwN.exe
C:\Windows\System\aMIuLwN.exe
C:\Windows\System\akWthba.exe
C:\Windows\System\akWthba.exe
C:\Windows\System\ydOCuGI.exe
C:\Windows\System\ydOCuGI.exe
C:\Windows\System\KRJHAJM.exe
C:\Windows\System\KRJHAJM.exe
C:\Windows\System\jIhfjMN.exe
C:\Windows\System\jIhfjMN.exe
C:\Windows\System\ElsHgtI.exe
C:\Windows\System\ElsHgtI.exe
C:\Windows\System\kXbduzy.exe
C:\Windows\System\kXbduzy.exe
C:\Windows\System\DdOtKnm.exe
C:\Windows\System\DdOtKnm.exe
C:\Windows\System\ENSEawX.exe
C:\Windows\System\ENSEawX.exe
C:\Windows\System\VZbiPtN.exe
C:\Windows\System\VZbiPtN.exe
C:\Windows\System\XRbSxuN.exe
C:\Windows\System\XRbSxuN.exe
C:\Windows\System\kTCKACZ.exe
C:\Windows\System\kTCKACZ.exe
C:\Windows\System\gbfwXKy.exe
C:\Windows\System\gbfwXKy.exe
C:\Windows\System\IUfEnMw.exe
C:\Windows\System\IUfEnMw.exe
C:\Windows\System\OpgNKXS.exe
C:\Windows\System\OpgNKXS.exe
C:\Windows\System\QxQxrBg.exe
C:\Windows\System\QxQxrBg.exe
C:\Windows\System\ibwPEaK.exe
C:\Windows\System\ibwPEaK.exe
C:\Windows\System\lwPaLKK.exe
C:\Windows\System\lwPaLKK.exe
C:\Windows\System\IZQfjVr.exe
C:\Windows\System\IZQfjVr.exe
C:\Windows\System\EuZdOnh.exe
C:\Windows\System\EuZdOnh.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | chromewebstore.googleapis.com | tcp |
| GB | 142.250.187.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 120.150.79.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Only the repeated TCP connections to 3.120.209.58:8080 are attributable to the sample: the endpoint is reached by hard-coded IP with no preceding DNS query, and it is the sole destination in the Windows 7 run below. The reverse (in-addr.arpa) lookups and the chromewebstore.googleapis.com traffic coincide with the msedge.exe utility process listed above and are most likely background activity of the analysis image rather than sample behaviour.
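The behaviour recorded in this run reduces to three hunting checks: a 7-letter, mixed-case, unsigned EXE executed from the legacy C:\Windows\System folder (not System32), SeLockMemoryPrivilege being enabled by a binary that has no business holding it (XMRig requests it to back its RandomX scratchpad with large pages; legitimate holders are typically database engines or hypervisors), and the hard-coded beacon to 3.120.209.58:8080. The following is an added example of those checks run over constructed telemetry, not code from the sandbox or from the report. The Event fields are an assumed Sysmon-like shape, not a vendor schema, and the sqlservr.exe path is an illustrative placeholder for a legitimate large-pages user.

```python
"""Hunting checks for the behaviour recorded in the behavioral2 run above.

Added example; this is not the sandbox's code. The Event records are constructed
to resemble Sysmon-style process, privilege and network telemetry, and the field
names are an assumption rather than any vendor's schema.
"""
import re
from dataclasses import dataclass

# The dropped executables are all 7-letter mixed-case names in the legacy
# C:\Windows\System folder (not System32). The regex is tuned to this sample;
# widen the length range when hunting for variants.
DROPPED_EXE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)

# The only destination both detonations share; contacted by IP, no DNS lookup.
KNOWN_C2 = {("3.120.209.58", 8080)}

# XMRig enables this privilege to back its RandomX scratchpad with large pages.
# Legitimate users are rare (database engines, hypervisors), so anything outside
# these prefixes is worth a look. Tune the prefixes to your estate.
MINER_PRIVILEGE = "SeLockMemoryPrivilege"
EXPECTED_PRIVILEGE_USERS = ("c:\\program files\\", "c:\\windows\\system32\\")


@dataclass
class Event:
    kind: str            # "process", "privilege" or "network"
    image: str           # full path of the acting process
    signed: bool = True  # Authenticode status of the image
    privilege: str = ""  # privilege enabled, for "privilege" events
    dest_ip: str = ""    # for "network" events
    dest_port: int = 0


def check_event(ev: Event) -> list[str]:
    """Return the findings for one event (empty if it looks benign)."""
    image = ev.image.lower()
    findings = []
    if ev.kind == "process" and DROPPED_EXE.match(image):
        findings.append("random-named EXE executed from C:\\Windows\\System")
        if not ev.signed:
            findings.append("unsigned PE")
    if (ev.kind == "privilege" and ev.privilege == MINER_PRIVILEGE
            and not image.startswith(EXPECTED_PRIVILEGE_USERS)):
        findings.append(f"{MINER_PRIVILEGE} enabled by unexpected binary")
    if ev.kind == "network" and (ev.dest_ip, ev.dest_port) in KNOWN_C2:
        findings.append(f"connection to known endpoint {ev.dest_ip}:{ev.dest_port}")
    return findings


def triage(events) -> dict[str, list[str]]:
    """Group findings by acting process image; images with no findings are omitted."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        found = check_event(ev)
        if found:
            hits.setdefault(ev.image, []).extend(found)
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe"

# Constructed telemetry modelled on the report: the sample enables the privilege,
# beacons to the endpoint and spawns two of the dropped files. A stock svchost.exe
# and an (assumed) database engine are controls that must not be flagged.
SAMPLE_EVENTS = [
    Event("privilege", SAMPLE, signed=False, privilege=MINER_PRIVILEGE),
    Event("network", SAMPLE, signed=False, dest_ip="3.120.209.58", dest_port=8080),
    Event("process", r"C:\Windows\System\mElHPpi.exe", signed=False),
    Event("process", r"C:\Windows\System\aMIuLwN.exe", signed=False),
    Event("process", r"C:\Windows\System32\svchost.exe", signed=True),
    Event("privilege", r"C:\Program Files\Microsoft SQL Server\sqlservr.exe",
          privilege=MINER_PRIVILEGE),  # illustrative path, not from the report
]


def run_sample() -> dict[str, list[str]]:
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for image, found in run_sample().items():
        print(image)
        for f in found:
            print("   -", f)
```

The privilege check is deliberately path-based rather than a blanket alert: SeLockMemoryPrivilege on its own is a weak signal, but a process in a user Temp directory enabling it while unsigned siblings appear under C:\Windows\System is the combination this report shows.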
Files
memory/4660-0-0x00007FF76B200000-0x00007FF76B554000-memory.dmp
memory/4660-1-0x0000019E59BA0000-0x0000019E59BB0000-memory.dmp
C:\Windows\System\mElHPpi.exe
| MD5 | 24431caeba60865396028200fbd3720a |
| SHA1 | ed68acba72d9f8bc963f7f6b7e58fa1aa1036aa8 |
| SHA256 | 923c96a3b5dc87b43af4265c73feba9af3579c12ec22a66fc2ce63ca8065084c |
| SHA512 | eee61b5122c3b7da7ca761c03884781b97900b1d838a4e41661e2f5d44e0e5ef7bcdcc5b4ee90e6715c5f1b3e615cc4fcc1d4f3e1d6aa205ebbde8bfb3f1677e |
memory/4384-8-0x00007FF6024D0000-0x00007FF602824000-memory.dmp
C:\Windows\System\aMIuLwN.exe
| MD5 | 670d86bffc00e96da48a0aa7bd6f4642 |
| SHA1 | 2395439546d5aadc32aadebc82ea80f59f9497d3 |
| SHA256 | d01f4e05b4c260b39a3b1449adc65de27337069fe071d73c41d05e46bda9161c |
| SHA512 | 5cfa538b611ce9e19b5c110b9a697ac9c82f93f5b1997cbd40ef5106cd4ab76333afd2df722265e8d6ba4fc0a0e31888cd03e497312a1c6807edccfc6a554c5c |
memory/2320-14-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp
C:\Windows\System\akWthba.exe
| MD5 | 9b4afd2bd671931379d01f20afe7bb06 |
| SHA1 | 942463ed57e3a31ebae5fcdeac67c57ee8a5d8bb |
| SHA256 | 432c74aac08dfd0caea381590e07f55fc131d629f2bbd6806145b95fce558cdc |
| SHA512 | f8f238bb1cb259a16d8003622c3ce0640ca9618a88c31222e361f931cad72bea7e8d799a3a06bc8c79d791cf6a4c6c57a2518a207f311ecbd4e04f26397bfc92 |
memory/1844-20-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp
C:\Windows\System\ydOCuGI.exe
| MD5 | 8d9645a9e195ed1e82661a86fbccee31 |
| SHA1 | b6710ade85d0895e6dabe238d2c381d0fe6aa7bc |
| SHA256 | 1b974b8ec64200ad618ce300bfe4870fe86cc78b1842f9794f996aedd7d11085 |
| SHA512 | 53afe635cbf31b63f8e3ecbfc7373d7eae380942f6f9f166e07a9cf0f95f99a598ff6f7ea9a7ee83f1feb91a084538d052e70495b7b7404a8ec19b1d5d98ff7a |
memory/928-26-0x00007FF620570000-0x00007FF6208C4000-memory.dmp
C:\Windows\System\KRJHAJM.exe
| MD5 | 5408772a47d89ed7a3c84a69438887c9 |
| SHA1 | 54ac9cca64bb400925abc90ed82ebd3118afd7be |
| SHA256 | 75ba0a0adc9aa0734eb479cef523d66077ed7d2f22fe25f9d3180efaa5cab715 |
| SHA512 | d369ff6f6f330d5e5404979e6dec7ca70e245d1a8e4494eaef37df09763e2cb5ed87cfcd854da4ef5955382dcff0eda69481cd6254a1fd3dfc5323fc4cde1ffc |
memory/1568-32-0x00007FF7851D0000-0x00007FF785524000-memory.dmp
C:\Windows\System\jIhfjMN.exe
| MD5 | 3955cd0de42c1efe9b90a042345054ec |
| SHA1 | b0b1e44d95aa651390e87de2b0025d114cf59ba3 |
| SHA256 | 4a5f862f19b7ea5eb360e1fc405752ed2e3968bfb1b9be599f07a7b9d8412e2c |
| SHA512 | dd6c2bf38b8fc417bdb6f690e9fd4530c76079acbbf75a32331fcbe7e3a2ef7f8dc3c2d8d159df1e1a8ba6ccdaea0880794f8b9d0bf8dd0ec34a1a7bde10c7ba |
memory/3808-38-0x00007FF69E030000-0x00007FF69E384000-memory.dmp
C:\Windows\System\ElsHgtI.exe
| MD5 | 308461950a8a0437affd703bc8db14f4 |
| SHA1 | 86f4e094011b8a5e4a95422671a273250d155794 |
| SHA256 | e7dfd015ac5fcc7044297965bbcadcbb2861cde03b2d9240972b45547b0ea670 |
| SHA512 | 7e794e7236404b4d12ee4692199d43bca32acadb78c7ca87b4490fbee1acf5472de2639989d1a4adfd35695e376bf61a13625c2d7ba7fcbda4bfca7e02f7d23f |
memory/2304-43-0x00007FF710230000-0x00007FF710584000-memory.dmp
C:\Windows\System\kXbduzy.exe
| MD5 | 3d2b915d14cbde7bab25beef9e941aa9 |
| SHA1 | ab879e6314254f86fa301c4c9d92c43cf55e1f6a |
| SHA256 | ab6e461d864062085f4065b62b84dc3d8dd41c8f09def985cbe59badc7974171 |
| SHA512 | 8fe18f84fe605b04bccfea202fda1485fc1da017f5f7e48ea2578ed51d6d78039d00c0e8d88cd5f5c4f47d50bc00e299d25d17f610b9a58c75c763c0a450c7d6 |
memory/2884-50-0x00007FF71B200000-0x00007FF71B554000-memory.dmp
C:\Windows\System\DdOtKnm.exe
| MD5 | 9e19aa8cfcbcdc44d6c379ecaa6cca31 |
| SHA1 | 0bd6f23b2a90fe3cf79cc0b02f48faaaa6367a14 |
| SHA256 | 02122060e255938e33f25f7d0e98d6be6209ba7ffbc85ab6874a95eb4d9200b0 |
| SHA512 | a38ba9f1a4c7342465717affd168b30add520788f62a72f63959a7ed63524e1b7d7690c9ba5b7801cb09f84683263a70cf5ac5574753cad8f80ba433dac8901a |
memory/448-56-0x00007FF702580000-0x00007FF7028D4000-memory.dmp
C:\Windows\System\ENSEawX.exe
| MD5 | f5143e3027e0939a7cd566b63adc6fa6 |
| SHA1 | 431444e9256d564a862e7be670340e3cdc2a5585 |
| SHA256 | e915527ada344341cf413f1b222c2c3372ff838950abb4898d6fe24d3053855c |
| SHA512 | 221223b520fdc25505d3be7640e2909a667f883cb6f0a3463e4436fe78c04397e44ce21edaf9e7fc41ffd4083e4d2ce0ade15245518dbf0c5e5eb89cf04917e3 |
memory/4660-62-0x00007FF76B200000-0x00007FF76B554000-memory.dmp
memory/4676-63-0x00007FF73F5A0000-0x00007FF73F8F4000-memory.dmp
C:\Windows\System\VZbiPtN.exe
| MD5 | 681297d9e62e2ece64a3006213c84e75 |
| SHA1 | 01d3d16e879f39de3a4658fc6712af5cd87c22f4 |
| SHA256 | 75f9d16168e63fea76215d633f073a48025673b6db3e009b0c6e378a67ce2770 |
| SHA512 | c2759e9a4f6799af07a814915cca1c735ea80f21b3f345705e7b75c0bdc16abf0c896725053f50c4b80d146e017a6c4b558817df20816747bab969096d270bf3 |
memory/4384-67-0x00007FF6024D0000-0x00007FF602824000-memory.dmp
memory/3756-70-0x00007FF77E110000-0x00007FF77E464000-memory.dmp
C:\Windows\System\XRbSxuN.exe
| MD5 | 0027c5a1661375a61198060dbe9ec874 |
| SHA1 | 768fb1aff5f4f11ea975e372446ad2c537dca9af |
| SHA256 | 0c204a98a3b8bc343d9b420eb3535390fd468d230730242ae4abf22eb61d611a |
| SHA512 | c975c7161bb235234b2e1adbc42614dc73503a4523080f77afb6121f88d022c7dccf0def9e3b2bda062f2e800c524f14635528b42f502afcff134180affc987d |
memory/2320-75-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp
memory/2696-77-0x00007FF706820000-0x00007FF706B74000-memory.dmp
C:\Windows\System\kTCKACZ.exe
| MD5 | 8b20a082bc612a2a5a1776f3776d912f |
| SHA1 | 9e07642cc3f5dec7146f666df05e1dcccfe9fff2 |
| SHA256 | 20a7163c5f552e24772287d9159cdef0a54d57677347187e790a870b3840d6e0 |
| SHA512 | ddbd943d7b0eaf390cdd258ec57768658158fe8f7a3afca95b8e6f35762a16937a10de7ef94233074983ac440515cd60537fe4ffedc788f19bdc2ab60f8b005c |
memory/1216-84-0x00007FF7D4790000-0x00007FF7D4AE4000-memory.dmp
memory/1844-83-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp
C:\Windows\System\gbfwXKy.exe
| MD5 | 5d74c32d4bbe2c8d9216173228567498 |
| SHA1 | cc85b93f1543294cde77d5a847d4368cc7183ec9 |
| SHA256 | 739bc2cca7cf5bd9b5aa13fcbd92d220fa6a55b5f4854e920bd2893f118fd126 |
| SHA512 | 4f063c9d5ff633821a2cc2736c3d42b669547f6763b1fd7d9f52cdbdad2f555a546bf1bca587116b85242a45dec0aec80dbc44ce01d07cb1bf4c895cacc5b0b5 |
memory/1792-89-0x00007FF724050000-0x00007FF7243A4000-memory.dmp
memory/928-88-0x00007FF620570000-0x00007FF6208C4000-memory.dmp
C:\Windows\System\IUfEnMw.exe
| MD5 | d9c47551abb1da741e331264e37482e3 |
| SHA1 | bdcb2273ad4279db53bc5ee460d901fd36b26891 |
| SHA256 | 3c060e48ba5e312f44101bcfbb40361b7c4185a18ab0c4986314187a69f437c5 |
| SHA512 | 01244f3d5796d24d412c3b159245baf1d9bda65e9b6d52a63a700f22d5e130d4926e391bc0fa18681fd37cb5d17b3b3937b4325421dfb6f3f09367a36cf81cdd |
memory/1568-96-0x00007FF7851D0000-0x00007FF785524000-memory.dmp
memory/224-98-0x00007FF677FC0000-0x00007FF678314000-memory.dmp
C:\Windows\System\OpgNKXS.exe
| MD5 | bbb07ef29759ac2adb7b100a54b6df75 |
| SHA1 | 9e1296c03f92deb6b70ff6a63b6a1bf25e0bb99e |
| SHA256 | de533be185e47a10a46d410a480b1fcd9ad9a912bccaded6d28ff1f1de35880d |
| SHA512 | f6f5f8a0499e20652358526040e30939e8f855a5677be546b5f34882b5ca113ced8813fe46d30870b0ceafd1d806778a44e28b95ff3aa7aab163c0fa1ce55bbb |
memory/4084-106-0x00007FF602D80000-0x00007FF6030D4000-memory.dmp
C:\Windows\System\QxQxrBg.exe
| MD5 | d6d0fab8e3366af3fe71f10b45108d69 |
| SHA1 | 656ff75b349ae9236a227874f699946f3525a9a2 |
| SHA256 | 072ed5f3daf1330353e4b821b3d27cbc8c8fed66a4c494bb07d331391ce6f6f6 |
| SHA512 | 8d41fc82137c516d6c0b2d135c088fc6ea224a379df10d8e13876ec4cb1e92369a7fc351ef77d60b08769c1fb922bfec2b084c3c27ad9e67274fb23d586e8357 |
memory/2304-110-0x00007FF710230000-0x00007FF710584000-memory.dmp
memory/1728-113-0x00007FF680B60000-0x00007FF680EB4000-memory.dmp
C:\Windows\System\lwPaLKK.exe
| MD5 | ae16963c08318d0535886a3a299f6fc8 |
| SHA1 | 253bd00f44563d77da40cf717ef8ddc532c99bcf |
| SHA256 | 335e1409b03f8d18aa909ee9455a1716ad269d9fc06e907ca57ec3a0c31a5874 |
| SHA512 | 6dd37f5496da0dd95d4827b82ea8207e7ad6b0219c7bbfb4ede6ac340fa8230f3409617bb987543d855895caa850a93ab0abd58e26ab66370eedccc0726a352e |
C:\Windows\System\ibwPEaK.exe
| MD5 | afec3d42486cab33c1006f08b39c37df |
| SHA1 | 5607e20183b6ff673e8fcb537267098949e853da |
| SHA256 | d0d26d69cba64f9c0ca292b13a4ab4ce06e41bffa782d7a4e119038e022a09cb |
| SHA512 | c4c8b707e0bb43b1cab09a264b18c0925c273ec3f29fe958944e0e6f929d1dda743e61376b7d9b1812011c6e54a7d684468a92a5817f3778dd935d0960406da7 |
memory/2884-120-0x00007FF71B200000-0x00007FF71B554000-memory.dmp
C:\Windows\System\IZQfjVr.exe
| MD5 | 09da4b4a77600120113d13b61a6890ad |
| SHA1 | 5e2f07d3bf577f22156026345773e1641525cc2a |
| SHA256 | 2a1d019d5502599a5ab7e658e25af27950f1f8a7e48b62ef17849a041433a28e |
| SHA512 | 6772217ddf42dde26787ff763ac165256c3d7c20a2689496cf1e531115c56ae26982d327a6425bba735be114eabac0f20953f18a5b8dabc97cd73495672df352 |
memory/3580-126-0x00007FF7BF0F0000-0x00007FF7BF444000-memory.dmp
memory/3276-128-0x00007FF7174E0000-0x00007FF717834000-memory.dmp
C:\Windows\System\EuZdOnh.exe
| MD5 | b318be8a8be73f74666abf604a161d94 |
| SHA1 | a574ad915c3cda7df439faede5a3459241a1a931 |
| SHA256 | 0c4dd9cc572c8a479dd0e29081a13a72d3ab5ecd254d49a20acf4bcfd8684798 |
| SHA512 | 230cc26c325ab5865fc001833ec4060ed2892986a2fddfefe41381ca5ec47400ae45affb3b244ce36f75216c8bac6f6b33a45fa29a0447780ce8d17773aafa4b |
memory/2512-123-0x00007FF6C88F0000-0x00007FF6C8C44000-memory.dmp
memory/1520-135-0x00007FF7E9F50000-0x00007FF7EA2A4000-memory.dmp
memory/1792-136-0x00007FF724050000-0x00007FF7243A4000-memory.dmp
memory/2512-137-0x00007FF6C88F0000-0x00007FF6C8C44000-memory.dmp
memory/4384-138-0x00007FF6024D0000-0x00007FF602824000-memory.dmp
memory/3276-139-0x00007FF7174E0000-0x00007FF717834000-memory.dmp
memory/2320-140-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp
memory/1844-141-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp
memory/928-142-0x00007FF620570000-0x00007FF6208C4000-memory.dmp
memory/1568-143-0x00007FF7851D0000-0x00007FF785524000-memory.dmp
memory/3808-144-0x00007FF69E030000-0x00007FF69E384000-memory.dmp
memory/2304-145-0x00007FF710230000-0x00007FF710584000-memory.dmp
memory/2884-146-0x00007FF71B200000-0x00007FF71B554000-memory.dmp
memory/448-147-0x00007FF702580000-0x00007FF7028D4000-memory.dmp
memory/4676-148-0x00007FF73F5A0000-0x00007FF73F8F4000-memory.dmp
memory/3756-149-0x00007FF77E110000-0x00007FF77E464000-memory.dmp
memory/2696-150-0x00007FF706820000-0x00007FF706B74000-memory.dmp
memory/1216-151-0x00007FF7D4790000-0x00007FF7D4AE4000-memory.dmp
memory/1792-152-0x00007FF724050000-0x00007FF7243A4000-memory.dmp
memory/224-153-0x00007FF677FC0000-0x00007FF678314000-memory.dmp
memory/4084-154-0x00007FF602D80000-0x00007FF6030D4000-memory.dmp
memory/1728-155-0x00007FF680B60000-0x00007FF680EB4000-memory.dmp
memory/3580-156-0x00007FF7BF0F0000-0x00007FF7BF444000-memory.dmp
memory/3276-157-0x00007FF7174E0000-0x00007FF717834000-memory.dmp
memory/2512-158-0x00007FF6C88F0000-0x00007FF6C8C44000-memory.dmp
memory/1520-159-0x00007FF7E9F50000-0x00007FF7EA2A4000-memory.dmp
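The Files section above is the part of the report most worth keeping: each dropped EXE with its four digests. The following is an added example, not the sandbox's own tooling, that parses this page's layout into a path-to-hashes map, skips the interleaved memory dump lines, validates digest lengths, and reports entries whose hash table is incomplete. REPORT_EXCERPT is copied verbatim from the two Files sections of this report (one complete entry, one memory dump line, and the final entry of the Windows 7 run, whose SHA512 row is missing); the parsing rules are inferred from the page layout and are an assumption about the export format.

```python
"""Turn the Files section of the report above into a hash list.

Added example, not the sandbox's own tooling. REPORT_EXCERPT is copied verbatim
from the two Files sections on this page; the parsing rules are inferred from
the page layout and are an assumption about the export format.
"""
import re

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# A dropped-file line is a Windows path, with or without a drive letter
# (the Windows 7 run prints "\Windows\system\..." without "C:").
PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\")


def parse_files(text: str) -> dict[str, dict[str, str]]:
    """Map each dropped-file path to {algorithm: hex digest}.

    memory/...-memory.dmp lines are skipped. A hash row that follows one of
    them, or whose digest length is wrong for its algorithm, is an export error
    and raises rather than silently producing a bad indicator.
    """
    files: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_ROW.match(line)
        if m:
            alg, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash row without a preceding file path: {line}")
            if len(digest) != HEX_LEN[alg]:
                raise ValueError(
                    f"{current}: {alg} has {len(digest)} hex chars, expected {HEX_LEN[alg]}")
            files[current][alg] = digest
        elif line.startswith("memory/"):
            current = None
        elif PATH_LINE.match(line):
            current = line
            files.setdefault(current, {})
    return files


def digests(files, alg: str = "SHA256") -> set[str]:
    """All digests of one algorithm, ready for a blocklist or a retro-hunt."""
    return {h[alg] for h in files.values() if alg in h}


def incomplete(files) -> list[str]:
    """Paths missing any of the four digests, e.g. where the export was cut off."""
    return sorted(p for p, h in files.items() if set(h) != set(HEX_LEN))


# Copied from the report's Files sections; only the last entry is incomplete.
REPORT_EXCERPT = r"""
C:\Windows\System\mElHPpi.exe
| MD5 | 24431caeba60865396028200fbd3720a |
| SHA1 | ed68acba72d9f8bc963f7f6b7e58fa1aa1036aa8 |
| SHA256 | 923c96a3b5dc87b43af4265c73feba9af3579c12ec22a66fc2ce63ca8065084c |
| SHA512 | eee61b5122c3b7da7ca761c03884781b97900b1d838a4e41661e2f5d44e0e5ef7bcdcc5b4ee90e6715c5f1b3e615cc4fcc1d4f3e1d6aa205ebbde8bfb3f1677e |
memory/4384-8-0x00007FF6024D0000-0x00007FF602824000-memory.dmp
C:\Windows\system\TjtOXUO.exe
| MD5 | 9584f88a916fb23c3cea499cdabe69b8 |
| SHA1 | 0b4f777ea817a1e25586f609efc82f38085c5751 |
| SHA256 | 83826d289145a66fce64cd1b143615d3e207e75ddc1756cefb684abab50318e1 |
"""


def run_excerpt():
    files = parse_files(REPORT_EXCERPT)
    return files, digests(files), incomplete(files)


if __name__ == "__main__":
    files, sha256s, partial = run_excerpt()
    for path, hashes in files.items():
        print(path, "->", ", ".join(f"{a}={d[:12]}..." for a, d in hashes.items()))
    print("SHA256 set:", sorted(sha256s))
    print("incomplete entries:", partial)
```

Feed the whole Files block of a report to parse_files and use incomplete() before shipping the digests anywhere; a truncated export like the tail of this page otherwise yields an indicator set that looks complete but is not.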
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 00:03
Reported
2024-06-28 00:06
Platform
win7-20240221-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; description, indicator, process and target were not captured in this export.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; description, indicator, process and target were not captured in this export.
UPX dump on OEP (original entry point)
58 hits; description, indicator, process and target were not captured in this export.
XMRig Miner payload
59 hits; description, indicator, process and target were not captured in this export.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pSrZlUz.exe | N/A |
| N/A | N/A | C:\Windows\System\TjtOXUO.exe | N/A |
| N/A | N/A | C:\Windows\System\KMaoRBO.exe | N/A |
| N/A | N/A | C:\Windows\System\izLMAzd.exe | N/A |
| N/A | N/A | C:\Windows\System\MYSnAfA.exe | N/A |
| N/A | N/A | C:\Windows\System\cLzyBsd.exe | N/A |
| N/A | N/A | C:\Windows\System\bHzQDnN.exe | N/A |
| N/A | N/A | C:\Windows\System\BXQFHHt.exe | N/A |
| N/A | N/A | C:\Windows\System\dyrzJeN.exe | N/A |
| N/A | N/A | C:\Windows\System\wNotxgj.exe | N/A |
| N/A | N/A | C:\Windows\System\oCsLcjm.exe | N/A |
| N/A | N/A | C:\Windows\System\wsEuehh.exe | N/A |
| N/A | N/A | C:\Windows\System\aOHWWUs.exe | N/A |
| N/A | N/A | C:\Windows\System\IOoheHg.exe | N/A |
| N/A | N/A | C:\Windows\System\xJXMDhi.exe | N/A |
| N/A | N/A | C:\Windows\System\SClfJlR.exe | N/A |
| N/A | N/A | C:\Windows\System\iGuvvdH.exe | N/A |
| N/A | N/A | C:\Windows\System\zNieVyo.exe | N/A |
| N/A | N/A | C:\Windows\System\UQlztaZ.exe | N/A |
| N/A | N/A | C:\Windows\System\FMVHQPu.exe | N/A |
| N/A | N/A | C:\Windows\System\xfTtiKB.exe | N/A |
Loads dropped DLL
UPX packed file
58 hits; description, indicator, process and target were not captured in this export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\pSrZlUz.exe
C:\Windows\System\TjtOXUO.exe
C:\Windows\System\KMaoRBO.exe
C:\Windows\System\izLMAzd.exe
C:\Windows\System\MYSnAfA.exe
C:\Windows\System\cLzyBsd.exe
C:\Windows\System\bHzQDnN.exe
C:\Windows\System\BXQFHHt.exe
C:\Windows\System\wsEuehh.exe
C:\Windows\System\dyrzJeN.exe
C:\Windows\System\aOHWWUs.exe
C:\Windows\System\wNotxgj.exe
C:\Windows\System\IOoheHg.exe
C:\Windows\System\oCsLcjm.exe
C:\Windows\System\xJXMDhi.exe
C:\Windows\System\SClfJlR.exe
C:\Windows\System\iGuvvdH.exe
C:\Windows\System\zNieVyo.exe
C:\Windows\System\UQlztaZ.exe
C:\Windows\System\FMVHQPu.exe
C:\Windows\System\xfTtiKB.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
\Windows\system\pSrZlUz.exe
C:\Windows\system\TjtOXUO.exe
C:\Windows\system\KMaoRBO.exe
\Windows\system\izLMAzd.exe
C:\Windows\system\MYSnAfA.exe
\Windows\system\cLzyBsd.exe
\Windows\system\bHzQDnN.exe
\Windows\system\BXQFHHt.exe
C:\Windows\system\wNotxgj.exe
\Windows\system\oCsLcjm.exe
C:\Windows\system\dyrzJeN.exe
C:\Windows\system\wsEuehh.exe
C:\Windows\system\IOoheHg.exe
C:\Windows\system\SClfJlR.exe
C:\Windows\system\FMVHQPu.exe
\Windows\system\xfTtiKB.exe
C:\Windows\system\UQlztaZ.exe
C:\Windows\system\zNieVyo.exe
C:\Windows\system\iGuvvdH.exe
C:\Windows\system\xJXMDhi.exe
\Windows\system\aOHWWUs.exe