Analysis Overview
SHA256
a7cf964013e0b1cf2842ba8c2cc9edce7bb17e829c22ffda9fea8ef4c5764436
Threat Level: Known bad
The file 2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike
Xmrig family
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
xmrig
Cobaltstrike family
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-28 08:50
Signatures
Cobalt Strike reflective loader: 1 hit
Cobaltstrike family
Detects Reflective DLL injection artifacts: 1 hit
UPX dump on OEP (original entry point): 1 hit
XMRig Miner payload: 1 hit
Xmrig family
UPX packed file: 1 hit
Unsigned PE: 1 hit
The report records no description, indicator, process or target detail for these static hits.
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 08:50
Reported
2024-06-28 08:53
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
148s
Signatures
Cobalt Strike reflective loader: 21 hits
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts: 21 hits
UPX dump on OEP (original entry point): 64 hits
XMRig Miner payload: 64 hits
The report records no description, indicator, process or target detail for these hits.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\nLdPVdM.exe | N/A |
| N/A | N/A | C:\Windows\System\oqniZcK.exe | N/A |
| N/A | N/A | C:\Windows\System\GLzeqTJ.exe | N/A |
| N/A | N/A | C:\Windows\System\sEbxpxY.exe | N/A |
| N/A | N/A | C:\Windows\System\piXvaGT.exe | N/A |
| N/A | N/A | C:\Windows\System\slGfwgI.exe | N/A |
| N/A | N/A | C:\Windows\System\jgUvNft.exe | N/A |
| N/A | N/A | C:\Windows\System\dNknnRT.exe | N/A |
| N/A | N/A | C:\Windows\System\FhgEtsM.exe | N/A |
| N/A | N/A | C:\Windows\System\rpxAizt.exe | N/A |
| N/A | N/A | C:\Windows\System\dmMhXqw.exe | N/A |
| N/A | N/A | C:\Windows\System\VdUqWIw.exe | N/A |
| N/A | N/A | C:\Windows\System\yMGPJYS.exe | N/A |
| N/A | N/A | C:\Windows\System\KclfuBB.exe | N/A |
| N/A | N/A | C:\Windows\System\geUDvvt.exe | N/A |
| N/A | N/A | C:\Windows\System\dAaBUkt.exe | N/A |
| N/A | N/A | C:\Windows\System\XfytqnK.exe | N/A |
| N/A | N/A | C:\Windows\System\ygObmpj.exe | N/A |
| N/A | N/A | C:\Windows\System\kcWndlU.exe | N/A |
| N/A | N/A | C:\Windows\System\mxbbdCp.exe | N/A |
| N/A | N/A | C:\Windows\System\AiKRwIF.exe | N/A |
UPX packed file: 64 hits (no indicator detail recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
SeLockMemoryPrivilege is the right XMRig enables at startup so it can back its RandomX dataset with large pages. Ordinary user-mode software almost never requests it (database engines configured for locked pages are the usual benign exception), so an executable in a user's Temp directory enabling it corroborates the XMRig verdict independently of the YARA hits and is worth a detection rule of its own.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\nLdPVdM.exe
C:\Windows\System\nLdPVdM.exe
C:\Windows\System\oqniZcK.exe
C:\Windows\System\oqniZcK.exe
C:\Windows\System\GLzeqTJ.exe
C:\Windows\System\GLzeqTJ.exe
C:\Windows\System\sEbxpxY.exe
C:\Windows\System\sEbxpxY.exe
C:\Windows\System\piXvaGT.exe
C:\Windows\System\piXvaGT.exe
C:\Windows\System\slGfwgI.exe
C:\Windows\System\slGfwgI.exe
C:\Windows\System\jgUvNft.exe
C:\Windows\System\jgUvNft.exe
C:\Windows\System\dNknnRT.exe
C:\Windows\System\dNknnRT.exe
C:\Windows\System\FhgEtsM.exe
C:\Windows\System\FhgEtsM.exe
C:\Windows\System\rpxAizt.exe
C:\Windows\System\rpxAizt.exe
C:\Windows\System\dmMhXqw.exe
C:\Windows\System\dmMhXqw.exe
C:\Windows\System\VdUqWIw.exe
C:\Windows\System\VdUqWIw.exe
C:\Windows\System\yMGPJYS.exe
C:\Windows\System\yMGPJYS.exe
C:\Windows\System\KclfuBB.exe
C:\Windows\System\KclfuBB.exe
C:\Windows\System\geUDvvt.exe
C:\Windows\System\geUDvvt.exe
C:\Windows\System\dAaBUkt.exe
C:\Windows\System\dAaBUkt.exe
C:\Windows\System\XfytqnK.exe
C:\Windows\System\XfytqnK.exe
C:\Windows\System\ygObmpj.exe
C:\Windows\System\ygObmpj.exe
C:\Windows\System\kcWndlU.exe
C:\Windows\System\kcWndlU.exe
C:\Windows\System\mxbbdCp.exe
C:\Windows\System\mxbbdCp.exe
C:\Windows\System\AiKRwIF.exe
C:\Windows\System\AiKRwIF.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
The ten PTR queries to 8.8.8.8 are reverse lookups of cloud and CDN addresses that the Windows 10 image contacts on its own; the Windows 7 detonation below issues none of them. The only destination common to both runs is 3.120.209.58:8080 over TCP (six connections here), so treat that endpoint, not the DNS rows, as the sample's network indicator.
Files
memory/1860-0-0x00007FF6DDF70000-0x00007FF6DE2C4000-memory.dmp
memory/1860-1-0x0000016BEE4E0000-0x0000016BEE4F0000-memory.dmp
C:\Windows\System\nLdPVdM.exe
| MD5 | bea22b7c4cf20239a69e2bf663ef72ba |
| SHA1 | f5afa0737144f5a32210ad065435e5b58d27f66b |
| SHA256 | 5a9727a0d743b61b98eccb24252d472071ff3134b9d66989caf96f180dc78c4f |
| SHA512 | 8c94da93aec2fea9fed1c4c805f0ba996663f119e1bdde82a70d45d73818100d5530489cd4abebfa92a8e225468b86a270ad1e937c20b81a652d3919360a7076 |
C:\Windows\System\oqniZcK.exe
| MD5 | 9df48cb8d51dda757687ecc0e02b5541 |
| SHA1 | 84e1193f737c747a0043297a97abbd09416e293e |
| SHA256 | b8ca2a532ef8ccfb76f61d8bfdeebd7e2b6d9636f6932cb71a40992beeb0ae3d |
| SHA512 | 006af90d00d1f20e5bf971ce370112e68e2614d671799ea7aa4b841dcf40e859b19aea7e0008183aeb1ba408f78ac32b2d44b69b13454d13d7bd981ede95da9f |
C:\Windows\System\GLzeqTJ.exe
| MD5 | cb6b8fb56c68cada5b1bd88e9268314e |
| SHA1 | 76d232403db163c936b50845632a727e0fd0d74e |
| SHA256 | 423184b7d9e40cc236407109a797a85505eb811a1c893da8b9b562d753ec857f |
| SHA512 | 31a690879720beedc5427aea8952019966e865f011458bb1688efbfa28e9c86fb19850c029d5418581c8cd085e73bfbf10e31dd7a4fd5edf43fb2845dc7aa111 |
memory/800-14-0x00007FF623B20000-0x00007FF623E74000-memory.dmp
memory/5028-7-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp
C:\Windows\System\sEbxpxY.exe
| MD5 | 5ff91b6e457c738766b75c737b94008f |
| SHA1 | 5b00a3051492d6f050cdf40e7c5efd8eca6a512c |
| SHA256 | ac7a7252eb3fae9c4b2bf58572ee8ed409b989c9683a07563ac6ee12aa2728c2 |
| SHA512 | 534f24df7b02475b6481c67a3affb4c7eec30e5953c5890a6ad397a822ac602d937789df9f41fb3cddf032e93c54ba0c53d5df41462d443d22007dcf602ba0be |
C:\Windows\System\piXvaGT.exe
| MD5 | e8ee17dd9e4b236660b4e90704046e2c |
| SHA1 | b1c2a6347a6ae513861a6959e9351844074dc372 |
| SHA256 | 648c03fbb1b2ac3c6c8a143766241f341dd09ac3f505310ae17a026883ed16d1 |
| SHA512 | 50fbe101c1d3e69939173c55eee183840dbf881611a2d6b9ed764a3de5fd0726becedf0f79b573d3f8854590fde318f1dea06dada2498fabd5c052d9cc521afa |
C:\Windows\System\jgUvNft.exe
| MD5 | 46b8423ba9deb5d303aa2f2281a5a868 |
| SHA1 | 29178bf20b9e985cc1893bf03f0c491bf227833f |
| SHA256 | 1a928e0584c009e49989d9bb564765ff2e69d7a5ef59b06e3a70c2638be74580 |
| SHA512 | 2bbdf8352b05a246163b8eb1f3173f38e4f1e582afc5ef2d0138127e1f67a7469dc103db556c71d09564f640024786e035ea76d9f9de6e0c26d8fac2952c2388 |
C:\Windows\System\dNknnRT.exe
| MD5 | f166c61dd6aaa6d18c8a2121ed691221 |
| SHA1 | 6118d1d0354d38cc2ea8e58f0e07fb0303794ecf |
| SHA256 | 646048e26a4eefb272e959199df7e26bace4b5768d72c33f4517ed5bf883392e |
| SHA512 | 1b13f8c3c056b53704fa8568d9744b6ea8b66a32d01d5185035d0f3bc1b7a6ee4123abf44fa55d5196d14d13116d817849c558b17e9079e6e74f427232ae2243 |
C:\Windows\System\FhgEtsM.exe
| MD5 | 73057017cf80feb76485c167d48acc0b |
| SHA1 | f5e0c4f9b61c915f1fc535f6c6eb24266e826fbb |
| SHA256 | 0f17cfb66431cca0ff26af0fd9344cd311c9fc52855ee75d8fbed69782de78b4 |
| SHA512 | 8afb5e55bb05312c24cffd78b6bdb43cb61df1bd103e549453a1c900da136b392271235d712270e505ebee6fa5db53a004d516dc609f71e35a81136c39388fef |
C:\Windows\System\rpxAizt.exe
| MD5 | e3e0058ce29cfb8dc01fd02daaa41ba3 |
| SHA1 | 963a2796ee834562c7c600213b769ace508dfa6a |
| SHA256 | 68b6a3744d1ad3801267aca6fe7d761b76ff95b718faa059db820221d90c8304 |
| SHA512 | 05937ced40aa715bffb33d6b35962bcc3b0fb5780006fc581e82a5878ba23f585e9ee1d2d35132ddc8eddd30557e97a704045c3e0e6ee064c3d5c08c7ad0b90f |
C:\Windows\System\yMGPJYS.exe
| MD5 | 91a2e3e94e7a61dcce50f299f3111cb4 |
| SHA1 | d9bae4e673f31943802c14b41d273841b76a5f29 |
| SHA256 | 5a7cd367433e7ebd74269b7d6b3a0747c4ee2db0445c98fb27892d835b8cf229 |
| SHA512 | 768a20d16915f50b8c859ec88021d98e4e336535d73c0fe3a976d5220a451372c5d5584392ec5dec0f33705bbeadda08d0852bd66c9c636833ed2208491aee28 |
C:\Windows\System\geUDvvt.exe
| MD5 | 69e9c97de85b7a13a9019192f130dbf4 |
| SHA1 | 64331d2386cf7574db825f7de16922b9f2ed2f4b |
| SHA256 | bdf538b88aba6350af22945d348be0a26476cbb78ceebd62d94abda9e5ae5952 |
| SHA512 | 852767feade48f612984e178f2bc9e3768f6c3ceddf569af3511e0d9200267b68f53e7424a1d91b53f91b10d1b71857a22fecd4e6400e2845f445d93b19cd983 |
C:\Windows\System\ygObmpj.exe
| MD5 | 7188d820cdb47a8ae0b636e21b480d47 |
| SHA1 | 99da54392aa102e9b5c3fb23bf0d6ff8f05a8d87 |
| SHA256 | 0928c5410ef5ae638bbdeca844e96dcc9e88c7972ef91dba6bea955f996712a9 |
| SHA512 | d1c844cc727df612465c5758935ad8e639c7d3245610867d12655102f18e76613838ced728a5ed9acbd3c161e49dc82990277d99e98f81e76562c64cddbdb8a3 |
C:\Windows\System\AiKRwIF.exe
| MD5 | 62fd12c617da0b288ae84747d91b261e |
| SHA1 | 5f3089affd2bc335774a5f3093cf167e8a8d20a9 |
| SHA256 | b13863431a74a46cc7b2ed9e72144b83e264df0d0646461ca2606ac2496c02fe |
| SHA512 | 38e2d70f465d22253e46f151b43381ecbc9ad67d785767e8d40859210719f751ea42da7974cb41dbd2aaaafddf625601c2733e89cddf4bec1e2d7ad8b4269fac |
C:\Windows\System\mxbbdCp.exe
| MD5 | 1b07e64b5103630a8f3baff84d521249 |
| SHA1 | 2efc48c86941e718d91524d9f74a3333c26f67f3 |
| SHA256 | ba15cb26ec0df153eeb48a5d7fb5409778233de221ce292af91de363d9783655 |
| SHA512 | 18ce792a1b39f4465918257c5af911e5cc49e23a4cbe2e961e4b6f50ab7d3d6104ca173ae890b45307778fd79865ceb76ef58c195ebb4a086f165f34adaac2be |
C:\Windows\System\kcWndlU.exe
| MD5 | 65cdd9efe8b11126820fc6807929499e |
| SHA1 | 3e57f0befe18ce16fe35675eb5a2c20dbe4dee53 |
| SHA256 | 8182ba4b6384dcd0f315ff086fdeaa6cb2ada571292aa5699d0e7bb238457c96 |
| SHA512 | df0b2c37352d2891beaa055618aaf409250caf16e1a8aa408cab30af0b6ce39612e24015aa158e707f83cb7f3f385f1f9bb52a264bc03a4ef18269afce682f08 |
C:\Windows\System\XfytqnK.exe
| MD5 | 95580cc6f3c35456180376e9eb0747d2 |
| SHA1 | 8c4f942bc57a04b2b6b24aafd05ba2d5cc56ad6b |
| SHA256 | 09dba446902aba7acb2a1394534c3edfe8e829f6797f494620735066a0a0554a |
| SHA512 | 106cc4fac01bcc1bcab64864c13407b3ad4371b80faecb4dab15797020b8187ddaf0f90190d6f958a8043c526922aabeec5efe6fcd246a0765bec488cde39d72 |
C:\Windows\System\dAaBUkt.exe
| MD5 | 7b1e2f9afb38ea01a0a381fb860a04c8 |
| SHA1 | 0cc81b7228c632d5b2b1a822da413f8e81ba1430 |
| SHA256 | 7ad404e177d1192076e057cce56c7a27d0e94d80bd58cddfe8f0420ce402a928 |
| SHA512 | 89fb146eff811cd7ccaed7b58ee8ae6751110b648f7fb4cff04bd154521277c76f17c8325fd4bf5c0a75486abc6ac5ccdcdac7b25bf3967221242ec28241ddde |
C:\Windows\System\KclfuBB.exe
| MD5 | 6a38a1acc96f5111e4cd8c30f219a456 |
| SHA1 | 10ceeee8ebe900715d0250a70abe4429cc242e06 |
| SHA256 | 2f79984771d6a71a39e836553b11828ac1cdaf3917fc4beadbb536b2c6a66112 |
| SHA512 | 10826103778e4662d5bfdd05814b36c442c0708f490a62a33ac7c1cb69511e987d23f31fab94f9fd1023b2910b848dc942b4954a3a7f9dfa263c2c780d514988 |
C:\Windows\System\VdUqWIw.exe
| MD5 | c940ed003cb92f0f1c8b8331e26d7842 |
| SHA1 | 37cbf66609a226391a9824d519a25056410739c2 |
| SHA256 | 1e73f08b911e63c3182c8d501da07c0fe10127a97361a78af30d9b205f7a30bc |
| SHA512 | f216d257791612f719e533f2716287ef76ff518221d636b25d6e89ec9949f2c1c863639a3850b91e199cfa8b0e96615a52f0db20a9d8ad83a335edbf787c84d8 |
C:\Windows\System\dmMhXqw.exe
| MD5 | 4f28a93703f408671dfb2601efe03f74 |
| SHA1 | e1f446aeb536c657258cce58d0c12fdedcc66260 |
| SHA256 | d377700b011fef58eb6c94c465f1b6902d43ff058891290bb37784fc0a261fb1 |
| SHA512 | 5954220419b652b623ea7811d3dc69c3d2e89f8fdec4ec938a7fd29707014a6ef90b2f592b936ed96730e459008716397350029ff99b47dd0f29dbda664cf867 |
memory/4624-42-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp
memory/1756-40-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp
C:\Windows\System\slGfwgI.exe
| MD5 | d2594f38215751c3bf4fc52a6d6d060b |
| SHA1 | ec573ff4255229d2f06617a521c54b2c1bbbf4c3 |
| SHA256 | e49d0cf90f71bd3beb7dfaf722623355ee7ca573d38b91aff66f965f837cd0db |
| SHA512 | cae2ab542664676ffa2f02043efa6902bdabc46f334d6bb546b656f8b2e43a362d68fb89ef1801df5fa2e092f99d6abf0941fe5f042f674c217156bb4b7f7ab6 |
memory/1428-34-0x00007FF644690000-0x00007FF6449E4000-memory.dmp
memory/1836-27-0x00007FF6AE4F0000-0x00007FF6AE844000-memory.dmp
memory/3260-20-0x00007FF7BE140000-0x00007FF7BE494000-memory.dmp
memory/3188-114-0x00007FF7901C0000-0x00007FF790514000-memory.dmp
memory/2448-116-0x00007FF778250000-0x00007FF7785A4000-memory.dmp
memory/3180-118-0x00007FF75C660000-0x00007FF75C9B4000-memory.dmp
memory/1840-120-0x00007FF7809D0000-0x00007FF780D24000-memory.dmp
memory/4968-121-0x00007FF7530F0000-0x00007FF753444000-memory.dmp
memory/3948-122-0x00007FF60A3E0000-0x00007FF60A734000-memory.dmp
memory/2528-123-0x00007FF788B30000-0x00007FF788E84000-memory.dmp
memory/2396-124-0x00007FF74D890000-0x00007FF74DBE4000-memory.dmp
memory/3256-119-0x00007FF7F68B0000-0x00007FF7F6C04000-memory.dmp
memory/2184-117-0x00007FF6E55C0000-0x00007FF6E5914000-memory.dmp
memory/676-115-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp
memory/368-126-0x00007FF68C360000-0x00007FF68C6B4000-memory.dmp
memory/1384-127-0x00007FF6079A0000-0x00007FF607CF4000-memory.dmp
memory/3316-125-0x00007FF659E60000-0x00007FF65A1B4000-memory.dmp
memory/1860-128-0x00007FF6DDF70000-0x00007FF6DE2C4000-memory.dmp
memory/5028-129-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp
memory/1756-130-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp
memory/4624-131-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp
memory/5028-132-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp
memory/800-133-0x00007FF623B20000-0x00007FF623E74000-memory.dmp
memory/3260-134-0x00007FF7BE140000-0x00007FF7BE494000-memory.dmp
memory/1836-135-0x00007FF6AE4F0000-0x00007FF6AE844000-memory.dmp
memory/1428-136-0x00007FF644690000-0x00007FF6449E4000-memory.dmp
memory/1756-137-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp
memory/4624-138-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp
memory/3188-139-0x00007FF7901C0000-0x00007FF790514000-memory.dmp
memory/676-140-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp
memory/3180-143-0x00007FF75C660000-0x00007FF75C9B4000-memory.dmp
memory/2184-142-0x00007FF6E55C0000-0x00007FF6E5914000-memory.dmp
memory/2448-141-0x00007FF778250000-0x00007FF7785A4000-memory.dmp
memory/3256-144-0x00007FF7F68B0000-0x00007FF7F6C04000-memory.dmp
memory/1840-145-0x00007FF7809D0000-0x00007FF780D24000-memory.dmp
memory/2528-148-0x00007FF788B30000-0x00007FF788E84000-memory.dmp
memory/4968-147-0x00007FF7530F0000-0x00007FF753444000-memory.dmp
memory/3948-146-0x00007FF60A3E0000-0x00007FF60A734000-memory.dmp
memory/3316-149-0x00007FF659E60000-0x00007FF65A1B4000-memory.dmp
memory/2396-150-0x00007FF74D890000-0x00007FF74DBE4000-memory.dmp
memory/1384-152-0x00007FF6079A0000-0x00007FF607CF4000-memory.dmp
memory/368-151-0x00007FF68C360000-0x00007FF68C6B4000-memory.dmp
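The Files listing above is dense but carries two facts an analyst wants before writing detections: every mapped image in both detonations spans 0x354000 bytes (for example 0x00007FF6DDF70000 to 0x00007FF6DE2C4000), and the dropped executables all carry different hashes even though they are the same payload. The parser below is an added example, not part of the Triage report or of any tool the report describes; it reads an excerpt of the listing (copied from the lines above, with the SHA512 rows left out), rejects truncated digests, de-duplicates repeated dumps of the same region, and returns the dominant image size, the PIDs that mapped it, and a SHA256 blocklist with a flag saying whether the drops were polymorphic. The field layout it assumes is the `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` and `| ALG | digest |` form used on this page.

```python
import re
from collections import Counter

# Excerpt of the behavioral2 "Files" listing above (Windows 10 run). The same
# parser accepts the behavioral1 entries, whose paths have no drive letter.
REPORT_EXCERPT = r"""
memory/1860-0-0x00007FF6DDF70000-0x00007FF6DE2C4000-memory.dmp
memory/1860-1-0x0000016BEE4E0000-0x0000016BEE4F0000-memory.dmp
C:\Windows\System\nLdPVdM.exe
| MD5 | bea22b7c4cf20239a69e2bf663ef72ba |
| SHA1 | f5afa0737144f5a32210ad065435e5b58d27f66b |
| SHA256 | 5a9727a0d743b61b98eccb24252d472071ff3134b9d66989caf96f180dc78c4f |
C:\Windows\System\oqniZcK.exe
| MD5 | 9df48cb8d51dda757687ecc0e02b5541 |
| SHA1 | 84e1193f737c747a0043297a97abbd09416e293e |
| SHA256 | b8ca2a532ef8ccfb76f61d8bfdeebd7e2b6d9636f6932cb71a40992beeb0ae3d |
memory/800-14-0x00007FF623B20000-0x00007FF623E74000-memory.dmp
memory/5028-7-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp
C:\Windows\System\GLzeqTJ.exe
| MD5 | cb6b8fb56c68cada5b1bd88e9268314e |
| SHA1 | 76d232403db163c936b50845632a727e0fd0d74e |
| SHA256 | 423184b7d9e40cc236407109a797a85505eb811a1c893da8b9b562d753ec857f |
memory/4624-42-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp
memory/1860-128-0x00007FF6DDF70000-0x00007FF6DE2C4000-memory.dmp
"""

MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Dropped files: optional drive letter, \Windows\System (not System32), 7-letter name.
DROPPED_RE = re.compile(r"^(?:[A-Za-z]:)?\\Windows\\[Ss]ystem\\([A-Za-z]{7})\.exe$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Return (regions, files).
    regions: one dict per memory dump line with pid, start, end and size.
    files:   {dropped path: {algorithm: hex digest}} for the hash rows that follow it.
    A digest of the wrong length means the page was truncated; fail loudly."""
    regions, files, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := MEMORY_RE.match(line):
            pid, _, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            regions.append({"pid": int(pid), "start": start, "end": end, "size": end - start})
        elif DROPPED_RE.match(line):
            current = line
            files.setdefault(current, {})
        elif (m := HASH_RE.match(line)) and current:
            alg, digest = m.group(1).upper(), m.group(2).lower()
            if len(digest) != HASH_LEN[alg]:
                raise ValueError(f"{current}: {alg} digest has {len(digest)} hex chars")
            files[current][alg] = digest
    return regions, files


def image_size_profile(regions):
    """Size of the dominant mapped image and the sorted PIDs that mapped it.
    The report dumps the same (pid, start) region more than once; count it once."""
    unique = {(r["pid"], r["start"]): r for r in regions}
    sizes = Counter(r["size"] for r in unique.values())
    image_size, _ = sizes.most_common(1)[0]
    pids = sorted({r["pid"] for r in unique.values() if r["size"] == image_size})
    return image_size, pids


def hash_iocs(files, alg="SHA256"):
    """Sorted de-duplicated digests for a blocklist, plus whether every dropped
    file was unique (polymorphic drops make a hash blocklist a weak control)."""
    digests = [h[alg] for h in files.values() if alg in h]
    return sorted(set(digests)), len(set(digests)) == len(digests)


if __name__ == "__main__":
    regions, files = parse_report(REPORT_EXCERPT)
    size, pids = image_size_profile(regions)
    iocs, polymorphic = hash_iocs(files)
    print(f"image size 0x{size:X} mapped by PIDs {pids}")
    print(f"{len(iocs)} SHA256 IOCs, all distinct: {polymorphic}")
```

Run over the complete listing above it reports 21 dropped files with 21 distinct SHA256 values and 22 PIDs that each map a 0x354000-byte image, which is the reason to key detections on the drop location, the privilege request and the C2 endpoint rather than on file hashes.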
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 08:50
Reported
2024-06-28 08:53
Platform
win7-20240611-en
Max time kernel
139s
Max time network
149s
Signatures
Cobalt Strike reflective loader: 21 hits
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts: 21 hits
UPX dump on OEP (original entry point): 61 hits
XMRig Miner payload: 63 hits
The report records no description, indicator, process or target detail for these hits.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\kaJbDCU.exe | N/A |
| N/A | N/A | C:\Windows\System\THtiXBV.exe | N/A |
| N/A | N/A | C:\Windows\System\SExfcVm.exe | N/A |
| N/A | N/A | C:\Windows\System\XTQrhJG.exe | N/A |
| N/A | N/A | C:\Windows\System\ZzaAFhZ.exe | N/A |
| N/A | N/A | C:\Windows\System\hccrayw.exe | N/A |
| N/A | N/A | C:\Windows\System\ZvWLdpk.exe | N/A |
| N/A | N/A | C:\Windows\System\KyrrqPq.exe | N/A |
| N/A | N/A | C:\Windows\System\DwooMaS.exe | N/A |
| N/A | N/A | C:\Windows\System\XGorZvQ.exe | N/A |
| N/A | N/A | C:\Windows\System\HagIcvB.exe | N/A |
| N/A | N/A | C:\Windows\System\dLZIiaG.exe | N/A |
| N/A | N/A | C:\Windows\System\sEivhSY.exe | N/A |
| N/A | N/A | C:\Windows\System\iXgBgWm.exe | N/A |
| N/A | N/A | C:\Windows\System\hGkFAgR.exe | N/A |
| N/A | N/A | C:\Windows\System\UclwFBq.exe | N/A |
| N/A | N/A | C:\Windows\System\HfsCUSe.exe | N/A |
| N/A | N/A | C:\Windows\System\BjkceYV.exe | N/A |
| N/A | N/A | C:\Windows\System\zvWbnKD.exe | N/A |
| N/A | N/A | C:\Windows\System\eMtxoFk.exe | N/A |
| N/A | N/A | C:\Windows\System\ppDuoFo.exe | N/A |
Loads dropped DLL
UPX packed file: 61 hits (no indicator detail recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\kaJbDCU.exe
C:\Windows\System\kaJbDCU.exe
C:\Windows\System\THtiXBV.exe
C:\Windows\System\THtiXBV.exe
C:\Windows\System\XTQrhJG.exe
C:\Windows\System\XTQrhJG.exe
C:\Windows\System\SExfcVm.exe
C:\Windows\System\SExfcVm.exe
C:\Windows\System\ZzaAFhZ.exe
C:\Windows\System\ZzaAFhZ.exe
C:\Windows\System\hccrayw.exe
C:\Windows\System\hccrayw.exe
C:\Windows\System\ZvWLdpk.exe
C:\Windows\System\ZvWLdpk.exe
C:\Windows\System\KyrrqPq.exe
C:\Windows\System\KyrrqPq.exe
C:\Windows\System\DwooMaS.exe
C:\Windows\System\DwooMaS.exe
C:\Windows\System\XGorZvQ.exe
C:\Windows\System\XGorZvQ.exe
C:\Windows\System\HagIcvB.exe
C:\Windows\System\HagIcvB.exe
C:\Windows\System\dLZIiaG.exe
C:\Windows\System\dLZIiaG.exe
C:\Windows\System\sEivhSY.exe
C:\Windows\System\sEivhSY.exe
C:\Windows\System\iXgBgWm.exe
C:\Windows\System\iXgBgWm.exe
C:\Windows\System\hGkFAgR.exe
C:\Windows\System\hGkFAgR.exe
C:\Windows\System\UclwFBq.exe
C:\Windows\System\UclwFBq.exe
C:\Windows\System\HfsCUSe.exe
C:\Windows\System\HfsCUSe.exe
C:\Windows\System\BjkceYV.exe
C:\Windows\System\BjkceYV.exe
C:\Windows\System\zvWbnKD.exe
C:\Windows\System\zvWbnKD.exe
C:\Windows\System\eMtxoFk.exe
C:\Windows\System\eMtxoFk.exe
C:\Windows\System\ppDuoFo.exe
C:\Windows\System\ppDuoFo.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\kaJbDCU.exe
| MD5 | 3dfa26f46e7527cc9de8775b60a4e917 |
| SHA1 | 2e9bf163d29ed186b818d47f4b62e1cd1e27baea |
| SHA256 | 6ae5addc435cca3ac14011550bf7c4f651d4dde2ba0e2cc8bb14b3f99b0e5abd |
| SHA512 | 18a7b25ed03083942b026a45e89ff7ebff5440169417a214a1996f41269405621f17803d7aed651aab96981bdf3ff9f98ad3e9ade0fa666c5e27a1ea01567f4a |
\Windows\system\XTQrhJG.exe
| MD5 | 0d868ecf46f0f837835c6b22952cc63b |
| SHA1 | 7b0ef054a5fad97e37c48e76c2c0c09726873faa |
| SHA256 | bebc6e19750287f017d12d5da843b4272cbf2ecd9301fdf2e5789cdd42c8aa04 |
| SHA512 | 9f3b07fb76f465614e69865ace79bfe57bca5845b2e9d4b066d8270622bdde4305e562968af321befefc4af6715a6d3185d9ca47a7bc7692a8f80fa145b734f9 |
C:\Windows\system\SExfcVm.exe
| MD5 | 006b09e15945a1bf9bc635051bb22459 |
| SHA1 | ca78b7ae626c4086b5e24044faa67777afedc24b |
| SHA256 | 0fb4528c853282234bebb3c09720f2b5621b9e7834cb3e6c519b4c2291f3cd11 |
| SHA512 | dd7ba8ef3c399c147e5fda3c024670f5f7eba2b2d253b42ebc7c6a4fe1abb9ff2b94728a6dd944d0bd52eb9802fa45b5d29d6168a43555862f8a97f50ca2097c |
C:\Windows\system\THtiXBV.exe
| MD5 | a6bded2b2cf026cce0bc448e4dd16d1e |
| SHA1 | e6d170d6cdac103779da7998432bd64a8d9179d7 |
| SHA256 | 68ea70fd2edcec2fa6c5fdcf91817df3ec10cc6b4b3fa5be61389194dc83f28d |
| SHA512 | 31a459e0e332a9f5ab797b39d3c1f0766843662fb89156203be0bcb9c6d350dc1ea1263c9f8a64a1aeba99374a7becf21d9e519ed2df1b559ad0dac560dcc13e |
C:\Windows\system\ZzaAFhZ.exe
| MD5 | 696097a82c4b7510174077b0fc7eef6f |
| SHA1 | ff6e569b81e2176d3664cc99ffa9cb0bb6096f14 |
| SHA256 | e2d845880315ee16331ba5f6a4746d3588af1b72d1f71f46832a1058bdf9f4c3 |
| SHA512 | ce5a6ce6ae5c9ac2b67bc253440a3224d0b1d42df7a5bfb23e3db4df5cd67e547485d2ff4b01eece6959fdf07e76c0b4512450335fb05bdb7fe4325552b3ec19 |
\Windows\system\hccrayw.exe
| MD5 | 510730e0f2a3018a2e28979d519736f7 |
| SHA1 | 08d3b7aa7c2fdc583223a5aa52e4376a8ceebf8b |
| SHA256 | b9c315df67d3f39ea1117d10511401ab8ee17b663e14cdff8a469227bcf092bc |
| SHA512 | 781b2f57771d8751f22d5ba74ae25f715dba0d0e9c969a69f52dfea92fecb4f219fde17bf6525c378a6031a4001244a416925723fb10a1442093c37f74341fb4 |
C:\Windows\system\XGorZvQ.exe
| MD5 | c2657242151643f629418b7985ef3aa1 |
| SHA1 | 54d524900864c643ea84fdac8cf14595402897f4 |
| SHA256 | e1f9433b5b676a4679fc4ee2c129ce26e18515825f65daaf5c1d39a666643fdc |
| SHA512 | bfda86b61ad742218ccbdcf89611b30f41c5400d69f47cef73874f33b8f46c325fbd5a01b23ed28dd453e77f95dc5023bf8f35f4aec44d32300dc5ad68269103 |
C:\Windows\system\HagIcvB.exe
| MD5 | a3bd86d39a4a6c048a73d6e94532f2f7 |
| SHA1 | e78e8f007a7460120adc492a749a0d33f7d14c9a |
| SHA256 | f766f433bb692ce2544d9b17f962b7939195af8c8bb451c406b99451f7efff3c |
| SHA512 | 8d3211af76d0af16aa3080c3ca8412ce12b3b5dc7d46330053ff43a684ecd5dd676df4c25a086fa70d35dfbec39f0534a73e1e2b7a273ee4dc9f341381966077 |
C:\Windows\system\BjkceYV.exe
| MD5 | d28eae58f67ff9f871a5fc032a8c8784 |
| SHA1 | b851e4409eadb46c08c444918d57301efb16ede1 |
| SHA256 | 2c9bb3997922871a03dd00554f793ba88bceb9498e2c9060a000cea10a9f1e5d |
| SHA512 | 1b2d2704daf31f0b100682ac01b89f09a5d986ca33d5be41420e82fa9774737fb5029340e765d79765bd1a42915d86690121fa0a90e75a1ed73b4af2900a320a |
\Windows\system\ppDuoFo.exe
| MD5 | 69b6a98c2b2d245c2cce86eb89fd38a6 |
| SHA1 | f442af2679f334e655e6aa6d803ba8770408d798 |
| SHA256 | f3dceb27fc5a4d0fe0000275f0f6a8cf7ec4559ed0963770758c92e31798d89b |
| SHA512 | e6ff8710212aad3c728fd306344ba0c4b19dfa39ffd6868d95e118c1be110a3799bfe01983008a8a33a9d80156eb637f040def483d551aa9accdc028a380e7cd |
C:\Windows\system\eMtxoFk.exe
| MD5 | c95840de56bcb877296e78de6fcdcc40 |
| SHA1 | 382298d2bd7c472afbee000e8d44e67fd4b6a946 |
| SHA256 | 189f95cff858b7d72538a7fd210bc333a724382942fc21efc02fd7c101beef98 |
| SHA512 | 52f451a14f7367b4743fe6af17eb28a37a76f9f93013b65fd60f46310fa191bc9e555aa999e03c52043733d1118b49025003cc092923299aaa14b70c91275faa |
C:\Windows\system\zvWbnKD.exe
| MD5 | 1c9e84c5f8cd4b444290a858228d6598 |
| SHA1 | be33da5b2d9a0e2630cfe6dc0f39c1692821dc41 |
| SHA256 | 1dbd461a6be0db03f25146d2d2f7bda9e5341ce918d9117ef6ad3eac535e8e8d |
| SHA512 | e49cbd1bdc89200b439b860daac5cca9ee32e54a49c79ddd1981331bf382b1ed0818180d11e7bf626c54287b02228d6a6c4293d6303f67221c6d9de9b96955fe |
C:\Windows\system\HfsCUSe.exe
| MD5 | 9e9e419d6c9ba87cf5d33b9a99c11040 |
| SHA1 | f461d5c3bfab31c2073d928643d3a8deb4d21d92 |
| SHA256 | 4d0b9f8eba2206c9265d8ae5b594f4f7d98890d11075fad78b8b1a63e73cfc63 |
| SHA512 | 6de6c740c81dae7b33c269e64ec2b51208e22a31c5a25bf89b6436f42bb11eee863b6ef5b0bc55fd1f5c127f388bf324ab4db649d3ee26b80a0f95dca1e24a44 |
C:\Windows\system\UclwFBq.exe
| MD5 | 5b7bc1b1d98a1595629ce0a22eea8979 |
| SHA1 | e96aa9433eeb77c692657d18c5c3cf01d29aaaa0 |
| SHA256 | 74f3a17b6a287f15807fff2ce9480d5080032c18d4445f80288ea5aa5f0cd437 |
| SHA512 | 065b8cfece46e009166936bbddb8f91ebbe2228c3a0f06ed0034be2f17d25768e758c999c8b99e613afb3fdec4a4b24163174c1476d6aed866d22274dcc5ba85 |
C:\Windows\system\hGkFAgR.exe
| MD5 | eb4afa259067f80b63f83e6ce0e36a43 |
| SHA1 | 44887fa14d21f8ad66da21a3e2a9c85f82885114 |
| SHA256 | 78affb3aeebc3c3b3e5130a9bec424c40a66d2caee852d4c5f370c12dfe0da6e |
| SHA512 | b12f75110de5b592bcc6bc00436367cff2f4420cdb688837a7f7ccbabf6c0d75807629a73ce61eff73bc622d33ef1a17454d1c16c42be98d35448e6528369582 |
C:\Windows\system\iXgBgWm.exe
| MD5 | 8cfc89d90d240f0ba35942cd048689e0 |
| SHA1 | 833797eed8e3a76a891596d69a2856d28059de87 |
| SHA256 | 079088c55663157ac19144c1a83b25ecef96081744987b81fc8bf089253621b9 |
| SHA512 | f4bf130cdf24fd66e9969442b1a8acf7319de911b8f74ad636b9dfe201e0dac5dc4b00ec7690e07325b50c4e21077d153f0495fa34088a7c4d56140a5fc15ba9 |
C:\Windows\system\sEivhSY.exe
| MD5 | 23d0d4a8000c41e4c12bc80673cb50cd |
| SHA1 | 74970739ee8c6a83a5def587befe1f5c58a81b78 |
| SHA256 | 75ce04068c844711dc3195085c452afdf4749dec9cfe846a8b80f38b2f3c4389 |
| SHA512 | 422250da6df5400a834876d6e5e5e2171b1eeea16a6eff5247513834259a3e50ed0703767ffa2822fad4d593b2cdfc7e61404253852773698490478e01e7dbc1 |
C:\Windows\system\dLZIiaG.exe
| MD5 | 45f4a2cf393ce82be8de58b310251d8b |
| SHA1 | d89103e1a01962e5fef8b1efa3926c1b7e352781 |
| SHA256 | bd4391bfe41ef7658352a679671ee28de5b1e2a1bfcd236edfbd8153b09b35cc |
| SHA512 | b1fb0857c3fedf832618803af396d89b3064a1fd16c901a317e2747fb607e4fe616a82e933000d7a5fc0909a1c7f1be8d7865d064b0f53693aa41edd12bdd58e |
C:\Windows\system\DwooMaS.exe
| MD5 | 99bb1e7304c8d40ce47c0bab292e7e65 |
| SHA1 | 418d58f834f776bafbfc73a43852765124f8cc07 |
| SHA256 | f0d645ef39e8bdfac213c41aa17a715b8ba5f85cb48dae8cef989a1a97090bbb |
| SHA512 | ed11cd8073a7da6f6e2f3ef02e4dee11f889b246cb8de7e806ed83856be7075315c47d9cb8f00fb54e720399d25f7bdd5122ce960b568591b6f5ab94fa4feb89 |
C:\Windows\system\KyrrqPq.exe
| MD5 | 8140f808c62739a547349b0d2bfe6ba4 |
| SHA1 | 5737ba719f6338da45e6ea8231e20bae98ea3d72 |
| SHA256 | 58c1afcee3ed54636289a606f185328340e57fd2eecb37bbaf5eb4d555d1f72f |
| SHA512 | 0719724568d73af84a8a3ba8f5fccf09bcfbbc7a7eb1f552438a6fc502f4a1d793744cc2befb5ae7c1487ce056ce989b21f67f0b28ab7aa99ddc2a35fbf0452a |
C:\Windows\system\ZvWLdpk.exe
| MD5 | fe2ab940cec6ce9df32943b6230bea01 |
| SHA1 | acfffd9aa41c92542347960cafa048e2fed087ca |
| SHA256 | 7f83917db4acc702fff1256f347eab301cef7fde67e5c70903f36a2f8ec9e6ab |
| SHA512 | 8e36f4125a90eae623ae786e13a87f84348a0842179849257f652b79fbb6529e66a3b185a3d8478a4ff97d397401e07761909b22e8d89aa4d6db75574de7c255 |