Analysis Overview
SHA256
926b0754561e66c80d9fcb2e21990f0679311998321c9faf77a31ef0c6dbd816
Threat Level: Known bad
The file 2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Family tags: Cobaltstrike, xmrig
Signatures (deduplicated; the static and behavioral analyses below list them per run):
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
XMRig Miner payload
Xmrig family
UPX packed file
UPX dump on OEP (original entry point)
Unsigned PE
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
In both detonations the sample, an unsigned UPX-packed 64-bit PE, writes 21 executables with random seven-letter names into C:\Windows\System, runs each of them, adjusts its own token for SeLockMemoryPrivilege (the privilege XMRig requests so it can back its scratchpad with large pages), and connects repeatedly to 3.120.209.58:8080 over TCP. Apart from the two 0x10000 heap regions of the initial process, every memory dump in the Files lists spans 0x354000 bytes, so the dropped executables, although their file hashes all differ, unpack to images of the same size. The report captures no beacon configuration and no per-hit indicator for the Cobalt Strike and reflective-loader signatures.
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-29 07:08
Signatures
Cobalt Strike reflective loader
1 match recorded; no description, indicator, process or target was captured.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match recorded; no description, indicator, process or target was captured.
UPX dump on OEP (original entry point)
1 match recorded; no description, indicator, process or target was captured.
XMRig Miner payload
1 match recorded; no description, indicator, process or target was captured.
Xmrig family
UPX packed file
1 match recorded; no description, indicator, process or target was captured.
Unsigned PE
1 match recorded; no description, indicator, process or target was captured.
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 07:08
Reported
2024-06-29 07:11
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; no description, indicator, process or target was captured for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches recorded; no description, indicator, process or target was captured for any of them.
UPX dump on OEP (original entry point)
64 matches recorded; no description, indicator, process or target was captured for any of them.
XMRig Miner payload
64 matches recorded; no description, indicator, process or target was captured for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\DzBHtco.exe | N/A |
| N/A | N/A | C:\Windows\System\lJxUhOb.exe | N/A |
| N/A | N/A | C:\Windows\System\MQMUiDJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZcWMmoD.exe | N/A |
| N/A | N/A | C:\Windows\System\aHDWJPg.exe | N/A |
| N/A | N/A | C:\Windows\System\eooMBWG.exe | N/A |
| N/A | N/A | C:\Windows\System\PdNuTRn.exe | N/A |
| N/A | N/A | C:\Windows\System\wLIArfx.exe | N/A |
| N/A | N/A | C:\Windows\System\zLRtbAJ.exe | N/A |
| N/A | N/A | C:\Windows\System\DdRwUTn.exe | N/A |
| N/A | N/A | C:\Windows\System\HUFBdeS.exe | N/A |
| N/A | N/A | C:\Windows\System\RqOMMTO.exe | N/A |
| N/A | N/A | C:\Windows\System\NiNheSx.exe | N/A |
| N/A | N/A | C:\Windows\System\qFeyUiI.exe | N/A |
| N/A | N/A | C:\Windows\System\InwFwRV.exe | N/A |
| N/A | N/A | C:\Windows\System\rVNMZpm.exe | N/A |
| N/A | N/A | C:\Windows\System\pwCaugY.exe | N/A |
| N/A | N/A | C:\Windows\System\IgcMpER.exe | N/A |
| N/A | N/A | C:\Windows\System\ihnOzGP.exe | N/A |
| N/A | N/A | C:\Windows\System\XlbRKFl.exe | N/A |
| N/A | N/A | C:\Windows\System\uVsaSvc.exe | N/A |
UPX packed file
64 matches recorded; no description, indicator, process or target was captured for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe
command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe"
Dropped executables (each recorded with a command line identical to its path):
C:\Windows\System\DzBHtco.exe
C:\Windows\System\lJxUhOb.exe
C:\Windows\System\MQMUiDJ.exe
C:\Windows\System\ZcWMmoD.exe
C:\Windows\System\aHDWJPg.exe
C:\Windows\System\eooMBWG.exe
C:\Windows\System\PdNuTRn.exe
C:\Windows\System\wLIArfx.exe
C:\Windows\System\zLRtbAJ.exe
C:\Windows\System\DdRwUTn.exe
C:\Windows\System\RqOMMTO.exe
C:\Windows\System\HUFBdeS.exe
C:\Windows\System\NiNheSx.exe
C:\Windows\System\qFeyUiI.exe
C:\Windows\System\InwFwRV.exe
C:\Windows\System\rVNMZpm.exe
C:\Windows\System\pwCaugY.exe
C:\Windows\System\IgcMpER.exe
C:\Windows\System\ihnOzGP.exe
C:\Windows\System\XlbRKFl.exe
C:\Windows\System\uVsaSvc.exe
Network
| Country | Destination | Domain | Proto | Connections |
| DE | 3.120.209.58:8080 | (none) | tcp | 6 |
| US | 52.111.229.43:443 | (none) | tcp | 1 |
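As an added example (not part of the sandbox report), the following Python turns the behaviours this run recorded into detection logic and runs it over a constructed event stream: process creations from C:\Windows\System with a seven-letter name (every dropped name above has that shape, which is an inference from the 21 names, not a rule the report states), a token adjustment for SeLockMemoryPrivilege, and a connection to 3.120.209.58:8080. The event schema, the PIDs and the parent links are this example's own; the image paths and the two destination addresses are copied from the report.

```python
import re
from collections import defaultdict

# Indicators taken from the report: the C2 endpoint from the network table
# and the drop location, where every dropped name is seven letters long.
C2_ENDPOINTS = {("3.120.209.58", 8080)}
DROPPED_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")
MINER_PRIVILEGES = {"SeLockMemoryPrivilege"}   # requested for large pages by XMRig
MIN_CHILDREN = 3   # dropper threshold: one parent spawning this many dropped EXEs

# Constructed event stream (the schema is this example's own, not Sysmon's);
# image paths come from the process tree above, PIDs and parents are made up.
EVENTS = [
    {"type": "process_create", "pid": 3040, "ppid": 812,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe"},
    {"type": "privilege_adjust", "pid": 3040, "privilege": "SeLockMemoryPrivilege"},
    {"type": "process_create", "pid": 3668, "ppid": 3040, "image": r"C:\Windows\System\DzBHtco.exe"},
    {"type": "process_create", "pid": 4164, "ppid": 3040, "image": r"C:\Windows\System\lJxUhOb.exe"},
    {"type": "process_create", "pid": 3968, "ppid": 3040, "image": r"C:\Windows\System\MQMUiDJ.exe"},
    {"type": "network_connect", "pid": 3668, "dst_ip": "3.120.209.58", "dst_port": 8080},
    {"type": "network_connect", "pid": 3040, "dst_ip": "3.120.209.58", "dst_port": 8080},
    # Benign noise: a service binary and the 52.111.229.43:443 connection the
    # Windows 10 run also made, which is not a reportable indicator on its own.
    {"type": "process_create", "pid": 5004, "ppid": 612, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "network_connect", "pid": 5004, "dst_ip": "52.111.229.43", "dst_port": 443},
]


def detect(events):
    """Return {rule_name: sorted pids} for the behaviours the report recorded."""
    findings = defaultdict(set)
    children = defaultdict(list)   # ppid -> pids of dropped EXEs it started
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            if DROPPED_EXE.match(ev["image"]):
                findings["exe_in_windows_system_dir"].add(ev["pid"])
                children[ev["ppid"]].append(ev["pid"])
        elif kind == "network_connect":
            if (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS:
                findings["c2_connection"].add(ev["pid"])
        elif kind == "privilege_adjust":
            if ev["privilege"] in MINER_PRIVILEGES:
                findings["lock_memory_privilege"].add(ev["pid"])
    for ppid, kids in children.items():
        if len(kids) >= MIN_CHILDREN:
            findings["dropper_spawning_random_exes"].add(ppid)
    return {rule: sorted(pids) for rule, pids in findings.items()}


def triage(findings):
    """Collapse findings into one verdict: a strong signal (C2 or the dropper
    pattern) plus any second signal is an incident; one signal alone is a lead."""
    strong = {"c2_connection", "dropper_spawning_random_exes"}
    if strong & set(findings) and len(findings) >= 2:
        return "incident"
    return "lead" if findings else "clean"


if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, pids in found.items():
        print(f"{rule}: {pids}")
    print("verdict:", triage(found))
```

The seven-letter regex is deliberately narrow so that C:\Windows\System32\svchost.exe and other legitimate binaries under C:\Windows never match; on a real host, treat any executable created under C:\Windows\System itself as suspicious regardless of name, since the directory is not where Windows installs binaries.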
Files
memory/3040-0-0x00007FF7EB210000-0x00007FF7EB564000-memory.dmp
memory/3040-1-0x0000015EFD190000-0x0000015EFD1A0000-memory.dmp
C:\Windows\System\DzBHtco.exe
| MD5 | 9a39609e131b62597647b94ab28c9ad2 |
| SHA1 | 3bc5f54290cb2582e268133e72ba4d08a2bc4b3e |
| SHA256 | 1cd38c05ee4c655bed869637d61e24f7e8a2a369ca0496a2f7444bd7d6adc3e0 |
| SHA512 | 11eb49858fae24a4fe7b4dca9c599a84953da1acaf171e568a25414fe257964967fda4b07f63f7de33f98d89b71a3c9f3341367016300fc0e73f0021b6e7a664 |
C:\Windows\System\lJxUhOb.exe
| MD5 | 125ff3c5a4052c2c4bda1acab0f2f2e5 |
| SHA1 | dfa37f96b02bd5543cca820b6c39881de31939ed |
| SHA256 | 550606fb3cb6636142ae7da29fd8ba850a831b6f7368eadbe8285e3e6e1eb938 |
| SHA512 | 5a972b90931d4d0becfd80c3c4d395156e85951c032aacc80b9a2c0cd8436375756c2edee5318b124fcee1c1c1516d36d63e3bd3417cddb9051a027e675dbb3a |
C:\Windows\System\MQMUiDJ.exe
| MD5 | d9288c76989f2e5da80a067ed415603a |
| SHA1 | 1bfbb3ac32b77719ed2b90869373db024115c7a5 |
| SHA256 | 7eab711018e15aad6a711472d74112e7d0bfc6ca56a52125aae63ef756665865 |
| SHA512 | 42818a5f8485e0646b496002e9952d02755f47188f415aca45286e88487f37c3c45f5096cd5a91b41b637ca3c117b7bab3cba203d8c40dfe652900a4e84b5a6d |
C:\Windows\System\eooMBWG.exe
| MD5 | a44f6587a6cf04724b7202782b39041b |
| SHA1 | b5cf0a3f57ccb7e97efa5cfa549a1c81f5365ae1 |
| SHA256 | b05ac91461e6bd23dae30e09d430ec632e25ca60eecf1352ba0ce4978d57dfa3 |
| SHA512 | acf6cb87fb55705a2e8b62aed07a1db74ebb4f8dec25413611d4400e50c996506c98b489bd8cecb87a5007cbfdf7150320772744c1b0346149165570db254b77 |
memory/4172-41-0x00007FF73E200000-0x00007FF73E554000-memory.dmp
C:\Windows\System\PdNuTRn.exe
| MD5 | 556e65a6024dfaac37dcd3b0e989d437 |
| SHA1 | e9f647c46ad4a8ade865b6f1a078c73c4477c2a5 |
| SHA256 | 7acadd29e47c892651e9a9b3947e5454ebd34e926a90fec55dd0aa03e472faa7 |
| SHA512 | 1ecdc7e6f4a260074f3178a338bf0a79fff2a0c5fb18e437646699bb69c77252c37512161445b0032dad890abe4d250efda713a295fce6105e5682dfb293b70d |
memory/216-48-0x00007FF6093C0000-0x00007FF609714000-memory.dmp
memory/1836-44-0x00007FF6AA070000-0x00007FF6AA3C4000-memory.dmp
C:\Windows\System\wLIArfx.exe
| MD5 | 693aed710a094c72314f43ebc1f17e68 |
| SHA1 | 687b5d3739cf7ab91cfa95752ae680ae6d382634 |
| SHA256 | 5a5086a0a18c960b94e663bfb8d1bf0468eaf872539f576a0b05148945a8729e |
| SHA512 | 8d673e61a6b706aaf81379becc2161467faa17b630e3fde400f0ca31639da75cd1016593a0ba9a800bf8b682ec21120423aa6f57980e7aa3a82b266344d313d9 |
C:\Windows\System\aHDWJPg.exe
| MD5 | b298724441c387779a9c76230e09a2ac |
| SHA1 | 81cd5563239fac3e19a43153c63a187b718890a5 |
| SHA256 | 1b4bb1b1c2741453f847f91df978f35a493a665f9bf90754d5698474a2bfc634 |
| SHA512 | ed63b959d2f16e8dfe27f1f7408d9e7750001ded9472b258c58adf0662b1063d5fa8f04304afcc91f03daa5a5f7892bf2413406c6f7303ddcb9a31ae3e747133 |
memory/3704-30-0x00007FF7B0890000-0x00007FF7B0BE4000-memory.dmp
C:\Windows\System\ZcWMmoD.exe
| MD5 | f2443f7b1f979eb455729f4a7e5beee8 |
| SHA1 | b2f4d51e17a7a2f78fe8eaeebfd6fb69db93fa70 |
| SHA256 | c89432a27166236b607573de8291bd79e37356bd15adf7c89629c21fee2081ce |
| SHA512 | a87690df6b7699ec5a1cb4f18ee28fb5c225c33fe4d155cd42a49ad276d3036ad29732e09c851053de017f9fee3f5217b9b2ef1497def8933bd102281cc11e03 |
memory/3012-22-0x00007FF698800000-0x00007FF698B54000-memory.dmp
memory/3968-21-0x00007FF6D6670000-0x00007FF6D69C4000-memory.dmp
memory/4164-19-0x00007FF675D30000-0x00007FF676084000-memory.dmp
memory/3668-18-0x00007FF677010000-0x00007FF677364000-memory.dmp
C:\Windows\System\zLRtbAJ.exe
| MD5 | 67e7eb9e779bcfe4d1a5caade147c1bd |
| SHA1 | fd193ac90ef74d7e378adc06d817e649b05f9632 |
| SHA256 | de2e134cf8446d9ba7118d8e455fba4dbb6a1c00cb029a787df6f2b7967e2b81 |
| SHA512 | f6d1b7c3d58bdd341184db154628d284b84313f256d4ef53dbe0bc4d0ec3029cd77294bf660af41953c1af04eaf457892d0c6e355877efe791c340cf085f5c66 |
memory/1492-56-0x00007FF7959D0000-0x00007FF795D24000-memory.dmp
C:\Windows\System\DdRwUTn.exe
| MD5 | 54aa8434bf025352a8c981f7448e2b47 |
| SHA1 | fd7c657ddea97a6b8693b24fa8d5eb00a500ae3c |
| SHA256 | 308882925ef12019d5109696a810047f339027193902a7311a8f5c765c688d0b |
| SHA512 | 9b950f3af68236675fa0ebe91285703633049fbf2995b0edaa3b9a5b21019fa391735bfa47380e3b87fd63a1f2749ec66cc7d3b96c16a25ae141d3cb8c3edd13 |
C:\Windows\System\NiNheSx.exe
| MD5 | 3d3440c6620b4e1f05e572553d57b243 |
| SHA1 | f8dcb06e160284f164ca6b7846101505506a3ed9 |
| SHA256 | c58a1496eca055d5f57b7c6ce8ce68b92930ec63028943a6f99124c2e1e96f7f |
| SHA512 | 205931ed421b989ae6d5a5c058bdbd84047ca62546fa4048317e81db3523a73d5f9f8b718bba544712017ea13dc17f089033207156a6812329f652d01e577404 |
memory/2020-74-0x00007FF683F70000-0x00007FF6842C4000-memory.dmp
C:\Windows\System\RqOMMTO.exe
| MD5 | 16b068a0d43508f370fdf0595a9b8fd3 |
| SHA1 | 5b8bc9f3d785c0f293a4ac90f44fcc54bfcae9f8 |
| SHA256 | d72312c44c6892ac460eb2684734af7b18276a2aa1372b6cff403628c3abf8bc |
| SHA512 | 149f07d0e3202200342a40379344101027726439a306a01f8272683013cba35c45091f60121cf8f8bc3b06bcb547ac5e9dbdb3fbfc8c4a4ceff042ad5e48b49d |
C:\Windows\System\qFeyUiI.exe
| MD5 | 7ca05e48a185c7a55b0d54ceb90bb000 |
| SHA1 | e4d26f033102a15d29f84a0b26df9d3f99e7be83 |
| SHA256 | 7fc2e9b860b3060a6431bd7734e4ae9e61bd9a1a8531a36d68d034e894c1303d |
| SHA512 | 6ec343ce82939c0ee481630684454c6cbcc03e6f8111a9d1581d4830f615d410c710f9c7272a36678fca8436f9747d68e81ca57f8d008e6057757a76376100f9 |
memory/3256-84-0x00007FF6628E0000-0x00007FF662C34000-memory.dmp
memory/2016-80-0x00007FF648930000-0x00007FF648C84000-memory.dmp
memory/3432-75-0x00007FF758890000-0x00007FF758BE4000-memory.dmp
C:\Windows\System\HUFBdeS.exe
| MD5 | c63098afc847f8229efab41ddbfd0fdc |
| SHA1 | dc6fd8eed999e0ee81385fe4265375a482b0b42a |
| SHA256 | 4dd32d8510207324330867face7fbac3ef264604de31bcec1ea274cb57622351 |
| SHA512 | 67e1ea034eb588879dc3b30c233e1e9faed2ccfac7b2e13201dbf2f71c4e974b66037c8cc2a9a066de2e4fdaec7655fafc3cecd70d49070af70e19950c2bef62 |
memory/4380-66-0x00007FF68AFC0000-0x00007FF68B314000-memory.dmp
C:\Windows\System\InwFwRV.exe
| MD5 | e2819476a519b4e09ebb929554a84e9f |
| SHA1 | c1ff5a32417b46629f5da31a660e0c69c933dd66 |
| SHA256 | 9942ec0359ba2eb2787f2632199457268354cb86c355528d790252ffcd4cd4d7 |
| SHA512 | f68148f4f5b82526596c7819711eba216a43aa7599478ba1669308c3f8636280eddb73cae1ed551a9642e9492d145ff7f66a5f1b1cacc56c7b6c661f03a04519 |
memory/4164-94-0x00007FF675D30000-0x00007FF676084000-memory.dmp
memory/2404-102-0x00007FF7156A0000-0x00007FF7159F4000-memory.dmp
C:\Windows\System\rVNMZpm.exe
| MD5 | 7c9a60ebcf0445dc3c2b327b09a57bf9 |
| SHA1 | 657e7a8104a6007fde63be0b8593b41f498431ba |
| SHA256 | 588a47719220694e29f1d0b8420205eb6e69a6911945ed8bc1db2bdc2beaf73e |
| SHA512 | 191ff2e635b73a060da2f3dd91891c2f3ba35d3bd508727cbd5f9e825d80a94186f8c625ad781aa26176bfdf116a36f23a4a1d34eeccfad01ffdde3b4d8b96a1 |
C:\Windows\System\IgcMpER.exe
| MD5 | 7998352ee9335ee91df913b8f17ac469 |
| SHA1 | d1f046308bf8a7586d6c8a12b354e12ce9c1b51a |
| SHA256 | 0a9592bd01972256809bc59c1902fa2e6b060b8a4fbb8614c4b779e274e23ad9 |
| SHA512 | 21973ed95306ad1f8b390682c0f7875e8d83bf7e706ddfbf991d4dc50c1174af9dd20bd945c323da4b67310706076d5f4680a168fefb984248f8a97026051315 |
C:\Windows\System\pwCaugY.exe
| MD5 | 1579d1b4e353b37cbc3d842d78b938f2 |
| SHA1 | 95f0d3b8b5acfdb39c346e3a8ca75c82edc24eb0 |
| SHA256 | 66ed2853bf5afdd2f01a61fc868b110f5a3fbdfee551c5c3098ef600d95107d3 |
| SHA512 | f21b92ca8d0e1de07db6cdfecd4939109f1aa4ee765cc2a0b7ca8f2173708eadbb27d10d115c4d820fb0e69bebaa132428490a66fd1347bd57237816909b2e18 |
memory/4340-106-0x00007FF695020000-0x00007FF695374000-memory.dmp
memory/3012-103-0x00007FF698800000-0x00007FF698B54000-memory.dmp
memory/2076-98-0x00007FF73DCB0000-0x00007FF73E004000-memory.dmp
memory/3040-91-0x00007FF7EB210000-0x00007FF7EB564000-memory.dmp
memory/3704-113-0x00007FF7B0890000-0x00007FF7B0BE4000-memory.dmp
memory/3772-119-0x00007FF7C0480000-0x00007FF7C07D4000-memory.dmp
C:\Windows\System\XlbRKFl.exe
| MD5 | 73bb3ff349695dfb2ba0735c126a5f16 |
| SHA1 | 05dc272b2f24f2585b04eba1fb1de3421f9b1240 |
| SHA256 | ff05492db2375eddef48590636ba22e73dc10e7671b29a1933d67645bc4f7317 |
| SHA512 | a11428b6b5bd32edeebb57011000d9c5fa33c2f52c261d8a3a9fae12cecb90a4e8964a5542e80c026376d14c0e0ac938514542122be8818f03502bdc690bbca6 |
memory/1836-121-0x00007FF6AA070000-0x00007FF6AA3C4000-memory.dmp
C:\Windows\System\uVsaSvc.exe
| MD5 | 22fb8bf409ba6c2284e73d45fcd89201 |
| SHA1 | 2e9b863a257cb1c34774501eaaacdeaece695a40 |
| SHA256 | bb65866eaf17f914b0924d29634624b05909e84d65323d4124f2b002c90088cb |
| SHA512 | f2fc87ffd5fdf40c8e70b814858a123a4e3f44f7945137cd2a82508c702ea00743f7128f0f6739ff40a08a05965692e0ba7a30d8965ddff1c81ef225209c22e2 |
memory/4812-129-0x00007FF63E390000-0x00007FF63E6E4000-memory.dmp
memory/216-127-0x00007FF6093C0000-0x00007FF609714000-memory.dmp
C:\Windows\System\ihnOzGP.exe
| MD5 | 1b54b798fa921130d4d9b4758ceedd84 |
| SHA1 | 22cef904ae85acfcc54056f8aae7bf3bb30d3384 |
| SHA256 | 05ca0ffa2dd24e4df3ba4d2d614c769f6af3db8cd56dffedb9ff0b10e2184dc4 |
| SHA512 | 69afcd89f1097eb2194c6b53e51a2988dd553060a2d781cbabdd663468b94f2dd8f6e0808960b55ac7465a7ea92e32440e2b2caf8bfad92f51d555f8d555d1bf |
memory/2848-123-0x00007FF7B71B0000-0x00007FF7B7504000-memory.dmp
memory/1492-133-0x00007FF7959D0000-0x00007FF795D24000-memory.dmp
memory/4380-134-0x00007FF68AFC0000-0x00007FF68B314000-memory.dmp
memory/2816-135-0x00007FF61B460000-0x00007FF61B7B4000-memory.dmp
memory/2016-136-0x00007FF648930000-0x00007FF648C84000-memory.dmp
memory/3432-137-0x00007FF758890000-0x00007FF758BE4000-memory.dmp
memory/3256-138-0x00007FF6628E0000-0x00007FF662C34000-memory.dmp
memory/2076-139-0x00007FF73DCB0000-0x00007FF73E004000-memory.dmp
memory/2404-140-0x00007FF7156A0000-0x00007FF7159F4000-memory.dmp
memory/4340-141-0x00007FF695020000-0x00007FF695374000-memory.dmp
memory/2848-142-0x00007FF7B71B0000-0x00007FF7B7504000-memory.dmp
memory/3668-143-0x00007FF677010000-0x00007FF677364000-memory.dmp
memory/3968-144-0x00007FF6D6670000-0x00007FF6D69C4000-memory.dmp
memory/4164-145-0x00007FF675D30000-0x00007FF676084000-memory.dmp
memory/3704-146-0x00007FF7B0890000-0x00007FF7B0BE4000-memory.dmp
memory/3012-147-0x00007FF698800000-0x00007FF698B54000-memory.dmp
memory/4172-148-0x00007FF73E200000-0x00007FF73E554000-memory.dmp
memory/1836-149-0x00007FF6AA070000-0x00007FF6AA3C4000-memory.dmp
memory/216-150-0x00007FF6093C0000-0x00007FF609714000-memory.dmp
memory/1492-151-0x00007FF7959D0000-0x00007FF795D24000-memory.dmp
memory/4380-152-0x00007FF68AFC0000-0x00007FF68B314000-memory.dmp
memory/2020-153-0x00007FF683F70000-0x00007FF6842C4000-memory.dmp
memory/3432-154-0x00007FF758890000-0x00007FF758BE4000-memory.dmp
memory/2016-155-0x00007FF648930000-0x00007FF648C84000-memory.dmp
memory/3256-156-0x00007FF6628E0000-0x00007FF662C34000-memory.dmp
memory/2076-157-0x00007FF73DCB0000-0x00007FF73E004000-memory.dmp
memory/4340-159-0x00007FF695020000-0x00007FF695374000-memory.dmp
memory/3772-158-0x00007FF7C0480000-0x00007FF7C07D4000-memory.dmp
memory/2404-160-0x00007FF7156A0000-0x00007FF7159F4000-memory.dmp
memory/4812-161-0x00007FF63E390000-0x00007FF63E6E4000-memory.dmp
memory/2848-162-0x00007FF7B71B0000-0x00007FF7B7504000-memory.dmp
memory/2816-163-0x00007FF61B460000-0x00007FF61B7B4000-memory.dmp
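The Files list above is the part of this report worth keeping as indicators, and its layout (a path line, then one "| ALGO | digest |" row per hash, with memory-dump names interleaved) is easy to parse. As an added example that is not part of the report, the Python below parses an excerpt in exactly that layout, rejects digests whose length does not fit their algorithm, computes the size of each dumped region, and matches a constructed host inventory against the report by SHA256 rather than by path, because the dropped names are random per run. The excerpt's values are copied from the report; the inventory entries are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's own layout; the paths, digests and dump
# names are copied from the Files list above.
REPORT_EXCERPT = r"""
C:\Windows\System\DzBHtco.exe
| MD5 | 9a39609e131b62597647b94ab28c9ad2 |
| SHA1 | 3bc5f54290cb2582e268133e72ba4d08a2bc4b3e |
| SHA256 | 1cd38c05ee4c655bed869637d61e24f7e8a2a369ca0496a2f7444bd7d6adc3e0 |
memory/3040-0-0x00007FF7EB210000-0x00007FF7EB564000-memory.dmp
C:\Windows\System\lJxUhOb.exe
| MD5 | 125ff3c5a4052c2c4bda1acab0f2f2e5 |
| SHA256 | 550606fb3cb6636142ae7da29fd8ba850a831b6f7368eadbe8285e3e6e1eb938 |
memory/4172-41-0x00007FF73E200000-0x00007FF73E554000-memory.dmp
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_files_section(text):
    """Return ([DroppedFile], [(pid, start, size)]) from a Files section.

    Hash rows attach to the most recent path line; a digest of the wrong
    length for its algorithm is rejected rather than silently kept.
    """
    files, regions, current = [], [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash row before any path: {line}")
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest of length {len(digest)} for {current.path}")
            current.hashes[algo] = digest
            continue
        m = MEM_DUMP.match(line)
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            regions.append((int(m.group(1)), start, end - start))
            continue
        current = DroppedFile(path=line)   # any other line starts a new file entry
        files.append(current)
    return files, regions


def region_sizes(regions):
    """Distinct sizes of the dumped regions; a single value means every
    process mapped an image of the same size."""
    return {size for _, _, size in regions}


def match_inventory(files, inventory):
    """Match host files against the report by SHA256 only (names are random
    per run). inventory is an iterable of (path, sha256) pairs; returns
    (host path, report path) for each hit."""
    known = {f.hashes["SHA256"]: f.path for f in files if "SHA256" in f.hashes}
    return [(path, known[h.lower()]) for path, h in inventory if h.lower() in known]


if __name__ == "__main__":
    files, regions = parse_files_section(REPORT_EXCERPT)
    print(len(files), "files; region sizes:", [hex(s) for s in region_sizes(regions)])
    # Constructed inventory: the DzBHtco.exe bytes under a different random
    # name, plus a benign file with a placeholder digest.
    inventory = [
        (r"C:\Windows\System\QwErTyU.exe", "1CD38C05EE4C655BED869637D61E24F7E8A2A369CA0496A2F7444BD7D6ADC3E0"),
        (r"C:\Windows\System32\notepad.exe", "0" * 64),
    ]
    print(match_inventory(files, inventory))
```

Both dumps in the excerpt come out at 0x354000 bytes, the same size as every other image-sized dump in this report, which is the quickest way to see from the page alone that the 21 differently hashed files carry the same unpacked payload.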
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 07:08
Reported
2024-06-29 07:11
Platform
win7-20240221-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; no description, indicator, process or target was captured for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches recorded; no description, indicator, process or target was captured for any of them.
UPX dump on OEP (original entry point)
64 matches recorded; no description, indicator, process or target was captured for any of them.
XMRig Miner payload
64 matches recorded; no description, indicator, process or target was captured for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AOhcaBw.exe | N/A |
| N/A | N/A | C:\Windows\System\QaEUenm.exe | N/A |
| N/A | N/A | C:\Windows\System\dYdpRtG.exe | N/A |
| N/A | N/A | C:\Windows\System\zUsCRMS.exe | N/A |
| N/A | N/A | C:\Windows\System\cfJYnpu.exe | N/A |
| N/A | N/A | C:\Windows\System\KgGboqm.exe | N/A |
| N/A | N/A | C:\Windows\System\FsQSbbe.exe | N/A |
| N/A | N/A | C:\Windows\System\WwPEuUT.exe | N/A |
| N/A | N/A | C:\Windows\System\xbZWvaH.exe | N/A |
| N/A | N/A | C:\Windows\System\rvzoLPK.exe | N/A |
| N/A | N/A | C:\Windows\System\veivZYT.exe | N/A |
| N/A | N/A | C:\Windows\System\HuKLxvj.exe | N/A |
| N/A | N/A | C:\Windows\System\HZxVKMD.exe | N/A |
| N/A | N/A | C:\Windows\System\OrYTODu.exe | N/A |
| N/A | N/A | C:\Windows\System\SPMPBCl.exe | N/A |
| N/A | N/A | C:\Windows\System\ipZIKGj.exe | N/A |
| N/A | N/A | C:\Windows\System\YvwrQKt.exe | N/A |
| N/A | N/A | C:\Windows\System\DkxMhnD.exe | N/A |
| N/A | N/A | C:\Windows\System\xznBIny.exe | N/A |
| N/A | N/A | C:\Windows\System\IBtnNIh.exe | N/A |
| N/A | N/A | C:\Windows\System\ibkDKkM.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches recorded; no description, indicator, process or target was captured for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe
command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe"
Dropped executables (each recorded with a command line identical to its path):
C:\Windows\System\AOhcaBw.exe
C:\Windows\System\QaEUenm.exe
C:\Windows\System\dYdpRtG.exe
C:\Windows\System\zUsCRMS.exe
C:\Windows\System\KgGboqm.exe
C:\Windows\System\cfJYnpu.exe
C:\Windows\System\FsQSbbe.exe
C:\Windows\System\WwPEuUT.exe
C:\Windows\System\xbZWvaH.exe
C:\Windows\System\rvzoLPK.exe
C:\Windows\System\veivZYT.exe
C:\Windows\System\HuKLxvj.exe
C:\Windows\System\HZxVKMD.exe
C:\Windows\System\OrYTODu.exe
C:\Windows\System\SPMPBCl.exe
C:\Windows\System\ipZIKGj.exe
C:\Windows\System\YvwrQKt.exe
C:\Windows\System\DkxMhnD.exe
C:\Windows\System\xznBIny.exe
C:\Windows\System\IBtnNIh.exe
C:\Windows\System\ibkDKkM.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\AOhcaBw.exe
\Windows\system\QaEUenm.exe
C:\Windows\system\dYdpRtG.exe
C:\Windows\system\zUsCRMS.exe
C:\Windows\system\cfJYnpu.exe
C:\Windows\system\KgGboqm.exe
C:\Windows\system\WwPEuUT.exe
C:\Windows\system\rvzoLPK.exe
C:\Windows\system\IBtnNIh.exe
\Windows\system\ibkDKkM.exe
C:\Windows\system\xznBIny.exe
C:\Windows\system\DkxMhnD.exe
C:\Windows\system\YvwrQKt.exe
C:\Windows\system\ipZIKGj.exe
C:\Windows\system\SPMPBCl.exe
C:\Windows\system\HZxVKMD.exe
C:\Windows\system\OrYTODu.exe
C:\Windows\system\veivZYT.exe
C:\Windows\system\HuKLxvj.exe
C:\Windows\system\xbZWvaH.exe
C:\Windows\system\FsQSbbe.exe