xmrig | 3cfc7f58fbd47d37fc38aff375e12dc73a5a26ed5336cbab678a08d97b3b847d

Analysis

max time kernel
12s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_9da28659b2b8b96af1ed7ad66c2860d7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

6.0MB
MD5

9da28659b2b8b96af1ed7ad66c2860d7
SHA1

67f1e0cdf63d584bdde939c30a37a3941a85fcad
SHA256

3cfc7f58fbd47d37fc38aff375e12dc73a5a26ed5336cbab678a08d97b3b847d
SHA512

fbc6d13be613dae5f52c4561db1b7c0c50769156168f38b5ac625e67d6ed5c9c085d35950474d5546238b48d521f7c6ca205bc2c4304b8c5053c8ece3f8a9d52
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUf:T+q56utgpPF8u/7f

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 5 IoCs

miner

resource	yara_rule
behavioral2/memory/216-0-0x00007FF7DA470000-0x00007FF7DA7C4000-memory.dmp	xmrig
behavioral2/files/0x000c000000023b94-5.dat	xmrig
behavioral2/files/0x000c000000023b94-10.dat	xmrig
behavioral2/files/0x0009000000023c35-12.dat	xmrig
behavioral2/files/0x0008000000023c4f-8.dat	xmrig

Executes dropped EXE 1 IoCs

pid	Process
4324	ElPcbme.exe

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/216-0-0x00007FF7DA470000-0x00007FF7DA7C4000-memory.dmp	upx
behavioral2/files/0x000c000000023b94-5.dat	upx
behavioral2/memory/4324-6-0x00007FF60A290000-0x00007FF60A5E4000-memory.dmp	upx
behavioral2/files/0x000c000000023b94-10.dat	upx
behavioral2/files/0x0009000000023c35-12.dat	upx
behavioral2/memory/3160-15-0x00007FF6382F0000-0x00007FF638644000-memory.dmp	upx
behavioral2/files/0x0008000000023c4f-8.dat	upx
behavioral2/files/0x0008000000023c4f-19.dat	upx
behavioral2/files/0x0008000000023c50-23.dat	upx
behavioral2/memory/4532-24-0x00007FF6D2520000-0x00007FF6D2874000-memory.dmp	upx
behavioral2/files/0x0008000000023c51-28.dat	upx
behavioral2/files/0x0008000000023c52-34.dat	upx
behavioral2/files/0x0008000000023c52-36.dat	upx
behavioral2/memory/2296-35-0x00007FF693960000-0x00007FF693CB4000-memory.dmp	upx
behavioral2/memory/4000-42-0x00007FF7475E0000-0x00007FF747934000-memory.dmp	upx
behavioral2/files/0x0016000000023c6a-48.dat	upx
behavioral2/files/0x0008000000023c70-54.dat	upx
behavioral2/files/0x0008000000023c74-59.dat	upx
behavioral2/files/0x0008000000023c80-65.dat	upx
behavioral2/memory/1788-80-0x00007FF79A050000-0x00007FF79A3A4000-memory.dmp	upx
behavioral2/memory/2604-82-0x00007FF76B500000-0x00007FF76B854000-memory.dmp	upx
behavioral2/memory/3776-98-0x00007FF60E870000-0x00007FF60EBC4000-memory.dmp	upx
behavioral2/memory/4000-108-0x00007FF7475E0000-0x00007FF747934000-memory.dmp	upx
behavioral2/files/0x0008000000023c86-111.dat	upx
behavioral2/memory/3968-124-0x00007FF7D73A0000-0x00007FF7D76F4000-memory.dmp	upx
behavioral2/memory/2012-129-0x00007FF767460000-0x00007FF7677B4000-memory.dmp	upx
behavioral2/files/0x0008000000023c8a-143.dat	upx
behavioral2/memory/3232-147-0x00007FF785180000-0x00007FF7854D4000-memory.dmp	upx
behavioral2/files/0x0007000000023c95-163.dat	upx
behavioral2/files/0x0007000000023c96-169.dat	upx
behavioral2/files/0x0007000000023c97-174.dat	upx
behavioral2/files/0x0007000000023c98-185.dat	upx
behavioral2/files/0x0007000000023c9c-206.dat	upx
behavioral2/files/0x0007000000023c9c-205.dat	upx
behavioral2/files/0x0007000000023c9b-201.dat	upx
behavioral2/memory/1372-320-0x00007FF66DB80000-0x00007FF66DED4000-memory.dmp	upx
behavioral2/memory/3232-323-0x00007FF785180000-0x00007FF7854D4000-memory.dmp	upx
behavioral2/memory/2880-438-0x00007FF6F6ED0000-0x00007FF6F7224000-memory.dmp	upx
behavioral2/memory/3100-559-0x00007FF6297A0000-0x00007FF629AF4000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System\ElPcbme.exe	2024-11-21_9da28659b2b8b96af1ed7ad66c2860d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eEIAYLC.exe	2024-11-21_9da28659b2b8b96af1ed7ad66c2860d7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 4324	216	2024-11-21_9da28659b2b8b96af1ed7ad66c2860d7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 216 wrote to memory of 4324	216	2024-11-21_9da28659b2b8b96af1ed7ad66c2860d7_cobalt-strike_cobaltstrike_poet-rat.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-11-21_9da28659b2b8b96af1ed7ad66c2860d7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_9da28659b2b8b96af1ed7ad66c2860d7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\System\ElPcbme.exe
  C:\Windows\System\ElPcbme.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System\eEIAYLC.exe
  C:\Windows\System\eEIAYLC.exe
  2⤵
  PID:3160
- C:\Windows\System\PGfPbaL.exe
  C:\Windows\System\PGfPbaL.exe
  2⤵
  PID:5076
- C:\Windows\System\tyyblmJ.exe
  C:\Windows\System\tyyblmJ.exe
  2⤵
  PID:4000
- C:\Windows\System\ZgVVzvY.exe
  C:\Windows\System\ZgVVzvY.exe
  2⤵
  PID:2908
- C:\Windows\System\CiuZkwO.exe
  C:\Windows\System\CiuZkwO.exe
  2⤵
  PID:3776
- C:\Windows\System\KCIZoIX.exe
  C:\Windows\System\KCIZoIX.exe
  2⤵
  PID:5040
- C:\Windows\System\TUheOln.exe
  C:\Windows\System\TUheOln.exe
  2⤵
  PID:2616
- C:\Windows\System\WOUZsAb.exe
  C:\Windows\System\WOUZsAb.exe
  2⤵
  PID:3232
- C:\Windows\System\sBAZXFh.exe
  C:\Windows\System\sBAZXFh.exe
  2⤵
  PID:2040
- C:\Windows\System\SUDDYOP.exe
  C:\Windows\System\SUDDYOP.exe
  2⤵
  PID:4912
- C:\Windows\System\vQeOLUZ.exe
  C:\Windows\System\vQeOLUZ.exe
  2⤵
  PID:4184
- C:\Windows\System\rixZCvR.exe
  C:\Windows\System\rixZCvR.exe
  2⤵
  PID:3256
- C:\Windows\System\CZtEySF.exe
  C:\Windows\System\CZtEySF.exe
  2⤵
  PID:1588
- C:\Windows\System\WAifpVJ.exe
  C:\Windows\System\WAifpVJ.exe
  2⤵
  PID:228
- C:\Windows\System\BIgkzHy.exe
  C:\Windows\System\BIgkzHy.exe
  2⤵
  PID:4484
- C:\Windows\System\bXOADUv.exe
  C:\Windows\System\bXOADUv.exe
  2⤵
  PID:4756
- C:\Windows\System\CmoxXRT.exe
  C:\Windows\System\CmoxXRT.exe
  2⤵
  PID:616
- C:\Windows\System\JWxKWZo.exe
  C:\Windows\System\JWxKWZo.exe
  2⤵
  PID:548
- C:\Windows\System\JIZcVLY.exe
  C:\Windows\System\JIZcVLY.exe
  2⤵
  PID:2964
- C:\Windows\System\fmAiphG.exe
  C:\Windows\System\fmAiphG.exe
  2⤵
  PID:4772
- C:\Windows\System\oazHwQM.exe
  C:\Windows\System\oazHwQM.exe
  2⤵
  PID:1488
- C:\Windows\System\wJGObjo.exe
  C:\Windows\System\wJGObjo.exe
  2⤵
  PID:4408
- C:\Windows\System\fVgSMDq.exe
  C:\Windows\System\fVgSMDq.exe
  2⤵
  PID:1384
- C:\Windows\System\pXyxJHj.exe
  C:\Windows\System\pXyxJHj.exe
  2⤵
  PID:3084
- C:\Windows\System\FUSauLo.exe
  C:\Windows\System\FUSauLo.exe
  2⤵
  PID:4992
- C:\Windows\System\berPRRB.exe
  C:\Windows\System\berPRRB.exe
  2⤵
  PID:2064
- C:\Windows\System\JmtIKfc.exe
  C:\Windows\System\JmtIKfc.exe
  2⤵
  PID:520
- C:\Windows\System\dbysmtt.exe
  C:\Windows\System\dbysmtt.exe
  2⤵
  PID:2744
- C:\Windows\System\tnvoAVS.exe
  C:\Windows\System\tnvoAVS.exe
  2⤵
  PID:468
- C:\Windows\System\ojHAMeU.exe
  C:\Windows\System\ojHAMeU.exe
  2⤵
  PID:5036
- C:\Windows\System\LYMRyqE.exe
  C:\Windows\System\LYMRyqE.exe
  2⤵
  PID:3904
- C:\Windows\System\LiVIsRF.exe
  C:\Windows\System\LiVIsRF.exe
  2⤵
  PID:1264
- C:\Windows\System\ETAoMlY.exe
  C:\Windows\System\ETAoMlY.exe
  2⤵
  PID:4648
- C:\Windows\System\PrLjXag.exe
  C:\Windows\System\PrLjXag.exe
  2⤵
  PID:5056
- C:\Windows\System\nlMzXJf.exe
  C:\Windows\System\nlMzXJf.exe
  2⤵
  PID:1868
- C:\Windows\System\xFUBArN.exe
  C:\Windows\System\xFUBArN.exe
  2⤵
  PID:2960
- C:\Windows\System\BTJjLfC.exe
  C:\Windows\System\BTJjLfC.exe
  2⤵
  PID:1848
- C:\Windows\System\BoRnElP.exe
  C:\Windows\System\BoRnElP.exe
  2⤵
  PID:1068
- C:\Windows\System\zChpRDR.exe
  C:\Windows\System\zChpRDR.exe
  2⤵
  PID:3116
- C:\Windows\System\AlCVgRB.exe
  C:\Windows\System\AlCVgRB.exe
  2⤵
  PID:444
- C:\Windows\System\aJwiXbD.exe
  C:\Windows\System\aJwiXbD.exe
  2⤵
  PID:1520
- C:\Windows\System\QhreKVJ.exe
  C:\Windows\System\QhreKVJ.exe
  2⤵
  PID:100
- C:\Windows\System\nTfrFjn.exe
  C:\Windows\System\nTfrFjn.exe
  2⤵
  PID:636
- C:\Windows\System\ndpnWyL.exe
  C:\Windows\System\ndpnWyL.exe
  2⤵
  PID:1748
- C:\Windows\System\ymojuIm.exe
  C:\Windows\System\ymojuIm.exe
  2⤵
  PID:1440
- C:\Windows\System\dvoWIwm.exe
  C:\Windows\System\dvoWIwm.exe
  2⤵
  PID:1932
- C:\Windows\System\aRxwMTX.exe
  C:\Windows\System\aRxwMTX.exe
  2⤵
  PID:1236
- C:\Windows\System\grXpRub.exe
  C:\Windows\System\grXpRub.exe
  2⤵
  PID:708
- C:\Windows\System\hgyHDPk.exe
  C:\Windows\System\hgyHDPk.exe
  2⤵
  PID:2024
- C:\Windows\System\exBavVw.exe
  C:\Windows\System\exBavVw.exe
  2⤵
  PID:2392
- C:\Windows\System\NQScnGA.exe
  C:\Windows\System\NQScnGA.exe
  2⤵
  PID:2084
- C:\Windows\System\yPcjZdy.exe
  C:\Windows\System\yPcjZdy.exe
  2⤵
  PID:3476
- C:\Windows\System\HCORvwM.exe
  C:\Windows\System\HCORvwM.exe
  2⤵
  PID:1608
- C:\Windows\System\NHrefgh.exe
  C:\Windows\System\NHrefgh.exe
  2⤵
  PID:4588
- C:\Windows\System\CSNXZmH.exe
  C:\Windows\System\CSNXZmH.exe
  2⤵
  PID:1144
- C:\Windows\System\xffUbWt.exe
  C:\Windows\System\xffUbWt.exe
  2⤵
  PID:632
- C:\Windows\System\xfZlDxH.exe
  C:\Windows\System\xfZlDxH.exe
  2⤵
  PID:1172
- C:\Windows\System\avLEQrS.exe
  C:\Windows\System\avLEQrS.exe
  2⤵
  PID:5180
- C:\Windows\System\zZBHPcV.exe
  C:\Windows\System\zZBHPcV.exe
  2⤵
  PID:5252
- C:\Windows\System\gGEhChi.exe
  C:\Windows\System\gGEhChi.exe
  2⤵
  PID:5304
- C:\Windows\System\Hnlnybn.exe
  C:\Windows\System\Hnlnybn.exe
  2⤵
  PID:5356
- C:\Windows\System\woqqREz.exe
  C:\Windows\System\woqqREz.exe
  2⤵
  PID:5400
- C:\Windows\System\DZlbJqO.exe
  C:\Windows\System\DZlbJqO.exe
  2⤵
  PID:5440
- C:\Windows\System\KCJeKEA.exe
  C:\Windows\System\KCJeKEA.exe
  2⤵
  PID:5476
- C:\Windows\System\AkOyWoT.exe
  C:\Windows\System\AkOyWoT.exe
  2⤵
  PID:5504
- C:\Windows\System\uAZqJEj.exe
  C:\Windows\System\uAZqJEj.exe
  2⤵
  PID:5532
- C:\Windows\System\anCejiL.exe
  C:\Windows\System\anCejiL.exe
  2⤵
  PID:5556
- C:\Windows\System\XvAyTpU.exe
  C:\Windows\System\XvAyTpU.exe
  2⤵
  PID:5588
- C:\Windows\System\soxGnnU.exe
  C:\Windows\System\soxGnnU.exe
  2⤵
  PID:5644
- C:\Windows\System\cOpgswy.exe
  C:\Windows\System\cOpgswy.exe
  2⤵
  PID:5760
- C:\Windows\System\pLgRCUF.exe
  C:\Windows\System\pLgRCUF.exe
  2⤵
  PID:5812
- C:\Windows\System\opAwXEt.exe
  C:\Windows\System\opAwXEt.exe
  2⤵
  PID:5844
- C:\Windows\System\fHwvJmk.exe
  C:\Windows\System\fHwvJmk.exe
  2⤵
  PID:5872
- C:\Windows\System\qfDoJJW.exe
  C:\Windows\System\qfDoJJW.exe
  2⤵
  PID:5900
- C:\Windows\System\zmvmxCp.exe
  C:\Windows\System\zmvmxCp.exe
  2⤵
  PID:5984
- C:\Windows\System\DlLWSIG.exe
  C:\Windows\System\DlLWSIG.exe
  2⤵
  PID:6012
- C:\Windows\System\ZSUBOrW.exe
  C:\Windows\System\ZSUBOrW.exe
  2⤵
  PID:6044
- C:\Windows\System\MBjaviM.exe
  C:\Windows\System\MBjaviM.exe
  2⤵
  PID:6100
- C:\Windows\System\MyQqYHO.exe
  C:\Windows\System\MyQqYHO.exe
  2⤵
  PID:5248
- C:\Windows\System\TerbOQl.exe
  C:\Windows\System\TerbOQl.exe
  2⤵
  PID:2204
- C:\Windows\System\OKNOFkS.exe
  C:\Windows\System\OKNOFkS.exe
  2⤵
  PID:5344
- C:\Windows\System\yeNMzjc.exe
  C:\Windows\System\yeNMzjc.exe
  2⤵
  PID:5364
- C:\Windows\System\QlioDsR.exe
  C:\Windows\System\QlioDsR.exe
  2⤵
  PID:5544
- C:\Windows\System\NuFTpJk.exe
  C:\Windows\System\NuFTpJk.exe
  2⤵
  PID:5612
- C:\Windows\System\grLKIfo.exe
  C:\Windows\System\grLKIfo.exe
  2⤵
  PID:5896
- C:\Windows\System\GVXYgcx.exe
  C:\Windows\System\GVXYgcx.exe
  2⤵
  PID:5952
- C:\Windows\System\wBKJEEu.exe
  C:\Windows\System\wBKJEEu.exe
  2⤵
  PID:5156
- C:\Windows\System\MLrZNvR.exe
  C:\Windows\System\MLrZNvR.exe
  2⤵
  PID:3428
- C:\Windows\System\nsWAcWy.exe
  C:\Windows\System\nsWAcWy.exe
  2⤵
  PID:5472
- C:\Windows\System\vLuWXlt.exe
  C:\Windows\System\vLuWXlt.exe
  2⤵
  PID:5596
- C:\Windows\System\LfOWXRW.exe
  C:\Windows\System\LfOWXRW.exe
  2⤵
  PID:5908
- C:\Windows\System\PKefjwu.exe
  C:\Windows\System\PKefjwu.exe
  2⤵
  PID:5328
- C:\Windows\System\roZkBCs.exe
  C:\Windows\System\roZkBCs.exe
  2⤵
  PID:5640
- C:\Windows\System\eOBlksr.exe
  C:\Windows\System\eOBlksr.exe
  2⤵
  PID:6092
- C:\Windows\System\sqHVggw.exe
  C:\Windows\System\sqHVggw.exe
  2⤵
  PID:5780
- C:\Windows\System\ZxwOUpC.exe
  C:\Windows\System\ZxwOUpC.exe
  2⤵
  PID:5408
- C:\Windows\System\HXbERvN.exe
  C:\Windows\System\HXbERvN.exe
  2⤵
  PID:6172
- C:\Windows\System\NdFjCAH.exe
  C:\Windows\System\NdFjCAH.exe
  2⤵
  PID:6196
- C:\Windows\System\SflxihZ.exe
  C:\Windows\System\SflxihZ.exe
  2⤵
  PID:6236
- C:\Windows\System\KyZOlze.exe
  C:\Windows\System\KyZOlze.exe
  2⤵
  PID:6312
- C:\Windows\System\LcNbWzy.exe
  C:\Windows\System\LcNbWzy.exe
  2⤵
  PID:6348
- C:\Windows\System\DhFvcJA.exe
  C:\Windows\System\DhFvcJA.exe
  2⤵
  PID:6380
- C:\Windows\System\FSyeAcN.exe
  C:\Windows\System\FSyeAcN.exe
  2⤵
  PID:6420
- C:\Windows\System\ttiZymE.exe
  C:\Windows\System\ttiZymE.exe
  2⤵
  PID:6444
- C:\Windows\System\lRKCJGs.exe
  C:\Windows\System\lRKCJGs.exe
  2⤵
  PID:6476
- C:\Windows\System\GanODXk.exe
  C:\Windows\System\GanODXk.exe
  2⤵
  PID:6504
- C:\Windows\System\GloMUtm.exe
  C:\Windows\System\GloMUtm.exe
  2⤵
  PID:6536
- C:\Windows\System\rXRZIoS.exe
  C:\Windows\System\rXRZIoS.exe
  2⤵
  PID:6564
- C:\Windows\System\LfaNJeg.exe
  C:\Windows\System\LfaNJeg.exe
  2⤵
  PID:6592
- C:\Windows\System\oyBGWJj.exe
  C:\Windows\System\oyBGWJj.exe
  2⤵
  PID:6620
- C:\Windows\System\iTDhfsa.exe
  C:\Windows\System\iTDhfsa.exe
  2⤵
  PID:6652
- C:\Windows\System\QYVMGVf.exe
  C:\Windows\System\QYVMGVf.exe
  2⤵
  PID:6680
- C:\Windows\System\ixgzuBp.exe
  C:\Windows\System\ixgzuBp.exe
  2⤵
  PID:6708
- C:\Windows\System\ODOPubn.exe
  C:\Windows\System\ODOPubn.exe
  2⤵
  PID:6736
- C:\Windows\System\MYYOidV.exe
  C:\Windows\System\MYYOidV.exe
  2⤵
  PID:6764
- C:\Windows\System\YBcFykZ.exe
  C:\Windows\System\YBcFykZ.exe
  2⤵
  PID:6792
- C:\Windows\System\jgDeCaX.exe
  C:\Windows\System\jgDeCaX.exe
  2⤵
  PID:6848
- C:\Windows\System\WiGygvZ.exe
  C:\Windows\System\WiGygvZ.exe
  2⤵
  PID:6908
- C:\Windows\System\XtfkswA.exe
  C:\Windows\System\XtfkswA.exe
  2⤵
  PID:6936
- C:\Windows\System\XEwipjk.exe
  C:\Windows\System\XEwipjk.exe
  2⤵
  PID:6964
- C:\Windows\System\evRJIIf.exe
  C:\Windows\System\evRJIIf.exe
  2⤵
  PID:6992
- C:\Windows\System\tuECDBJ.exe
  C:\Windows\System\tuECDBJ.exe
  2⤵
  PID:7020
- C:\Windows\System\RibIiQH.exe
  C:\Windows\System\RibIiQH.exe
  2⤵
  PID:7052
- C:\Windows\System\TTRxecR.exe
  C:\Windows\System\TTRxecR.exe
  2⤵
  PID:7084
- C:\Windows\System\Ofdmsio.exe
  C:\Windows\System\Ofdmsio.exe
  2⤵
  PID:7112
- C:\Windows\System\WAAUIiu.exe
  C:\Windows\System\WAAUIiu.exe
  2⤵
  PID:7140
- C:\Windows\System\MmsVXdu.exe
  C:\Windows\System\MmsVXdu.exe
  2⤵
  PID:6168
- C:\Windows\System\VAIbUCO.exe
  C:\Windows\System\VAIbUCO.exe
  2⤵
  PID:6208
- C:\Windows\System\nxMrBZC.exe
  C:\Windows\System\nxMrBZC.exe
  2⤵
  PID:6328
- C:\Windows\System\JBnfMGz.exe
  C:\Windows\System\JBnfMGz.exe
  2⤵
  PID:6396
- C:\Windows\System\JTqDzgF.exe
  C:\Windows\System\JTqDzgF.exe
  2⤵
  PID:6392
- C:\Windows\System\LBsuXKr.exe
  C:\Windows\System\LBsuXKr.exe
  2⤵
  PID:6484
- C:\Windows\System\yRIxexH.exe
  C:\Windows\System\yRIxexH.exe
  2⤵
  PID:6544
- C:\Windows\System\zzViimQ.exe
  C:\Windows\System\zzViimQ.exe
  2⤵
  PID:6612
- C:\Windows\System\KsAZUyY.exe
  C:\Windows\System\KsAZUyY.exe
  2⤵
  PID:6676
- C:\Windows\System\aaqPjjY.exe
  C:\Windows\System\aaqPjjY.exe
  2⤵
  PID:6744
- C:\Windows\System\OFmVCqz.exe
  C:\Windows\System\OFmVCqz.exe
  2⤵
  PID:6808
- C:\Windows\System\aDiPRIC.exe
  C:\Windows\System\aDiPRIC.exe
  2⤵
  PID:6876
- C:\Windows\System\PTWtMlj.exe
  C:\Windows\System\PTWtMlj.exe
  2⤵
  PID:6932
- C:\Windows\System\pKfwtAp.exe
  C:\Windows\System\pKfwtAp.exe
  2⤵
  PID:7000
- C:\Windows\System\TotxzQB.exe
  C:\Windows\System\TotxzQB.exe
  2⤵
  PID:7072
- C:\Windows\System\WClrCQu.exe
  C:\Windows\System\WClrCQu.exe
  2⤵
  PID:7128
- C:\Windows\System\AKglpEK.exe
  C:\Windows\System\AKglpEK.exe
  2⤵
  PID:6264
- C:\Windows\System\ajtcSSd.exe
  C:\Windows\System\ajtcSSd.exe
  2⤵
  PID:6416
- C:\Windows\System\zLrPjil.exe
  C:\Windows\System\zLrPjil.exe
  2⤵
  PID:6532
- C:\Windows\System\NeRSfkd.exe
  C:\Windows\System\NeRSfkd.exe
  2⤵
  PID:6856
- C:\Windows\System\bQSdIOh.exe
  C:\Windows\System\bQSdIOh.exe
  2⤵
  PID:7012
- C:\Windows\System\dcZqDDj.exe
  C:\Windows\System\dcZqDDj.exe
  2⤵
  PID:7120
- C:\Windows\System\VOiaGUu.exe
  C:\Windows\System\VOiaGUu.exe
  2⤵
  PID:6452
- C:\Windows\System\BUkrYfN.exe
  C:\Windows\System\BUkrYfN.exe
  2⤵
  PID:6828
- C:\Windows\System\tIQLDJE.exe
  C:\Windows\System\tIQLDJE.exe
  2⤵
  PID:6224
- C:\Windows\System\TJseEEN.exe
  C:\Windows\System\TJseEEN.exe
  2⤵
  PID:7244
- C:\Windows\System\OoOuKbY.exe
  C:\Windows\System\OoOuKbY.exe
  2⤵
  PID:7352
- C:\Windows\System\ovvRsfy.exe
  C:\Windows\System\ovvRsfy.exe
  2⤵
  PID:7444
- C:\Windows\System\MWoyAbF.exe
  C:\Windows\System\MWoyAbF.exe
  2⤵
  PID:7476
- C:\Windows\System\xJnhypU.exe
  C:\Windows\System\xJnhypU.exe
  2⤵
  PID:7536
- C:\Windows\System\QYwCoVY.exe
  C:\Windows\System\QYwCoVY.exe
  2⤵
  PID:7568
- C:\Windows\System\ZLIAqaR.exe
  C:\Windows\System\ZLIAqaR.exe
  2⤵
  PID:7596
- C:\Windows\System\GCosFud.exe
  C:\Windows\System\GCosFud.exe
  2⤵
  PID:7612
- C:\Windows\System\TZMYwqR.exe
  C:\Windows\System\TZMYwqR.exe
  2⤵
  PID:7644
- C:\Windows\System\StZFrOQ.exe
  C:\Windows\System\StZFrOQ.exe
  2⤵
  PID:7704
- C:\Windows\System\MImNKkK.exe
  C:\Windows\System\MImNKkK.exe
  2⤵
  PID:7788
- C:\Windows\System\fYwibTq.exe
  C:\Windows\System\fYwibTq.exe
  2⤵
  PID:7852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ESEquTQ.exe

Filesize
121KB

MD5
7ac483a79257986bd8c1327eb2089a64

SHA1
50a4be577617d0d30f0f72fd510cbd58bcfbc83b

SHA256
3aa0d1dbe99b2c39440e1f0aac5b21aa65695c1c051546aaf587f6ce8f4d19a1

SHA512
fcbdc6fe32761d887d702b7b0fc2e3212fabd6de76701b788d17a2455484aa12f37b4abd94fcf788516d88cafd2f5e54b4c2cee3c4b5da2bba5b2b721b05c6e0

Download Submit
C:\Windows\System\ElPcbme.exe

Filesize
991KB

MD5
c64694734755372f9c30ae11638ef401

SHA1
f57add4e4836562ac70acc835411d28bdaed08b5

SHA256
1904c0c43114c2003092cfd9b5e5bbcd2bd7e8ffda3a6b40631807f371276305

SHA512
334c2992f060d5a70780b48bb0560459a002aec0ff91087da6583c4d726183861e5cd882a8b5f0e5586f44ac8c43ec3f26979eb8c4b34d97068d362d03a7d699

Download Submit
C:\Windows\System\ElPcbme.exe

Filesize
1.3MB

MD5
d325ab4210147afcd069584b45aee18e

SHA1
fe8c6829761c914bf75e41d9ddbecae325035e09

SHA256
cba135ab3532b9bec871754d3c2703f5eb8dce0d93647764737444e921dec548

SHA512
41fcafe3e3b900e11b27c7709492d536c51b0e7d7eba03cbad9c55fd08aac65c5e524d007aa3b251715e47240eb6e057b06e7d4b267d0a319a5135e8754685ad

Download Submit
C:\Windows\System\FgZFWKL.exe

Filesize
202KB

MD5
d0e8757ffe23639b27e48fa59c165ab3

SHA1
d07f1fc735bcff7848f552b76600dc0500445076

SHA256
cfd999cce0674cf0143e551ad679f8d6cc1c2922652669646434f9485305d0e3

SHA512
a1ce166062de448ba59e4795d869ab27317b371c656df61aaeea79cd6db197dcb0975adf024b9f4fcefe8c2499c2f9855f9c49b13eb0acf3573892a02884be6e

Download Submit
C:\Windows\System\GiBjDmc.exe

Filesize
18KB

MD5
11a6257c406ad4c75add631435c9ce74

SHA1
09477fb7375deb6bdf846d73506204ea985af768

SHA256
a69a57c1da9aaf41aa0450ed61525c103189845ed2ff7702cab4c74042b2e8a3

SHA512
32f6bda18e9712ac8cae96903d4b71a5fab92cd22059881f81e2b9b7283a8e81a9367a214b8dbddf94bb029423a13da67b73b0f524ffba24796325cb92fe8a15

Download Submit
C:\Windows\System\PGfPbaL.exe

Filesize
93KB

MD5
9705ce79fb22315000c23b1dcde45eff

SHA1
a7c4dc63528dcbdb033f1ebcc86575a4f9b6b112

SHA256
37e4b94a6c63e3626f5b43a769daebd5a95e2bd16b5bcd76fca58881b8030150

SHA512
af3fc2209b986e8db7d3a8c2b169145b876ea4170c9cd0bed6fa1eebef28f6c1dbd1558d353ae5ef37eb1796907f69077641d5d3fe6cd8487819916e695cfcf5

Download Submit
C:\Windows\System\TUheOln.exe

Filesize
71KB

MD5
6320a859417493e9aebc9da49aa18baa

SHA1
6b8c3f99ab589d83ae821bf60a0ab0dbeb11f7f7

SHA256
04eeea6856a3693d41b7ff949feeb17e0de156010b7e443bde834fd8f3b42e3d

SHA512
c6e4eb8820c2cbfe95aa023527741b3c4c9d1394c49ee849b5f64b183fcbc45727015e0de9f66970f19c9cef0a468f1c06feb5e88251f7d97030bd9eb4da4ba0

Download Submit
C:\Windows\System\UhqTBCX.exe

Filesize
219KB

MD5
85ba3941ac8bfbbb6bf00aa58f526bb8

SHA1
3a5c422d296a952dd7128690070418a5ed68b2cc

SHA256
62d780c1ea97bde5f5820a039588c1ba7f44a3285ef0a6169e9a25868aee0d64

SHA512
b3521258776d30cc2603a2f635d8aa69d00beb1883f0d8b03cb5356ebfbb4adf99d92f9802655f15bbdf010fdc17ece7683c1f25de4765eef43f3a4613d10b34

Download Submit
C:\Windows\System\WOUZsAb.exe

Filesize
244KB

MD5
0e82c4fa111fe4e11e38cfc55f86fb94

SHA1
308d636c837ca96be2862e209e8f48fd40114562

SHA256
884084d058d71fd4e448c216f7904a989faa808892c394a51990bd579250cfdf

SHA512
2a3bd5a6f14f8c8b36fee03ce7f8a475612129ec7210c8dcfb7925df52d03d53459ad05f99d35ad4dafb7d375edb9af03321ca200d149d744e4335085fb6213e

Download Submit
C:\Windows\System\ZVcvEGD.exe

Filesize
33KB

MD5
dd25d7e24ff4f1d694093a3fc4c02479

SHA1
7c36d6ef0b47febc0e85435248d7b28eba48ad04

SHA256
320a8cf3b7476c00c8496cffae9805fc5b0c3a4cf65cc687a524392f0a397674

SHA512
876154bf4effaff0e76ef81556d1573f5bab3cc9a6a3d5a91c7092ab0c01444c7fbca1cb3b0538f82f9c2371e24f8712a05e943eebc97ca7eef54a950ba9cf8e

Download Submit
C:\Windows\System\ZVcvEGD.exe

Filesize
32KB

MD5
9434d2e6fab9801d4161d6db7bc9496a

SHA1
0c6abb94753e88644605a70218a7f91b73e921a5

SHA256
325e02360c453480b5584a2f491bad95136b47b96f64192e4065eab3e954e3a6

SHA512
de433b490cc3c7adccb59167ca06a75b2fc426d7706867c9aee407c33d3252289256b83d9cc58091b45cfd688ea3a39efa68087bcdfcf2d2a16f9429f39d40a4

Download Submit
C:\Windows\System\ZgVVzvY.exe

Filesize
132KB

MD5
72393b0b758f7bcd801586a99140debd

SHA1
9402dc6dc78a1ab16e6f47ce4bd97ba2ea54e246

SHA256
dbf2111599961278efa696cd0840d96eda43af5a6c817d4ef17cbf0ad2d82610

SHA512
5306710e61a2cafca73ac877480b707be1d21db0f348318fa08172257900d051cf40cb3462d3d990c22b347e9543d7c7a31a94e8b2bae4a191f87d1b8b36b78b

Download Submit
C:\Windows\System\bZzJNYX.exe

Filesize
172KB

MD5
b50ef1ec6ef021d2ec16aba77a5d2e93

SHA1
7e7763185d59ae848ac25a17dbda582f7dacf714

SHA256
be63f20b538fb6ad35eb44d1a709ab7dbac0663cbe339373bebdb90889244948

SHA512
95c15d507192fa4314635f4f3aa9b7d1639badb4c63a11d7a18cdb6791f8202a72e226f187ab3a347070b0ee2e460bdc3887ee656a807fb4206ff46e73964beb

Download Submit
C:\Windows\System\bZzJNYX.exe

Filesize
1.5MB

MD5
b2e301d3f4a16e41e248824de9c5fc26

SHA1
6a4b34e6e7deb85afdacf0559f59e0391e5f458f

SHA256
bd8169d2361b0c774c2f7d64dd75767fb34623d5a45db6535c5fdd397c5072ca

SHA512
4810c8b374430c81d986d1cec269d3e954a25b209a48c0a5dd8c3cff6c1d1b62cd94eb2e89dfb6387f76ad943c464b94a5b6cf4dd08307411222a500a60537d1

Download Submit
C:\Windows\System\bavaDdh.exe

Filesize
89KB

MD5
bbc6c720b4ea968ae6aa1ffe56041fc2

SHA1
ceab156e6c95fe42887eae6489a7e1bd1f931955

SHA256
76796cf7d0bbf92c0308f8012a889ae945b21edada98fba9abf93562cc482811

SHA512
1bc2dcdda6dd0b01fb5a83988359d296b40c47e7ef6abd84c32b4295e6f6630fad0b8c38a8295c08f2591cdac4ef6350b40728b86be3a81f72568a0b671f8e04

Download Submit
C:\Windows\System\cfYlCIL.exe

Filesize
130KB

MD5
168e1148b45590b82ed9264ca6baa319

SHA1
13836c55359b49e866ce1830958e0f1ee5ffd43b

SHA256
43015582ae3388e7571a6c57b4be2d7f087ceb524e150ca5f2a91c1ee53a15e6

SHA512
7355b957eceaf81fde7c0aadf1b22babb6d49e8e84d3320c78c8daa84f63a8978469b14c5974478b853a7a4fd51c8d4d52404c01513e02211a00a3207504fee6

Download Submit
C:\Windows\System\cseeuVc.exe

Filesize
26KB

MD5
d257e47858632637f2bb95bae6265757

SHA1
84281c2e667966ec307efe667142207bc5b79c16

SHA256
70fdb6793f5a8426d78bf21eb6b1f523628d94b73e24590a1865af43bd8018c4

SHA512
46d812b717dfdca0edcb1b27617eb5030ff9ff2bc86dc6b54d83cd1411864a37efd6ef280f6756606b2dd6913c7f62f2e0525f083e6fce968f0c8dd9c9fc5ed6

Download Submit
C:\Windows\System\eEIAYLC.exe

Filesize
768KB

MD5
cf04f245946d5ce59b5ea611e40f4a29

SHA1
6f1af8b0c1e5361dfe27afddc936db26b7a85c0d

SHA256
28412b6d57f100e9e54dd0d6d319795bd3337c06b68776c9296497c1def2deba

SHA512
4875bfd70129264b9a9edb743bd51f62bd00b795a8575d4ada22ba00ee127c0d1f55bb69a2fb87814273a1e0e1a3bd3170019c9f356ca2fd7f4b8963e16617b2

Download Submit
C:\Windows\System\rixZCvR.exe

Filesize
46KB

MD5
38b3e6bae3671e976895b35b6ffa2cb0

SHA1
8a73668b6cc0e6a16d7cb1a60d26f2e573238346

SHA256
8ed517c496f0ecd0a7a07c7a95560070ce8a1b90bce889fe67cc6d75fcfda969

SHA512
9b0fd8fd724e4aa3d6ad4524952a408d94673cc271f6289bad3ab93278247fd8d566fa663ad3628a501076c0b9b831870f115bc4a04adbc65558a1353bee0ec1

Download Submit
C:\Windows\System\rixZCvR.exe

Filesize
137KB

MD5
ec4bc11a85fc1d5ee9028f8999ed9fc8

SHA1
e910937619899e8029ca4295fa0fa3e63b9cd265

SHA256
f8ae5d88de5c32315ade1e1207db54b2dad5159e016509c2edcbc16faf5a695d

SHA512
b9991326350b8aca04285cd2364f573312d2add63835be3b44f4d7f9620fca671bee42343da86b557869d51cafd9649d304412718a83f317c0bbc45c886c7b17

Download Submit
C:\Windows\System\sBAZXFh.exe

Filesize
69KB

MD5
ed12deaded03d2163ccbf4e16657113e

SHA1
b2eea58077bfba68e731af4d5ee3e505a91cf1e7

SHA256
7ba2ce521c45670f005d084cafc0d9f21bc99bb316055980e279f09bf08f182b

SHA512
00fcf6afc519e853aa517108602845cba0a897e9e8a04b2ef48ee6b762e076072ff4851d1f74bdcdc7928b48bb5573304297d9a05dc6aa36219cb6d18369af2e

Download Submit
C:\Windows\System\vQeOLUZ.exe

Filesize
214KB

MD5
dea874357ddca65455dba171add56870

SHA1
b19e45edac6b387ba4c59337a492f4efad393a4c

SHA256
5d5bf882713e06d7623809665fef87be3fbe4d5243b555d7dee57e397f2af0d4

SHA512
6d736f88f296a20d0d21f5e09b77b34dd498a644f7f081b989d01181da0f6d4f9eaf6acdfd63716029eff4faef8cbf346f66017e36fd40e2ef0aae15740fa3cf

Download Submit
memory/216-0-0x00007FF7DA470000-0x00007FF7DA7C4000-memory.dmp

Filesize
3.3MB

Download
memory/216-1-0x000001F0D6050000-0x000001F0D6060000-memory.dmp

Filesize
64KB

Download
memory/1372-320-0x00007FF66DB80000-0x00007FF66DED4000-memory.dmp

Filesize
3.3MB

Download
memory/1788-80-0x00007FF79A050000-0x00007FF79A3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2012-129-0x00007FF767460000-0x00007FF7677B4000-memory.dmp

Filesize
3.3MB

Download
memory/2296-35-0x00007FF693960000-0x00007FF693CB4000-memory.dmp

Filesize
3.3MB

Download
memory/2604-82-0x00007FF76B500000-0x00007FF76B854000-memory.dmp

Filesize
3.3MB

Download
memory/2880-438-0x00007FF6F6ED0000-0x00007FF6F7224000-memory.dmp

Filesize
3.3MB

Download
memory/3100-559-0x00007FF6297A0000-0x00007FF629AF4000-memory.dmp

Filesize
3.3MB

Download
memory/3160-15-0x00007FF6382F0000-0x00007FF638644000-memory.dmp

Filesize
3.3MB

Download
memory/3232-323-0x00007FF785180000-0x00007FF7854D4000-memory.dmp

Filesize
3.3MB

Download
memory/3232-147-0x00007FF785180000-0x00007FF7854D4000-memory.dmp

Filesize
3.3MB

Download
memory/3776-98-0x00007FF60E870000-0x00007FF60EBC4000-memory.dmp

Filesize
3.3MB

Download
memory/3968-124-0x00007FF7D73A0000-0x00007FF7D76F4000-memory.dmp

Filesize
3.3MB

Download
memory/4000-108-0x00007FF7475E0000-0x00007FF747934000-memory.dmp

Filesize
3.3MB

Download
memory/4000-42-0x00007FF7475E0000-0x00007FF747934000-memory.dmp

Filesize
3.3MB

Download
memory/4324-6-0x00007FF60A290000-0x00007FF60A5E4000-memory.dmp

Filesize
3.3MB

Download
memory/4532-24-0x00007FF6D2520000-0x00007FF6D2874000-memory.dmp

Filesize
3.3MB

Download