Analysis Overview
SHA256
3e9c816833879bb1fc7c1c3aeb66b87d9d613c80768ce8a10a4c78e6fc571751
Threat Level: Known bad
The file 2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike
Cobaltstrike family
Xmrig family
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-25 15:24
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 15:24
Reported
2024-05-25 15:27
Platform
win7-20240508-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UFVYNfu.exe | N/A |
| N/A | N/A | C:\Windows\System\ITdtBIL.exe | N/A |
| N/A | N/A | C:\Windows\System\asRlCwC.exe | N/A |
| N/A | N/A | C:\Windows\System\SzmouWp.exe | N/A |
| N/A | N/A | C:\Windows\System\knPBEaK.exe | N/A |
| N/A | N/A | C:\Windows\System\PgKYNEa.exe | N/A |
| N/A | N/A | C:\Windows\System\IjICirB.exe | N/A |
| N/A | N/A | C:\Windows\System\GlaqWjO.exe | N/A |
| N/A | N/A | C:\Windows\System\gBMCSnM.exe | N/A |
| N/A | N/A | C:\Windows\System\KehCghC.exe | N/A |
| N/A | N/A | C:\Windows\System\xLYTlex.exe | N/A |
| N/A | N/A | C:\Windows\System\snTBEyo.exe | N/A |
| N/A | N/A | C:\Windows\System\dryzaVp.exe | N/A |
| N/A | N/A | C:\Windows\System\ATNeSvg.exe | N/A |
| N/A | N/A | C:\Windows\System\jRJZJoe.exe | N/A |
| N/A | N/A | C:\Windows\System\XJrPdqZ.exe | N/A |
| N/A | N/A | C:\Windows\System\jYxAXsN.exe | N/A |
| N/A | N/A | C:\Windows\System\zDLXPXR.exe | N/A |
| N/A | N/A | C:\Windows\System\YdbtKnh.exe | N/A |
| N/A | N/A | C:\Windows\System\iBKVGWJ.exe | N/A |
| N/A | N/A | C:\Windows\System\nSMMBrF.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\UFVYNfu.exe
C:\Windows\System\ITdtBIL.exe
C:\Windows\System\asRlCwC.exe
C:\Windows\System\SzmouWp.exe
C:\Windows\System\knPBEaK.exe
C:\Windows\System\PgKYNEa.exe
C:\Windows\System\IjICirB.exe
C:\Windows\System\GlaqWjO.exe
C:\Windows\System\xLYTlex.exe
C:\Windows\System\gBMCSnM.exe
C:\Windows\System\snTBEyo.exe
C:\Windows\System\KehCghC.exe
C:\Windows\System\dryzaVp.exe
C:\Windows\System\ATNeSvg.exe
C:\Windows\System\jRJZJoe.exe
C:\Windows\System\XJrPdqZ.exe
C:\Windows\System\jYxAXsN.exe
C:\Windows\System\zDLXPXR.exe
C:\Windows\System\YdbtKnh.exe
C:\Windows\System\iBKVGWJ.exe
C:\Windows\System\nSMMBrF.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2416-0-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2416-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\UFVYNfu.exe
| MD5 | 37d570a77f9b64340cbd013d334569f0 |
| SHA1 | 09910a6b1122499c1d4676ab924fad3bac1213d7 |
| SHA256 | 6880e1fb72448a939b74e882ab865e47d50e65d9f8918fcef831f691f9d1bc8a |
| SHA512 | 88ef41730b382731aae182671d8084f36cda9d4dd8cb8e1d298dc6ce0bb59c18ace657c821baafe374b4b736acf2690c2def20fa0811f9b33e64d6002af80deb |
memory/2060-8-0x000000013F0F0000-0x000000013F444000-memory.dmp
C:\Windows\system\ITdtBIL.exe
| MD5 | 2c4640c6e6d896d502c3e4156d85386e |
| SHA1 | 23b4ae915e010a71b3d07f56f6056a1ae5fff88f |
| SHA256 | ba13e509d182cdb27158e6c5e2d5711c5e750c73c72174b8f097fd42b875a2c4 |
| SHA512 | 6714bd5cfb4b64006e1348491a31403d7c7645987d59c360fe07ddd2329195b037f5f34ef841cad2c0f564dab80ed40920afbd309e070c2e61b150828c18b090 |
\Windows\system\asRlCwC.exe
| MD5 | 3a90a6e8dd0105bb473a06896b2ee883 |
| SHA1 | 631fa73d8c6cdf1496fe4d5d01a5de48f35fe475 |
| SHA256 | bd61bce683d8b1bf465f008c507bf27eff0ca1a92756486b81c37bef4f3683dd |
| SHA512 | defc297125fc76be7afda5d0f9f852feb8f4954652081dd4f79cd530c974ff8d2c6613bc6e353b2f77abb8b374763c85636fc797ed4258f112e4d35a720e62c7 |
memory/2416-18-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2416-22-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/3052-21-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/3004-20-0x000000013F480000-0x000000013F7D4000-memory.dmp
C:\Windows\system\SzmouWp.exe
| MD5 | 44eb89081527513f930f7c6ee60bceed |
| SHA1 | 55dd84ed28343baea56e7775cd49396533d96425 |
| SHA256 | 4b23d1f9e7e6140236fec8e7a5533fec2e5a31741f23f0273caee9602cf12ef7 |
| SHA512 | 3046f60cfb2f8312e7171ec122b92c06f969f319a630bb321be272bce65148d0f620fed0bc7a2e6a94d7584e227ec9051b5df06c51d3e76d428d8e6ddf26550f |
memory/2736-29-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2416-28-0x000000013FDB0000-0x0000000140104000-memory.dmp
C:\Windows\system\knPBEaK.exe
| MD5 | af66fcf550ee2da7bfe45aa6b5d3df88 |
| SHA1 | 3665f89375b2fa38f63c5090173918cad29f496e |
| SHA256 | 2133466fd66cc50a6c5518e88782afd147744315790bb8e762a60adf0522e8a0 |
| SHA512 | b2a86d5609820a5483d384b72b0c962ae2b889aaf3ebfcb30d6f1ed06d89f4bc433f2514cd206e7480756c553f3587765300ac26161766b0bfd4d9d46947dcc3 |
C:\Windows\system\PgKYNEa.exe
| MD5 | 71d6fed7ab332ff5fb8c81db57957167 |
| SHA1 | a6cfbfc75254343ec4db6521626471ce94c15b15 |
| SHA256 | 32eccdb83aeda256d91cf3814734c1e6a3923d332d469af955c7cd16edbc5331 |
| SHA512 | 9d29bdb8e3b85584341ea4ef2707e134a2def687d0e7799fb8e1289f28e5ad839d83ba5139d55a8e51c349c6e9b1df2fd556be7d6a15509292f0bd47d4743d0f |
memory/2808-41-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2416-40-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2812-36-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2416-32-0x0000000002400000-0x0000000002754000-memory.dmp
\Windows\system\IjICirB.exe
| MD5 | ab73b33336ef96a59d254f02acc4493e |
| SHA1 | 1419557337c2ad84de35c02e72a0b1767a72a95c |
| SHA256 | 6b07c7b6d057d60307c3933ac08b6c30fae7aa530b362e0d70036f6c7690681f |
| SHA512 | 6a255346baa9fd85cb8036cea507d1a1c2ff21c887fddebbaa11e98d98a153f00e090c5ae3d481b44f39b3fa196359dc92983b1fdf88ff114fbe5e3119b20e00 |
memory/2416-51-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2416-62-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2592-68-0x000000013FC40000-0x000000013FF94000-memory.dmp
\Windows\system\KehCghC.exe
| MD5 | e94547090ab2157896cdee39046bb2da |
| SHA1 | fc4b5b45c951024e0e3e2d22e03e7ccd642da22b |
| SHA256 | 5417f5da48d0e8b0e63aff77f36cbd0aea7cd1b2a89c7d8a988de8b95b01e639 |
| SHA512 | fe42306c2922485d9bd6124c7961231d0b1cb1d5e31f02c7d2fd5055267c7c259c5de6dd3ef675ff31fb06f92aecc8195b9b6ccdfb41d75cf32b48fdc2d5024c |
memory/2416-79-0x000000013F340000-0x000000013F694000-memory.dmp
memory/1776-81-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2520-83-0x000000013F300000-0x000000013F654000-memory.dmp
C:\Windows\system\xLYTlex.exe
| MD5 | f0773ea96c9a3348623176e536e93660 |
| SHA1 | d5a383043441bd6f15106a84862defc6b4a70220 |
| SHA256 | 71f3931f61d18d27b12c458e2b6ce8230eaaec330785416f47b88484d0d8cadd |
| SHA512 | 6c61c35c8b9191b501476a43967d610acedbe09668f8bc088e1396a3783c7f288dbf805c5c6ca99ac85b1e6bc0b9d770100ab047d5c3cb44da89320d7963b07b |
memory/2416-80-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/3008-100-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/1728-105-0x000000013FFE0000-0x0000000140334000-memory.dmp
C:\Windows\system\jRJZJoe.exe
| MD5 | 940661839f674160d161c8bc60c8308f |
| SHA1 | f0ab787cc501e07f98477d6343bbf1d549f89522 |
| SHA256 | a14c1e562514982ec7d0011e5448118d7c140da2f0e3f42fc2f2cdab5b71e558 |
| SHA512 | df6302e90f640f8ca2d8941a4d1e671978c49e5601979c60d74de7523a0d915b9c6c8ac036836f3f4fc64574d8b9301ab90323f760607b5a35eaa7bd9574e101 |
C:\Windows\system\iBKVGWJ.exe
| MD5 | 76d49150f84709b0505c5ca5f958972d |
| SHA1 | 39b28391122b222f5182c72b6a25fd9e91869098 |
| SHA256 | e3ad0aa61f531b0719f13aa4c9725afa650a3c946509a3c630355df22bc5c366 |
| SHA512 | 989a2c8351e59415980a65cb34c034a7e8298a7578faa93b5723c3e1d5e369b742960d1d14227969a7e94146f61c428c1c992dca30d293b2f4fe3fa7bcd79659 |
\Windows\system\nSMMBrF.exe
| MD5 | ba94d46054b54468eddf8d819b757a49 |
| SHA1 | b329e7fb371281945143539d844c1f0de9566ff6 |
| SHA256 | acd9c9c9bb06a70a7838a402b96cc5afe34acb7e317dcb0acd900e4ed887fde0 |
| SHA512 | 822ba588420d4cc8a26a4ae59e120117e50cb08b96d7911eee0318bf62d705e2a6f1d0e9a01c059ac23db394aa2d87ab20fe7dfb1b576a365d8483a9bb96c955 |
C:\Windows\system\YdbtKnh.exe
| MD5 | 44ef0845b675e18cddb947ff811448f8 |
| SHA1 | 445dbb21c4359e83fc7927f37470199e17d41be5 |
| SHA256 | 7498ecca27a7d10ce9aeaf898eebdcbea712c641b060b98b39a2916c633cd943 |
| SHA512 | 4e62c9e34c223011cdfc02f141c6de3b5d88cb85a7135419968fda301c066ffae0adc5c0aa6e9d44988b940257ce4693b99f0dd93bdb80934d6b5fa37e5c3b60 |
C:\Windows\system\zDLXPXR.exe
| MD5 | 73c397b83e62091dde0c52e9744732af |
| SHA1 | 64b8a1ca009f0ccc03088da04cb26d4072d4f0f6 |
| SHA256 | 7ea7c3c2b43208d5ec214289b41860f682e5c6d5f6dd002c94150b95e260ea5a |
| SHA512 | 626623633a77f350d33747d01afcc08d547520f6d24b6c8944733edce91ba73b0cb526dd4786f71c30c000e820e465cef4f8012aebe097d388866762a8c9b2f0 |
C:\Windows\system\jYxAXsN.exe
| MD5 | d029f884f13a08b8c8fd2262c60d3467 |
| SHA1 | 6af64fd51bae86f44b40ca2097c7d1320418dd7b |
| SHA256 | 72bf01654a47e00352853e3cc855b453b09a3aee1c8807f6b053d68e64fae660 |
| SHA512 | a7ad3207661e7ff0998e94fc8ebcbbe059932b601ec1510951726b41823dfa811d68fbc6a159f60d3d3dbcdf7f0783d83ceb532ba52c6dc7e6e98ba01d6cff1b |
C:\Windows\system\XJrPdqZ.exe
| MD5 | d309c2246811c45e4e2f8f75f199c51f |
| SHA1 | 129050e527c5b74f78f472f23c89a41aa0eb411f |
| SHA256 | f26b07aa735727f539ed2708a8bf283a5493336383a4ad9c37575781f9578d63 |
| SHA512 | fab00d4bf5d7343a0288cab393061b70050671ba791ced778b854e976d99bba1b7ca309e0d08b0fcd2382b449a9877cffd1a931ebf087f9bb83e70f13005b750 |
memory/2416-112-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2684-104-0x000000013FB00000-0x000000013FE54000-memory.dmp
C:\Windows\system\ATNeSvg.exe
| MD5 | 77088142801c8f3f973bbfaefbda4fa9 |
| SHA1 | a8f834c9cef658eb9e359e19019db70451b94caa |
| SHA256 | 68723a792c1df24efeab960fbbdc33e99d013851aa5ed8562e0a1bf3a08514ec |
| SHA512 | 5f65b9c35bef49536f1e209095ea14be64e3e76b533f03ef82bc09fe6d5b01cf609774d1fabc44a43e3b989cdb818cfbf7fe400169c18c8e7da41ffc1157d02c |
memory/2416-101-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/2416-99-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2808-98-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2868-94-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2988-93-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2812-92-0x000000013F6B0000-0x000000013FA04000-memory.dmp
C:\Windows\system\dryzaVp.exe
| MD5 | d78728e5360baab7e03548009a3688bc |
| SHA1 | 8a4b1783287d7516f400b9aeddcb1f5952665d65 |
| SHA256 | 304562c98a30bd4cb28b9682db7780ac5f8f2b9b438967cd4926d33f02f810ad |
| SHA512 | 09bc0ef0368d60f3016bd0c652c38e185f69ba3887b3dabd9e5006b0d7e7c01af23002cf4cc81743804137243251d55a170276a23ae41c83c23ac73b71a7c874 |
C:\Windows\system\snTBEyo.exe
| MD5 | c01b7d715e5b09a54b50358e67b9e17c |
| SHA1 | f4e7795afa8360f0326e432c889e2ce8c80587eb |
| SHA256 | 15fa32ff2724c422bc73c3d077a378ae45a5dc222980d610489a18e1c75f9bd4 |
| SHA512 | 3bea6d76aea81af8317e7d5d004e8cef39a5d9759aa434ef3fed3f7ed596199ab727c8728b52d189ecde1b84167f2e27bdc79d259eada59978f596b30e018bd4 |
memory/2416-88-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2060-72-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2684-58-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/3008-56-0x000000013F150000-0x000000013F4A4000-memory.dmp
C:\Windows\system\GlaqWjO.exe
| MD5 | 19e4e51e92ca36ba30fc007b5d36af11 |
| SHA1 | 3956f9c56eb1cfe663203d4da1e6c774d65f22c1 |
| SHA256 | ad34117856153ca4a78e790ec61f2bced3bd3457f799f7fba3df33201a194d0a |
| SHA512 | 0c05938b89e3999264856fa82f108b4d6e61916aa89d9b852bc5bc9326c653fc0fef09f1c1a3b2dba5438b9645c04e9bf85fa094d045b00c60f48d0d0cb1107a |
memory/2416-76-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2416-74-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2416-66-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2416-64-0x000000013F300000-0x000000013F654000-memory.dmp
C:\Windows\system\gBMCSnM.exe
| MD5 | f73120b068ec9d3d944459fc78832e38 |
| SHA1 | 888ab97e307a3b4cb42ef56f81f4aaab9fdd18b5 |
| SHA256 | 2f50fe5780c4e8f1873784a5ab93bb947e03e059b3ab09d5d8e3c1b191da19e3 |
| SHA512 | 25e4b16d1ef9a039f6929d2a817c61cf099eeeee768cde71ff93168209f62c50f33e5bb85ada103dd46190aaac1e57375fd4c0436f3c0022693ea59c3f85f91e |
memory/2416-143-0x000000013F340000-0x000000013F694000-memory.dmp
memory/1776-144-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2520-145-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2416-146-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2988-147-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2868-148-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2416-149-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/1728-150-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/2416-151-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2060-152-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/3004-153-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/3052-154-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2736-155-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2812-156-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2808-157-0x000000013F120000-0x000000013F474000-memory.dmp
memory/3008-158-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2684-159-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2592-160-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/1776-161-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2520-162-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2868-163-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2988-164-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/1728-165-0x000000013FFE0000-0x0000000140334000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 15:24
Reported
2024-05-25 15:27
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\eClWJIX.exe | N/A |
| N/A | N/A | C:\Windows\System\JUKAQBe.exe | N/A |
| N/A | N/A | C:\Windows\System\TTDaukT.exe | N/A |
| N/A | N/A | C:\Windows\System\BHYcFKF.exe | N/A |
| N/A | N/A | C:\Windows\System\oYGlQGC.exe | N/A |
| N/A | N/A | C:\Windows\System\WQynLBT.exe | N/A |
| N/A | N/A | C:\Windows\System\misGKEV.exe | N/A |
| N/A | N/A | C:\Windows\System\SXqmVGj.exe | N/A |
| N/A | N/A | C:\Windows\System\EIGVeoD.exe | N/A |
| N/A | N/A | C:\Windows\System\YlLcmzm.exe | N/A |
| N/A | N/A | C:\Windows\System\OeTPRTZ.exe | N/A |
| N/A | N/A | C:\Windows\System\KwNRgYK.exe | N/A |
| N/A | N/A | C:\Windows\System\pQvqqlH.exe | N/A |
| N/A | N/A | C:\Windows\System\ZrdSskn.exe | N/A |
| N/A | N/A | C:\Windows\System\YuIKCYS.exe | N/A |
| N/A | N/A | C:\Windows\System\GsBjHkZ.exe | N/A |
| N/A | N/A | C:\Windows\System\hiWJkML.exe | N/A |
| N/A | N/A | C:\Windows\System\yszfomq.exe | N/A |
| N/A | N/A | C:\Windows\System\oSTfqro.exe | N/A |
| N/A | N/A | C:\Windows\System\UOIHnLY.exe | N/A |
| N/A | N/A | C:\Windows\System\VHjVQYM.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_84d2357a214a103f01e61d50a7fe8df2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\eClWJIX.exe
C:\Windows\System\JUKAQBe.exe
C:\Windows\System\TTDaukT.exe
C:\Windows\System\BHYcFKF.exe
C:\Windows\System\oYGlQGC.exe
C:\Windows\System\WQynLBT.exe
C:\Windows\System\misGKEV.exe
C:\Windows\System\SXqmVGj.exe
C:\Windows\System\EIGVeoD.exe
C:\Windows\System\YlLcmzm.exe
C:\Windows\System\OeTPRTZ.exe
C:\Windows\System\KwNRgYK.exe
C:\Windows\System\pQvqqlH.exe
C:\Windows\System\ZrdSskn.exe
C:\Windows\System\YuIKCYS.exe
C:\Windows\System\GsBjHkZ.exe
C:\Windows\System\hiWJkML.exe
C:\Windows\System\yszfomq.exe
C:\Windows\System\oSTfqro.exe
C:\Windows\System\UOIHnLY.exe
C:\Windows\System\VHjVQYM.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.239.69.13.in-addr.arpa | udp |
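The Network table above mixes three kinds of rows: reverse-DNS lookups the sandbox resolver performs for every address it sees, Bing/Microsoft background traffic from the Windows 7 image, and the sample's own connections. The script below is an added example (not part of the sandbox report or its tooling) that separates them. SAMPLE_ROWS is a constructed excerpt of the table, including rows where the Domain cell is empty and the protocol slid into it; the list of telemetry suffixes treated as benign is an analyst assumption, not something the report states.

```python
"""Triage a sandbox Network table into DNS noise, sandbox telemetry and hunt candidates.

Added example, not part of the original report. SAMPLE_ROWS is a constructed
excerpt of the table. BENIGN_SUFFIXES is an analyst assumption: Bing hostnames
are background traffic of the Win7 sandbox image, not traffic from the sample.
"""
import ipaddress
from collections import Counter

SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| DE | 3.120.209.58:8080 | tcp | |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | tcp | |
""".strip().splitlines()

BENIGN_SUFFIXES = ("bing.com", "bing.net")  # assumption: sandbox image telemetry
PROTOS = {"tcp", "udp"}


def parse_row(line):
    """Return (country, ip, port, domain, proto), or None for the header and non-row lines.

    Handles rows whose Domain cell is empty with the protocol shifted into it.
    """
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Country":
        return None
    country, dest, domain, proto = cells
    if proto == "" and domain.lower() in PROTOS:
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    return country, ip, int(port), domain, proto.lower()


def is_rdns(domain):
    return domain.endswith((".in-addr.arpa", ".ip6.arpa"))


def is_benign_telemetry(domain):
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def triage(rows):
    """Split rows into (dns_noise, telemetry, suspects).

    suspects is a Counter keyed by (ip, port) for direct connections with no
    resolved name, or ("dns", name) for queried names that are neither rDNS nor
    telemetry; the count records how often the same row recurs (beaconing).
    """
    dns_noise, telemetry, suspects = [], [], Counter()
    for line in rows:
        parsed = parse_row(line)
        if parsed is None:
            continue
        _country, ip, port, domain, proto = parsed
        if port == 53 and proto == "udp":
            if is_rdns(domain) or is_benign_telemetry(domain):
                dns_noise.append(domain)
            else:
                suspects[("dns", domain)] += 1
            continue
        if domain and is_benign_telemetry(domain):
            telemetry.append((ip, port, domain))
            continue
        if not ipaddress.ip_address(ip).is_global:
            continue  # private or sandbox-internal address, nothing to hunt for
        suspects[(ip, port)] += 1
    return dns_noise, telemetry, suspects


def hunting_indicators(suspects):
    """Render suspects as 'ip:port' or bare hostnames, most frequent first."""
    out = []
    for key, _count in suspects.most_common():
        out.append(key[1] if key[0] == "dns" else f"{key[0]}:{key[1]}")
    return out


if __name__ == "__main__":
    noise, bg, hits = triage(SAMPLE_ROWS)
    print(f"{len(noise)} DNS noise rows, {len(bg)} telemetry rows")
    for indicator in hunting_indicators(hits):
        print("hunt:", indicator)
```

Run against the full table, the only destination left after filtering is 3.120.209.58:8080, reached repeatedly over TCP with no preceding name lookup; that is the indicator to search for in proxy and firewall logs. The report attributes the sample to both Cobalt Strike and XMRig and does not say which component owns the connection, so the script reports the endpoint without labelling it.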
Files
memory/1472-0-0x00007FF7E5180000-0x00007FF7E54D4000-memory.dmp
memory/1472-1-0x000001BEFFE60000-0x000001BEFFE70000-memory.dmp
C:\Windows\System\eClWJIX.exe
| MD5 | b080cfc6eb0fba19509a293a5dc7cdd1 |
| SHA1 | c451e335440ec59ac10c7fc0390f1191a53f966e |
| SHA256 | 9d9b7a575a4d61927f9240cfc7677a75414e6334ed2de0ad5edf8786265b4030 |
| SHA512 | d3a6126b1211d365a02e8cbb982b6d56d95035a842bc92a4724f98ae81b7b2d59e41f0125d54a297ad91b57d7311ebdf36a8dd74492ce43edce515728d35c38c |
memory/2868-8-0x00007FF79F8E0000-0x00007FF79FC34000-memory.dmp
C:\Windows\System\JUKAQBe.exe
| MD5 | 0969fdfbf8525dfaa65cf3c8c45721e5 |
| SHA1 | 643c778df73b906792fc2201d2b625ac45aa0a2b |
| SHA256 | 32562a3cd470e7f9c2eb5ae8f37792ac772074d2648ee6143cf533f2ecf4c4b4 |
| SHA512 | 43a36bcfbec44c37468a8f4b6ecb4dd3f4ecf8c967a15103d61657500ae696525145c2623b1365bc253b904e98d4da76c55d2236063145c377e20edd0ec98747 |
C:\Windows\System\TTDaukT.exe
| MD5 | adbfded45d5c0171993aa33fbac3ffc2 |
| SHA1 | 2356554eeabc6cbea9edb26b5fec61ee95a010a9 |
| SHA256 | 1fe6abfe5bdefdc0f7c1a36277a28e9c51e034243ccc4550958b8dde2c859b2e |
| SHA512 | 473034ce554a9e7c5b1c9aa2ab4e7a5ad44dcf94b89c288d1498522a7b93b64bc9266dffa028d8351e9e7b82e3b98d384e73c5020d052929ff8118991954e7a1 |
memory/2516-14-0x00007FF60F7B0000-0x00007FF60FB04000-memory.dmp
C:\Windows\System\BHYcFKF.exe
| MD5 | 9700d967b6fdc103452a5349b6da5af1 |
| SHA1 | d0d191c85fede1988489ebacb96176336a987f56 |
| SHA256 | e9549756607b051acef01c1a46a6c4f72eae7abec4f17389acd835d6ce61378e |
| SHA512 | 11560b5a0309224438fdf90478512d7772a1da9ef3c0d794178e3c285377d344e961ec76a591e952bca0ed13c937166e26dfb4e3340e219a11da96b555272e5e |
memory/972-29-0x00007FF6AFAB0000-0x00007FF6AFE04000-memory.dmp
C:\Windows\System\oYGlQGC.exe
| MD5 | c6d833cee896dc03df1391ecbdb2f933 |
| SHA1 | a8de2ca18c270121ace99442e06393513f4d3e9f |
| SHA256 | ecdf756febea6a160f16ae43311ba94c14c9d5fc7652247528768c6dc5006d1b |
| SHA512 | d4ade4df98918ddda3f5d4a7d749a9821c68e7d4340bdcde0d286a6262b2452abc6d48bb1f6d3576a6dff33655df052bf676f443aaff43a6977944c2ce815ffa |
memory/2608-36-0x00007FF7ABEE0000-0x00007FF7AC234000-memory.dmp
C:\Windows\System\WQynLBT.exe
| MD5 | 49448f67ff408f9b4a2e0ef3fc5c9a05 |
| SHA1 | 78a190745531baea9f69c0da43770d1805d4019b |
| SHA256 | c299e0b9979842e05b5f322352376cbd79d12021ab8a739bc1ef5ad346a4ec81 |
| SHA512 | 3619ae33e729de584ccfc9b32444f63f66eb84ae101df71e3f9d1e1c14fc593fecc5a160de9509b6280e02946fe99ab96355d1a16f5580ffd0798d9eb912cfc6 |
memory/2184-31-0x00007FF60BA70000-0x00007FF60BDC4000-memory.dmp
memory/1128-20-0x00007FF718910000-0x00007FF718C64000-memory.dmp
C:\Windows\System\misGKEV.exe
| MD5 | cc2fac417824c29350cc5c19f3aac57d |
| SHA1 | d3ea25d9ed19906b01a1483c67870bf4b8304a7f |
| SHA256 | 21928f45d6af2d0bc4cbe253d5b14bf501990b0469b86272c176baeba0b36b6e |
| SHA512 | c233ca3f4c29b488b58a9a1a150a73425ea2f69abf74c06e31254e5e993591e453c27ed357373894e9cc52796f5a6edf78dfe21c397ffdbacd6d7bad7d112a39 |
C:\Windows\System\SXqmVGj.exe
| MD5 | 81cafa302b25ecb6eba961f985e63143 |
| SHA1 | a90d41e0c8b0069e8d31bf56c1a2ba16c4989525 |
| SHA256 | bfe8191461c82b988f01df92233607ac803655992c8998bf4abf12d686bab562 |
| SHA512 | 431557ddaacff7618e4a2deb1efa7518036bd54f137e59b3a3ba810bf268506b41c3064bc0c80aa04eae4d7965d3cc2a281165ec49ab806c69eec9ccd255baad |
C:\Windows\System\EIGVeoD.exe
| MD5 | 1f7a65e1f5f5846eb40fb1f4ab6c4ebc |
| SHA1 | 700e157f260d82b443ec846ebf6a548dd0d6bae7 |
| SHA256 | 2931ac325670f048357e8f1c5ffa615a7faf2985db7276ab8f5d1cd626e794d0 |
| SHA512 | 516824eb5b8ffc5fb0c0bdb908a5c7f156a0c043c93d352b55651a946a88eb1f016b4f9985ffa7058216168be99411fc4220a9ab831129c51a3aa89007bea7d2 |
memory/3260-50-0x00007FF747D80000-0x00007FF7480D4000-memory.dmp
memory/464-44-0x00007FF6DC8F0000-0x00007FF6DCC44000-memory.dmp
memory/1344-56-0x00007FF63EE90000-0x00007FF63F1E4000-memory.dmp
C:\Windows\System\YlLcmzm.exe
| MD5 | 2030d61f5896860e13097de9d09dc6e7 |
| SHA1 | 79a8438901d0492062de836b491964400961e6ae |
| SHA256 | 66641a4cf88f1626ecfb5515b67530ba7aa75a24ce12ef152d835b13028aa6a9 |
| SHA512 | 0604d592975500b28ef4b2431b99a4ad1ed18d2528853dde51b84e1ed304e411ca2e32feb9cf03b7a0e0e8628f7b817b9886e135f4fbd1ee1ae414d186f84fc6 |
memory/1472-62-0x00007FF7E5180000-0x00007FF7E54D4000-memory.dmp
memory/4228-63-0x00007FF703B90000-0x00007FF703EE4000-memory.dmp
memory/3204-70-0x00007FF6C45C0000-0x00007FF6C4914000-memory.dmp
memory/2868-69-0x00007FF79F8E0000-0x00007FF79FC34000-memory.dmp
C:\Windows\System\KwNRgYK.exe
| MD5 | fae571fa902ace3be82dd9db5c86dca4 |
| SHA1 | 26f1773d1c4311a2b9d13620389e9c0f3a6ec4d1 |
| SHA256 | e7fdb4ef779254a11c6536952900b6c7e84e629d5f317b490a1355b49a03c759 |
| SHA512 | 6a9406779bbc27cad70a6245e294403e7a130dd84526b1bdbd10cfdb8e20d99b5dd3ae6bec3f4c5d8e0f48e793cf929019e5e3ed97233fea02e9570fa9c3da07 |
C:\Windows\System\pQvqqlH.exe
| MD5 | 12f4dca857996c8afb14151508773eb0 |
| SHA1 | 8c920828f3a1b32a03fe32ae5cdf5053566ce410 |
| SHA256 | 0530773ee62ff9a85c021a845a8f2847e58cba55ea7641e2d82422cfe4210a10 |
| SHA512 | f40db514437333818c56d1b895bdc8910218e7979b485cb7d33db48e1ab577b139cd27a0b864f3af668d9f6e1a3f465f7acb4717f0138d59fb19b1f19089d811 |
memory/1100-78-0x00007FF65B1C0000-0x00007FF65B514000-memory.dmp
memory/2516-76-0x00007FF60F7B0000-0x00007FF60FB04000-memory.dmp
C:\Windows\System\OeTPRTZ.exe
| MD5 | df54609db16b074f4e1179c74a8bbda8 |
| SHA1 | 24d4bad0dd3ddcc32e3c41501f1abde55124215e |
| SHA256 | a4e380131d9670a764bd17ce301cb98347f39c86a957fefa42b686aa34e34d54 |
| SHA512 | a7e4cf9510ec56cbaaa7aa73289b596646e20600d8a8f22310e47e1b75f07b7738df4c445610e60d51ae14c8820e482b256f937eea3bc3ace0b6b128d62696d8 |
C:\Windows\System\ZrdSskn.exe
| MD5 | d9be6fd2364ccce384582d8c5c38dd11 |
| SHA1 | 0b6bb6b48bb4ab0de0dd589bd8ca12524fe84fb3 |
| SHA256 | 7cf5888023c61cb5bd997df65c5d4758c0999fd82961051152119cbafff39e0f |
| SHA512 | cbe4e0fdd1a023a049c6ef718504f24c7ead9772d4673d25954c16f5937899b6ebca7545cf6bd0c318fe20f0c997105da5962a4da0aab6456a5eda3b498a931a |
C:\Windows\System\hiWJkML.exe
| MD5 | 6db09ab39fe4d47333390af0f8e16e2c |
| SHA1 | 1a2de607f503f8690e1e62e51d712ed6648ed57d |
| SHA256 | 62ea984143a5bc26887777b92aa3c9b3334466623817c407bd0052f797b76456 |
| SHA512 | e704f2816f4d91ef5c3d173d2cf22c9cf04a92fa66235885900b92e6b62de68678cf2cf867c548d9f805e79b4054ef353ce33883cf0c6a5c1f9758439c048b8d |
C:\Windows\System\GsBjHkZ.exe
| MD5 | 5584f82a8e5588e56718c6a16999a6a1 |
| SHA1 | 77896cc8008b930e8c44799bed99a6d5334248ae |
| SHA256 | 4ab3d50372ba8026f0b0da185fd540a50f380533ac7fbefdfee378be33d68134 |
| SHA512 | d21ced731d3663cc9747b6f5adadb040e3df563273e379522ca7d6c262a83d32dd5ce5a23cc37b8f5f9da877ed186c584e8c93dbd8d0d5ddc38b5736ad999dab |
C:\Windows\System\VHjVQYM.exe
| MD5 | 90654058c37e8b58190a6f7bcd49aaa3 |
| SHA1 | c88232bb5f62ce864338b7883f904164ac5f8781 |
| SHA256 | 8382cb120f8c93ebdfc53ce875cbba45eb683dc143eb28d6294687c07f31c928 |
| SHA512 | a537ca54f3a392c22e8440301c8345292e903d6b5cee0e216d830f5f4bef0bc14ba0a24a1dce3822d04dc71986456cbd565bfcc0783b92a6984a9492faf6dbad |
C:\Windows\System\oSTfqro.exe
| MD5 | c6304bfdc59cb23f7f56abc57eed6e66 |
| SHA1 | 6133d251802a836204152c600abdef81c46c3439 |
| SHA256 | 6fa94cee58825f749b0dfb51df36a845b773697bc852dd9bb09440ca528e4014 |
| SHA512 | 20360453e7f2b9418301716ea780cfc3a083590b5f0f9ebb67715bbad3c310f909b9a83c5e95c4699e493bf5e0809b0f53971c36a0888cf837e50c0faaddaddc |
memory/2608-127-0x00007FF7ABEE0000-0x00007FF7AC234000-memory.dmp
memory/4512-130-0x00007FF646BA0000-0x00007FF646EF4000-memory.dmp
C:\Windows\System\UOIHnLY.exe
| MD5 | 5cd96634ddbc211f8586353137e9b8a0 |
| SHA1 | 0ba98ea163da8a7740753e3fa22272f481cf600b |
| SHA256 | 7b8718d148f7da5c4856f911454afaa8251920e2e44b56ac5297761e7fa5cd6c |
| SHA512 | f305f70b803211bf7b438d471441a819bd2c1f6102bf84225bf35709e6c37f66f227c38dca6d7032f97f55db7520b425dffbf36e6840da3a9f3b65f76296b61b |
memory/748-129-0x00007FF648DF0000-0x00007FF649144000-memory.dmp
memory/2144-128-0x00007FF6FBB90000-0x00007FF6FBEE4000-memory.dmp
memory/1356-118-0x00007FF6542D0000-0x00007FF654624000-memory.dmp
C:\Windows\System\yszfomq.exe
| MD5 | 025854bce5255cadb9ccb4dff38c8319 |
| SHA1 | e95c308b96848f412166ee1a5d8f81290a45987a |
| SHA256 | 138fd2503ed52ba7934b30f93cfee2de14d7944cf1a4dc5f59eaa0377daf200d |
| SHA512 | 206501fc45fad017d677f498689439b46912ea6fa6683fec7ace98fab4c4771b5c0576264891ce3b245da2a2e4fac9c3b8012c54d8131c342ec2bdeb59e6a0c9 |
memory/4488-110-0x00007FF7944E0000-0x00007FF794834000-memory.dmp
C:\Windows\System\YuIKCYS.exe
| MD5 | e40c4b59872163964d82f9274bd64fc9 |
| SHA1 | 7ff3cae738b1404970b721b5371ff457ba56b67f |
| SHA256 | e7da74808c2ece0fa0f5d7aa9618c4b650836fb03d728c6779ecf4d0db3990e7 |
| SHA512 | 9e164932b4367df65b62c615d01f8bc949c68d6dcc5a43294f014033182941cb4e3b84b1aa0a24d033dc5351208a573b9cf5e6ef6d12430f4bec25ba882a94fd |
memory/1896-115-0x00007FF719730000-0x00007FF719A84000-memory.dmp
memory/2184-107-0x00007FF60BA70000-0x00007FF60BDC4000-memory.dmp
memory/1004-101-0x00007FF76F4B0000-0x00007FF76F804000-memory.dmp
memory/4052-96-0x00007FF631EE0000-0x00007FF632234000-memory.dmp
memory/2020-88-0x00007FF785F80000-0x00007FF7862D4000-memory.dmp
memory/1004-133-0x00007FF76F4B0000-0x00007FF76F804000-memory.dmp
memory/4488-134-0x00007FF7944E0000-0x00007FF794834000-memory.dmp
memory/1356-135-0x00007FF6542D0000-0x00007FF654624000-memory.dmp
memory/748-136-0x00007FF648DF0000-0x00007FF649144000-memory.dmp
memory/2868-137-0x00007FF79F8E0000-0x00007FF79FC34000-memory.dmp
memory/2516-138-0x00007FF60F7B0000-0x00007FF60FB04000-memory.dmp
memory/1128-139-0x00007FF718910000-0x00007FF718C64000-memory.dmp
memory/972-140-0x00007FF6AFAB0000-0x00007FF6AFE04000-memory.dmp
memory/2184-141-0x00007FF60BA70000-0x00007FF60BDC4000-memory.dmp
memory/2608-142-0x00007FF7ABEE0000-0x00007FF7AC234000-memory.dmp
memory/464-143-0x00007FF6DC8F0000-0x00007FF6DCC44000-memory.dmp
memory/3260-144-0x00007FF747D80000-0x00007FF7480D4000-memory.dmp
memory/1344-145-0x00007FF63EE90000-0x00007FF63F1E4000-memory.dmp
memory/4228-146-0x00007FF703B90000-0x00007FF703EE4000-memory.dmp
memory/3204-147-0x00007FF6C45C0000-0x00007FF6C4914000-memory.dmp
memory/1100-148-0x00007FF65B1C0000-0x00007FF65B514000-memory.dmp
memory/2020-149-0x00007FF785F80000-0x00007FF7862D4000-memory.dmp
memory/4052-150-0x00007FF631EE0000-0x00007FF632234000-memory.dmp
memory/1896-151-0x00007FF719730000-0x00007FF719A84000-memory.dmp
memory/4488-152-0x00007FF7944E0000-0x00007FF794834000-memory.dmp
memory/1004-153-0x00007FF76F4B0000-0x00007FF76F804000-memory.dmp
memory/1356-154-0x00007FF6542D0000-0x00007FF654624000-memory.dmp
memory/4512-156-0x00007FF646BA0000-0x00007FF646EF4000-memory.dmp
memory/2144-155-0x00007FF6FBB90000-0x00007FF6FBEE4000-memory.dmp
memory/748-157-0x00007FF648DF0000-0x00007FF649144000-memory.dmp
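The Processes and Files sections above are the hunt material: twenty-odd executables with random seven-letter names written to C:\Windows\System, their hashes, and memory dumps named after the process and the address range they were taken from. The script below is an added example (not part of the sandbox report or its tooling) that parses that layout into IOCs, checks hash lengths, sizes the dumped regions, and matches a Sysmon-style Hashes field against the dropped files. SAMPLE_FILES is a constructed excerpt of the listing; the dump-name layout (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp), the random-name path heuristic and the Sysmon "ALG=hex,ALG=hex" field format are the author's assumptions.

```python
r"""Turn a sandbox report's Files and Processes listings into hunt-ready IOCs.

Added example, not part of the original report. SAMPLE_FILES is a constructed
excerpt of the Files section. Assumptions: hash rows are '| ALG | hex |' lines
following a path line; memory dumps are named
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp; Sysmon's Hashes field is
'SHA256=...,MD5=...'; and a 7-letter .exe directly under C:\Windows\System
(the legacy folder, not System32) is the naming pattern seen in this report.
"""
import re
from collections import Counter

SAMPLE_FILES = r"""
memory/1472-0-0x00007FF7E5180000-0x00007FF7E54D4000-memory.dmp
memory/1472-1-0x000001BEFFE60000-0x000001BEFFE70000-memory.dmp
C:\Windows\System\eClWJIX.exe
| MD5 | b080cfc6eb0fba19509a293a5dc7cdd1 |
| SHA1 | c451e335440ec59ac10c7fc0390f1191a53f966e |
| SHA256 | 9d9b7a575a4d61927f9240cfc7677a75414e6334ed2de0ad5edf8786265b4030 |
memory/2868-8-0x00007FF79F8E0000-0x00007FF79FC34000-memory.dmp
C:\Windows\System\JUKAQBe.exe
| MD5 | 0969fdfbf8525dfaa65cf3c8c45721e5 |
| SHA256 | 32562a3cd470e7f9c2eb5ae8f37792ac772074d2648ee6143cf533f2ecf4c4b4 |
memory/1472-62-0x00007FF7E5180000-0x00007FF7E54D4000-memory.dmp
memory/2868-69-0x00007FF79F8E0000-0x00007FF79FC34000-memory.dmp
""".strip().splitlines()

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
# Heuristic from this report's naming pattern (assumption): random 7-letter EXE in the legacy System folder.
DROP_PATH_RE = re.compile(r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_memory_dump(name):
    """Parse a memory dump name into pid, sequence number, address range and size; None if not one."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def parse_files(lines):
    """Return (dropped, regions): dropped maps path -> {ALG: lowercase hex}; regions is a list of dumps."""
    dropped, regions, current = {}, [], None
    for line in lines:
        line = line.strip()
        dump = parse_memory_dump(line)
        if dump:
            regions.append(dump)
            continue
        row = HASH_ROW_RE.match(line)
        if row and current is not None:
            alg, value = row[1], row[2].lower()
            if len(value) != HEX_LEN[alg]:  # a truncated or mangled hash is useless as an IOC
                raise ValueError(f"{current}: {alg} has {len(value)} hex chars, expected {HEX_LEN[alg]}")
            dropped[current][alg] = value
            continue
        if line:  # any other non-empty line starts a new dropped-file entry
            current = line
            dropped.setdefault(current, {})
    return dropped, regions


def region_sizes(regions):
    """Count distinct (pid, start, end) regions by size; repeated dumps of one region count once."""
    unique = {(r["pid"], r["start"], r["end"]): r["size"] for r in regions}
    return Counter(unique.values())


def suspicious_drop_path(path):
    """True for paths matching the report's drop pattern (see DROP_PATH_RE); System32 binaries do not match."""
    return bool(DROP_PATH_RE.match(path.strip()))


def match_sysmon_hashes(hashes_field, dropped):
    """Return the dropped-file paths whose hashes match any algorithm in a Sysmon Hashes field."""
    seen = {}
    for part in hashes_field.split(","):
        alg, _, value = part.partition("=")
        seen[alg.strip().upper()] = value.strip().lower()
    return sorted(path for path, hs in dropped.items()
                  if any(hs.get(alg) == value for alg, value in seen.items()))


if __name__ == "__main__":
    files, dumps = parse_files(SAMPLE_FILES)
    for path, hashes in files.items():
        print(path, "suspicious-path" if suspicious_drop_path(path) else "", hashes.get("SHA256"))
    for size, count in region_sizes(dumps).items():
        print(f"{count} region(s) of {size:#x} bytes")
```

Sizing the dumped regions is what makes the memory list readable: every 0x00007FF6...-0x00007FF7... range in the report spans exactly 0x354000 bytes, one per dropped process, while the single 0x10000-byte region in PID 1472 is a different allocation. Identical-size images across every child process are what you would expect when each dropped executable unpacks the same payload, which is consistent with the UPX and XMRig signatures the report raises, although the report itself does not state the contents of those regions.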