Analysis Overview
SHA256
c59291f38a24b4a1716001e176dde5f5bf0c6b9d5bae8f673ede0b444ac1db72
Threat Level: Known bad
The file 2024-06-14_bcf4733a4958264dccb424fb14ff20d6_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Cobaltstrike
xmrig
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobaltstrike family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-14 08:46
Signatures
Cobalt Strike reflective loader
1 hit; no indicator details recorded.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit; no indicator details recorded.
UPX dump on OEP (original entry point)
1 hit; no indicator details recorded.
XMRig Miner payload
1 hit; no indicator details recorded.
Xmrig family
UPX packed file
1 hit; no indicator details recorded.
Unsigned PE
1 hit; no indicator details recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 08:46
Reported
2024-06-14 08:49
Platform
win7-20240611-en
Max time kernel
124s
Max time network
138s
Signatures
Cobalt Strike reflective loader
21 hits; no indicator details recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; no indicator details recorded.
UPX dump on OEP (original entry point)
61 hits; no indicator details recorded.
XMRig Miner payload
64 hits; no indicator details recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jWJTzgz.exe | N/A |
| N/A | N/A | C:\Windows\System\whCtKkQ.exe | N/A |
| N/A | N/A | C:\Windows\System\vAXTsYc.exe | N/A |
| N/A | N/A | C:\Windows\System\lFSlVnP.exe | N/A |
| N/A | N/A | C:\Windows\System\KZLSkYJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZQIYECd.exe | N/A |
| N/A | N/A | C:\Windows\System\ijubZfl.exe | N/A |
| N/A | N/A | C:\Windows\System\UVgxbJI.exe | N/A |
| N/A | N/A | C:\Windows\System\cHLUtZF.exe | N/A |
| N/A | N/A | C:\Windows\System\enullQB.exe | N/A |
| N/A | N/A | C:\Windows\System\cRIaRnL.exe | N/A |
| N/A | N/A | C:\Windows\System\RESTqrr.exe | N/A |
| N/A | N/A | C:\Windows\System\NSiHBhS.exe | N/A |
| N/A | N/A | C:\Windows\System\vUzraEj.exe | N/A |
| N/A | N/A | C:\Windows\System\rVUsqJu.exe | N/A |
| N/A | N/A | C:\Windows\System\HNqIghq.exe | N/A |
| N/A | N/A | C:\Windows\System\lVVMpvs.exe | N/A |
| N/A | N/A | C:\Windows\System\HJgMybR.exe | N/A |
| N/A | N/A | C:\Windows\System\hZLKowO.exe | N/A |
| N/A | N/A | C:\Windows\System\jgvKtMJ.exe | N/A |
| N/A | N/A | C:\Windows\System\gMLgzrZ.exe | N/A |
Loads dropped DLL
UPX packed file
61 hits; no indicator details recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_bcf4733a4958264dccb424fb14ff20d6_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_bcf4733a4958264dccb424fb14ff20d6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bcf4733a4958264dccb424fb14ff20d6_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_bcf4733a4958264dccb424fb14ff20d6_cobalt-strike_cobaltstrike.exe"
Dropped executables run during this detonation (each launched with its own path as its command line):
C:\Windows\System\jWJTzgz.exe
C:\Windows\System\whCtKkQ.exe
C:\Windows\System\lFSlVnP.exe
C:\Windows\System\vAXTsYc.exe
C:\Windows\System\ZQIYECd.exe
C:\Windows\System\KZLSkYJ.exe
C:\Windows\System\UVgxbJI.exe
C:\Windows\System\ijubZfl.exe
C:\Windows\System\enullQB.exe
C:\Windows\System\cHLUtZF.exe
C:\Windows\System\cRIaRnL.exe
C:\Windows\System\RESTqrr.exe
C:\Windows\System\NSiHBhS.exe
C:\Windows\System\vUzraEj.exe
C:\Windows\System\rVUsqJu.exe
C:\Windows\System\HNqIghq.exe
C:\Windows\System\lVVMpvs.exe
C:\Windows\System\HJgMybR.exe
C:\Windows\System\hZLKowO.exe
C:\Windows\System\jgvKtMJ.exe
C:\Windows\System\gMLgzrZ.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
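The two behavioral runs on this page show one repeatable chain: the sample writes seven-letter, randomly named executables into C:\Windows\System\ (not System32), launches each of them, adjusts its own token for SeLockMemoryPrivilege (the privilege XMRig requests so it can back RandomX with large pages), and the run repeatedly connects to 3.120.209.58:8080. The Python below is an added example, not output of the sandbox or code from the sample, that turns those observations into detection logic over a handful of constructed endpoint events. The flat event schema, the process IDs, the shortened sample path and the seven-letter filename constraint are all assumptions made for illustration; the IP, port, drop directory and privilege name come from the report.

```python
import re
from dataclasses import dataclass

# Indicators taken from the behavioral1/behavioral2 runs on this page.
C2_ENDPOINT = ("3.120.209.58", 8080)
MINER_PRIVILEGE = "SeLockMemoryPrivilege"
# Every dropped file in both runs is a 7-letter alphabetic name directly under
# C:\Windows\System\. The length constraint is an assumption generalised from
# these two runs; loosen it when hunting for variants.
DROP_PATH_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def detect(events):
    """Walk normalised endpoint events in time order and return Findings.

    Event dicts use an assumed flat schema (type, pid, image, ...) standing in
    for Sysmon 11/1/3 and Security 4703 records after SIEM normalisation.
    """
    findings = []
    dropped = {}  # lower-cased path of a suspicious drop -> pid that wrote it
    for ev in events:
        kind = ev["type"]
        if kind == "file_create" and DROP_PATH_RE.match(ev["path"]):
            dropped[ev["path"].lower()] = ev["pid"]
            findings.append(Finding("drop_in_windows_system", ev["pid"], ev["path"]))
        elif kind == "process_create" and ev["image"].lower() in dropped:
            writer = dropped[ev["image"].lower()]
            findings.append(Finding("exec_dropped_exe", ev["pid"],
                                    f"{ev['image']} (written by pid {writer})"))
        elif kind == "privilege_adjust" and ev.get("privilege") == MINER_PRIVILEGE:
            findings.append(Finding("lock_memory_privilege", ev["pid"], ev["image"]))
        elif kind == "net_connect" and (ev["dst_ip"], ev["dst_port"]) == C2_ENDPOINT:
            findings.append(Finding("known_c2_endpoint", ev["pid"],
                                    f"{ev['dst_ip']}:{ev['dst_port']}/{ev['proto']}"))
    return findings


def triggered_rules(events):
    """Distinct rule names fired by detect(); useful for a per-host verdict."""
    return {f.rule for f in detect(events)}


# Constructed sample telemetry (not from the report): the first four events
# mirror the behavioral1 chain, the last two are benign noise that must not fire.
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 1056,
     "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "path": r"C:\Windows\System\jWJTzgz.exe"},
    {"type": "process_create", "pid": 2692, "ppid": 1056,
     "image": r"C:\Windows\System\jWJTzgz.exe"},
    {"type": "privilege_adjust", "pid": 1056,
     "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "privilege": "SeLockMemoryPrivilege"},
    {"type": "net_connect", "pid": 2692, "image": r"C:\Windows\System\jWJTzgz.exe",
     "dst_ip": "3.120.209.58", "dst_port": 8080, "proto": "tcp"},
    {"type": "file_create", "pid": 800, "image": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\System32\config\SOFTWARE.LOG1"},
    {"type": "net_connect", "pid": 4000,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "23.62.61.73", "dst_port": 443, "proto": "tcp"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:24} pid={f.pid:<5} {f.detail}")
```

The rules are deliberately kept independent so that each one is a weak signal on its own (SeLockMemoryPrivilege is also requested by legitimate software such as database engines that use large pages); the verdict a practitioner would act on is several of them firing for the same process tree within one window, which is what `triggered_rules` feeds.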
Files
memory/1056-0-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/1056-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\jWJTzgz.exe
| MD5 | dc7280bd0ff8ffb38f2c0c3cd8b159cd |
| SHA1 | d36041500062d8e5e6d2952e2a375f1d5a778d18 |
| SHA256 | 5d34a9bf7980d3b57f2d1e6f8634626ea710d57c92fa5f57dd6cc364c906fcad |
| SHA512 | bc5a0251fc77c0cedd280f7f78798b16479133d5ce4c83a28047e6a54e5fbe0ab07fd370f1b69b71bfde54125418aaff4cd40a2c0bf86b444f77af499800272b |
memory/1056-6-0x000000013F3B0000-0x000000013F704000-memory.dmp
\Windows\system\whCtKkQ.exe
| MD5 | 22606542e61f5e8f80dea61196306e2a |
| SHA1 | 3b1ba180530aa51ca0811d9299cd984b3c076804 |
| SHA256 | 6aa56292b648128d3474fe8c87f0fe84fbc357461422802f7c8ab9567309140f |
| SHA512 | 2bbc169adeed5a8941fc98013f3d7932fa8f99f592d26b5be9d090779e50721cef691506a7e0a9b967d76f65349a0cdc3595952b3b7c3a9945f0636f25584e8d |
C:\Windows\system\lFSlVnP.exe
| MD5 | 27d22d8ed2b873f35ffd42fd6ee0cf6a |
| SHA1 | 3ed7c385fbf2503ef950ee3a674a964007dd0580 |
| SHA256 | d04b4254bdc266e73763e24bbc3a52251c9bbe6b0561c7a9880803809af1e5ef |
| SHA512 | 56513affcd135e3aef184f314d131321eaba432f414868545b0a71ff64a7baafaaec98ed4ce74ba7c37a273f309468a9df3df0cb76e956478ce2915f5caa951d |
memory/1056-15-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\vAXTsYc.exe
| MD5 | 2e82ba6f5065d0f3046c86041da7159b |
| SHA1 | b580abeaeb06a89039e9bf62b90447ba765c721a |
| SHA256 | cb9bced1a12bf7f845b98e51b0d6f32eaef63aa137a991bbb70182686a31b8d6 |
| SHA512 | fdd349e161680e79b6b69db498adc7e3bb85c75369a85bff4550f7a2ad43b1463af469417e0fa2e2d631f11cc9624b3a512f5477c7c4fde6f7139a23e3db7a50 |
memory/1056-24-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\KZLSkYJ.exe
| MD5 | 69df351c376c3bb01537fcb75626081a |
| SHA1 | d11913620a74e3d9948c9c5e8f8337b8f32c3956 |
| SHA256 | 8ca0591f88d98bc77ddd69604c8a5bfff92d8894151077f67791a417acccbc39 |
| SHA512 | 93c1ce97728e2c183a31847951cf712b6d4b6d5badb07ceba18374f6ccc5ebc2dc248b6c2d71b12f0df8a52a78a61cd6daf5a5f120587744a1ab04735a3804e5 |
memory/1056-39-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2680-42-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2780-32-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/3060-31-0x000000013F900000-0x000000013FC54000-memory.dmp
C:\Windows\system\ijubZfl.exe
| MD5 | 5a2b6c03e199dd4b3849af8cf61b4c77 |
| SHA1 | 477000f250c1a11a7fe17b0d53134e3ac98e0fba |
| SHA256 | f8319328834688119a9ef7a7e06202451ac68bbfd1c7a3e3849a40c0a8b64b4b |
| SHA512 | fbe7e27c2fe4c88e91859fd6b0eb399762ef3765098cfeb3b0b640fc42f8df9340ecdb681be2cf8b4b366a6f08eb63813da650ffd47b60c75d19697421621fbd |
\Windows\system\ZQIYECd.exe
| MD5 | 68d51b61de3139114d1e43e63897bf0e |
| SHA1 | 4b2408660a0394a6c0437add94674594ba552351 |
| SHA256 | c74efdade0e5b671f39a4729b6f071e547d140348e848edace76b53fe56af7dc |
| SHA512 | 7caf7a12b290ebec8c252026bfe53141ef890a9e16003cb22ff5f2be346c7ddf1ae57f0d169cf01be911ef9766e7c404cc02a04d2a319fb69fc2bafb6f58d53a |
memory/2520-52-0x000000013FB10000-0x000000013FE64000-memory.dmp
\Windows\system\cHLUtZF.exe
| MD5 | 075aef9a858d201d725b30a4a6521dfb |
| SHA1 | c42e3d1750c88e7962269960da870a9dc2718d35 |
| SHA256 | 71e1ffad3974345f1cab83284a6977a59d9eb6aaeadf7f2db8d672ecd695e501 |
| SHA512 | affb23303cb5f17b66d3d5d1792be3e5cd7d84c4bd08dce4d574edbe168d0622d00efdae6204634bbb3f6ca9979e3f60e9654ccc78cce9cd3a851f0a1dbadeff |
memory/1056-66-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/1056-68-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\enullQB.exe
| MD5 | 382fe7b11bcf63f2856ac7868694c7cf |
| SHA1 | 1c94a939e593ca1ba7a74beba19e35de3a681e39 |
| SHA256 | ac8bba38c39a35071d2d873df669f78705dba6c4e1cb477cbc265a727f05d3fe |
| SHA512 | 60e73885706404de4aa73dcd220564cc9d8a1fbe16da6bee49cdb05fca39f86c38c91044341b7017b26703ac95ceed127c2fc09e438d8c12f1cb6e55d62b76e0 |
memory/2672-71-0x000000013F1B0000-0x000000013F504000-memory.dmp
C:\Windows\system\UVgxbJI.exe
| MD5 | dd5da419350b9cab086f131a22196649 |
| SHA1 | 29e8a9909a6dc7b62c743d6e069da2967d287d4e |
| SHA256 | 3b9a71a4c5ac4e9672817aff857d7a0d5539f5e3ab6b0202dc95124ca40d7285 |
| SHA512 | e3b3bd726b7db08721e010f32f5192e1fabae7f1eb20dac262e5c2fc659a505e2484806baa23f480029052faaeaee790930cfae2f63facbdc3a694120317e86c |
memory/2676-60-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2680-82-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/524-79-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2560-86-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2820-95-0x000000013F710000-0x000000013FA64000-memory.dmp
C:\Windows\system\vUzraEj.exe
| MD5 | 576abe8fc22ce95f588f692fa40b8c1e |
| SHA1 | 2a812f636fb45e00d326d82cd5ffc480794d7057 |
| SHA256 | 62c350325018ab21af35a9a314e3134c8814c6db5cbb5f665af68b348e0ceabf |
| SHA512 | 3cdb17d4eaaf3eb200300b0bfd9b23c80822dc2efefb22b6614bca5ca6eb5e844bf68f6ac0d2a57b736b2aea5330d5134a6ae7c35ecdb3b3a2c21aaa402a250a |
memory/2940-104-0x000000013F200000-0x000000013F554000-memory.dmp
C:\Windows\system\jgvKtMJ.exe
| MD5 | 325ddb22a45eae32a3d0d9708b07a3a7 |
| SHA1 | e6af5fb2b46e1a25bd77285ed31567baeef0e365 |
| SHA256 | 8f69eaefd69ac4ceb2e2ecb8225bf8e45ec7b3f76e66c443687b15882cf8d6bf |
| SHA512 | 3c53f7ceb23cdfa47e671522bdca8ba7ec49eeadeb30c525dcb5af6f6c84f0ad82ea475fe424c5321a7b40eced569df8bef2f716565cd7aaf963fd6bb4d478eb |
\Windows\system\gMLgzrZ.exe
| MD5 | f50c60a9facb8b5405532efa4df7fd11 |
| SHA1 | ec6570ffdebef0a63dbd71b4b2f7f111ce80af94 |
| SHA256 | bc7a9c53270e9e18141c65726337ebfcd7c9ef746d793081c227c3c69f4ba9c8 |
| SHA512 | e47492458c2b4b811d740dc0caa1fabe4f862cf305b92aa74d9679c028f6eae8e8b49fa240bb9a0e9df0c6b283b6a5d49d25a1cbf4d7941b545a725787cfa70b |
C:\Windows\system\hZLKowO.exe
| MD5 | 0cd59f2be028edcdd1b24b92b7b377c2 |
| SHA1 | cd565d86880ed9b5a73eb2d79ce12660a38036f2 |
| SHA256 | 96bf336d6abe9722a11e83abf23cb75f3b23b35191b19fdec273027c9e982819 |
| SHA512 | 431c18d1ab9db3037288a614ff0079797040ea41696c210bdedff9b9a79c7f09ab09faa113ff49655ac12584287a90c52385a356a1b708a792916900d8de03cd |
C:\Windows\system\HJgMybR.exe
| MD5 | 43e697b2585548b8cd876a31960ead3b |
| SHA1 | 9f8ebc5cd59415c41786a4e6ada8794727aab374 |
| SHA256 | f50770e3e62e93c7063a8efdcfbc3332800a4680d5b83b5d5ac23e8b99adc04e |
| SHA512 | bcab5d2e8d73b0b98180fd3b937cb707cffb2c02651cc33b03fe12c37c6e497aebb49936219eeb92b4d3ed4674487413278aadd3cd978c3e85264eb7fa17d699 |
C:\Windows\system\lVVMpvs.exe
| MD5 | 59fd4a3a08e0641ee5bdb5653609243d |
| SHA1 | 91a51db92aa98f2a2e36cdcc3f692f668394f144 |
| SHA256 | ad31fa6e9b8e56f110ab90aa2e95ea1ba6ab2a2701d70b588b70f0d1466fe417 |
| SHA512 | 2f83d60bb0f307fc3ca393c80c9bb85c3247f7a2a9f32d5eda3fcf6ba3a08c3ea6d98a51e18625ca4d9065d069a3c7c4ff59fd94a979288678b6989d39a322f5 |
memory/2672-142-0x000000013F1B0000-0x000000013F504000-memory.dmp
C:\Windows\system\HNqIghq.exe
| MD5 | c180a059925832ca4b46f50fd16f3cb3 |
| SHA1 | 9680419aef53d4a94afaf51c606c13ef115b2098 |
| SHA256 | 6d0b927e531c465e7531d699c8439f6b4746c1bfd5950e35f04373ac8985648c |
| SHA512 | ebbe0b84155903b30b800f21ed1908dea27fd96209204a9dec859137889e036723642fd162005d2846da2ea8044e5e00898d8ccccbd4c37243af14c17d5a910a |
C:\Windows\system\rVUsqJu.exe
| MD5 | 35f3f9b1bd44afa7eb705c039fb290c5 |
| SHA1 | 2363b1e6bd970e3e65dd0106682ea9daca661ba7 |
| SHA256 | 12af81e070a159c478523d55c81e18803d60bbf26a8e378057387a816d9e55fd |
| SHA512 | 6a1a3151e1987c6b0cb9278d2398d9bd1e2a7465ba96011fdb88a30a01ca3e3313383d090328c1e63837491991bc4efe706d447094670a54101d9f38e637d9d6 |
memory/1056-109-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/1056-108-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/1056-143-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/1240-103-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/1056-99-0x000000013F200000-0x000000013F554000-memory.dmp
memory/1056-98-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2520-94-0x000000013FB10000-0x000000013FE64000-memory.dmp
C:\Windows\system\NSiHBhS.exe
| MD5 | d671f249f3bffbf88e351bdbab94b329 |
| SHA1 | e7f5ce57ebd35e335b31e18aef858943bb6c09ff |
| SHA256 | c5971aba764978686a87ce703efb9fdf78c549911b259c8febbf886267957344 |
| SHA512 | 9a94516bfdba029094839f8b9dfd28231835808de818c575727daea115ba763a37984ac13c5aa3d7189cd516eb471b36ab67aa0b75ca575d52444254df7a7e45 |
memory/1056-90-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\cRIaRnL.exe
| MD5 | cc08b5ac46883f88b83b0246824af0d1 |
| SHA1 | 0e60cfd1ec9a6f6212694e80555413caad859c9f |
| SHA256 | 5748dbb3ca0a24429d2a653981c2ba0cf4ad0b195384451b125b3ece949f6463 |
| SHA512 | 8c72937d61286259c66ed5434ae0634985319e5eabc867618cf0c029f2ae9fa9bc6621f6e265abb5db1454f61639d5a90cbebbf0d9a5edd207402674c5d1c26e |
memory/1056-75-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/524-144-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2768-74-0x000000013F950000-0x000000013FCA4000-memory.dmp
C:\Windows\system\RESTqrr.exe
| MD5 | 89325ffc63733ac5b649b657c21b12cb |
| SHA1 | 6b40b348c2ad7a1b839be8a98f291516001b6c75 |
| SHA256 | 840b6fe8e51fffda86598e699f9896bccb28a22de7be130948cd22f28db3ccb3 |
| SHA512 | b1c049a3603b0e40a459f557146f02031b9eabf0530085dd25238e3c717a4e550e9d5541cf2b936b33b27553ba73f05bee2d97d61f75d4ad1cb145816ac886fe |
memory/1056-83-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/1056-54-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2592-53-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/1056-47-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/1240-67-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/2768-38-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/1056-37-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/1056-145-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2692-18-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/1056-22-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2560-146-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2820-147-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/1056-148-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2940-149-0x000000013F200000-0x000000013F554000-memory.dmp
memory/1056-150-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2592-152-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/2780-154-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/3060-153-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2692-151-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2768-155-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2680-156-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2676-157-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2520-158-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/1240-159-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/2672-160-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/524-161-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2560-162-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2820-163-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2940-164-0x000000013F200000-0x000000013F554000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 08:46
Reported
2024-06-14 08:48
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Signatures
Cobalt Strike reflective loader
21 hits; no indicator details recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; no indicator details recorded.
UPX dump on OEP (original entry point)
64 hits; no indicator details recorded.
XMRig Miner payload
64 hits; no indicator details recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\JHXMXjP.exe | N/A |
| N/A | N/A | C:\Windows\System\DGCdleA.exe | N/A |
| N/A | N/A | C:\Windows\System\ibcpEri.exe | N/A |
| N/A | N/A | C:\Windows\System\XdlXoCX.exe | N/A |
| N/A | N/A | C:\Windows\System\scoVxSw.exe | N/A |
| N/A | N/A | C:\Windows\System\bWaLMXI.exe | N/A |
| N/A | N/A | C:\Windows\System\sRLjvLD.exe | N/A |
| N/A | N/A | C:\Windows\System\hGArhax.exe | N/A |
| N/A | N/A | C:\Windows\System\WgtEXEB.exe | N/A |
| N/A | N/A | C:\Windows\System\Fetngsi.exe | N/A |
| N/A | N/A | C:\Windows\System\qCLHBHz.exe | N/A |
| N/A | N/A | C:\Windows\System\iTAHetL.exe | N/A |
| N/A | N/A | C:\Windows\System\WLtJghD.exe | N/A |
| N/A | N/A | C:\Windows\System\tFzFWXr.exe | N/A |
| N/A | N/A | C:\Windows\System\QECbwNr.exe | N/A |
| N/A | N/A | C:\Windows\System\eACTCSs.exe | N/A |
| N/A | N/A | C:\Windows\System\HADTGZt.exe | N/A |
| N/A | N/A | C:\Windows\System\NeKydAH.exe | N/A |
| N/A | N/A | C:\Windows\System\foSMnvJ.exe | N/A |
| N/A | N/A | C:\Windows\System\adkglpe.exe | N/A |
| N/A | N/A | C:\Windows\System\BMJcOXX.exe | N/A |
UPX packed file
64 hits; no indicator details recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_bcf4733a4958264dccb424fb14ff20d6_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_bcf4733a4958264dccb424fb14ff20d6_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bcf4733a4958264dccb424fb14ff20d6_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_bcf4733a4958264dccb424fb14ff20d6_cobalt-strike_cobaltstrike.exe"
Dropped executables run during this detonation (each launched with its own path as its command line):
C:\Windows\System\JHXMXjP.exe
C:\Windows\System\DGCdleA.exe
C:\Windows\System\ibcpEri.exe
C:\Windows\System\XdlXoCX.exe
C:\Windows\System\scoVxSw.exe
C:\Windows\System\bWaLMXI.exe
C:\Windows\System\sRLjvLD.exe
C:\Windows\System\hGArhax.exe
C:\Windows\System\WgtEXEB.exe
C:\Windows\System\Fetngsi.exe
C:\Windows\System\qCLHBHz.exe
C:\Windows\System\iTAHetL.exe
C:\Windows\System\WLtJghD.exe
C:\Windows\System\tFzFWXr.exe
C:\Windows\System\QECbwNr.exe
C:\Windows\System\eACTCSs.exe
C:\Windows\System\HADTGZt.exe
C:\Windows\System\NeKydAH.exe
C:\Windows\System\foSMnvJ.exe
C:\Windows\System\adkglpe.exe
C:\Windows\System\BMJcOXX.exe
Network
Files