Analysis Overview
SHA256: 4779a6b5c3bb606e6929737e4a58db86c50419f274c5c4cf1b5cd265a75a3815
Threat Level: Known bad
The file 2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Xmrig family
xmrig
Cobaltstrike
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
| Reported | 2024-06-09 21:30 |
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-06-09 21:29 |
| Reported | 2024-06-09 21:32 |
| Platform | win7-20240508-en |
| Max time kernel | 140s |
| Max time network | 154s |
| Command Line | |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pkFkGMy.exe | N/A |
| N/A | N/A | C:\Windows\System\zQcssCB.exe | N/A |
| N/A | N/A | C:\Windows\System\tbTWPZA.exe | N/A |
| N/A | N/A | C:\Windows\System\VCHXHTN.exe | N/A |
| N/A | N/A | C:\Windows\System\SQEhXIF.exe | N/A |
| N/A | N/A | C:\Windows\System\NHiqszG.exe | N/A |
| N/A | N/A | C:\Windows\System\LWqNinM.exe | N/A |
| N/A | N/A | C:\Windows\System\HTLkZai.exe | N/A |
| N/A | N/A | C:\Windows\System\yxdtKaS.exe | N/A |
| N/A | N/A | C:\Windows\System\QvENAFT.exe | N/A |
| N/A | N/A | C:\Windows\System\foGWbzn.exe | N/A |
| N/A | N/A | C:\Windows\System\NwzqKsN.exe | N/A |
| N/A | N/A | C:\Windows\System\ItqrNig.exe | N/A |
| N/A | N/A | C:\Windows\System\ZiyaJjI.exe | N/A |
| N/A | N/A | C:\Windows\System\qQNCGWD.exe | N/A |
| N/A | N/A | C:\Windows\System\uOdpPso.exe | N/A |
| N/A | N/A | C:\Windows\System\TNJKVNK.exe | N/A |
| N/A | N/A | C:\Windows\System\QLGKsVN.exe | N/A |
| N/A | N/A | C:\Windows\System\ygwZQzg.exe | N/A |
| N/A | N/A | C:\Windows\System\tzGjiqJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jaqMdNR.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\pkFkGMy.exe | C:\Windows\System\pkFkGMy.exe |
| C:\Windows\System\zQcssCB.exe | C:\Windows\System\zQcssCB.exe |
| C:\Windows\System\VCHXHTN.exe | C:\Windows\System\VCHXHTN.exe |
| C:\Windows\System\tbTWPZA.exe | C:\Windows\System\tbTWPZA.exe |
| C:\Windows\System\SQEhXIF.exe | C:\Windows\System\SQEhXIF.exe |
| C:\Windows\System\NHiqszG.exe | C:\Windows\System\NHiqszG.exe |
| C:\Windows\System\HTLkZai.exe | C:\Windows\System\HTLkZai.exe |
| C:\Windows\System\LWqNinM.exe | C:\Windows\System\LWqNinM.exe |
| C:\Windows\System\yxdtKaS.exe | C:\Windows\System\yxdtKaS.exe |
| C:\Windows\System\QvENAFT.exe | C:\Windows\System\QvENAFT.exe |
| C:\Windows\System\foGWbzn.exe | C:\Windows\System\foGWbzn.exe |
| C:\Windows\System\NwzqKsN.exe | C:\Windows\System\NwzqKsN.exe |
| C:\Windows\System\ItqrNig.exe | C:\Windows\System\ItqrNig.exe |
| C:\Windows\System\ZiyaJjI.exe | C:\Windows\System\ZiyaJjI.exe |
| C:\Windows\System\qQNCGWD.exe | C:\Windows\System\qQNCGWD.exe |
| C:\Windows\System\uOdpPso.exe | C:\Windows\System\uOdpPso.exe |
| C:\Windows\System\TNJKVNK.exe | C:\Windows\System\TNJKVNK.exe |
| C:\Windows\System\QLGKsVN.exe | C:\Windows\System\QLGKsVN.exe |
| C:\Windows\System\ygwZQzg.exe | C:\Windows\System\ygwZQzg.exe |
| C:\Windows\System\tzGjiqJ.exe | C:\Windows\System\tzGjiqJ.exe |
| C:\Windows\System\jaqMdNR.exe | C:\Windows\System\jaqMdNR.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\pkFkGMy.exe
C:\Windows\system\VCHXHTN.exe
C:\Windows\system\tbTWPZA.exe
C:\Windows\system\zQcssCB.exe
C:\Windows\system\SQEhXIF.exe
C:\Windows\system\NHiqszG.exe
C:\Windows\system\HTLkZai.exe
C:\Windows\system\LWqNinM.exe
\Windows\system\yxdtKaS.exe
C:\Windows\system\QLGKsVN.exe
C:\Windows\system\ygwZQzg.exe
\Windows\system\jaqMdNR.exe
C:\Windows\system\tzGjiqJ.exe
C:\Windows\system\TNJKVNK.exe
C:\Windows\system\qQNCGWD.exe
C:\Windows\system\uOdpPso.exe
C:\Windows\system\ZiyaJjI.exe
C:\Windows\system\ItqrNig.exe
C:\Windows\system\foGWbzn.exe
C:\Windows\system\NwzqKsN.exe
C:\Windows\system\QvENAFT.exe
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-06-09 21:29 |
| Reported | 2024-06-09 21:32 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 142s |
| Max time network | 156s |
| Command Line | |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pkFkGMy.exe | N/A |
| N/A | N/A | C:\Windows\System\zQcssCB.exe | N/A |
| N/A | N/A | C:\Windows\System\VCHXHTN.exe | N/A |
| N/A | N/A | C:\Windows\System\tbTWPZA.exe | N/A |
| N/A | N/A | C:\Windows\System\SQEhXIF.exe | N/A |
| N/A | N/A | C:\Windows\System\NHiqszG.exe | N/A |
| N/A | N/A | C:\Windows\System\HTLkZai.exe | N/A |
| N/A | N/A | C:\Windows\System\LWqNinM.exe | N/A |
| N/A | N/A | C:\Windows\System\yxdtKaS.exe | N/A |
| N/A | N/A | C:\Windows\System\QvENAFT.exe | N/A |
| N/A | N/A | C:\Windows\System\foGWbzn.exe | N/A |
| N/A | N/A | C:\Windows\System\NwzqKsN.exe | N/A |
| N/A | N/A | C:\Windows\System\ItqrNig.exe | N/A |
| N/A | N/A | C:\Windows\System\ZiyaJjI.exe | N/A |
| N/A | N/A | C:\Windows\System\uOdpPso.exe | N/A |
| N/A | N/A | C:\Windows\System\qQNCGWD.exe | N/A |
| N/A | N/A | C:\Windows\System\TNJKVNK.exe | N/A |
| N/A | N/A | C:\Windows\System\QLGKsVN.exe | N/A |
| N/A | N/A | C:\Windows\System\ygwZQzg.exe | N/A |
| N/A | N/A | C:\Windows\System\tzGjiqJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jaqMdNR.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\pkFkGMy.exe | C:\Windows\System\pkFkGMy.exe |
| C:\Windows\System\zQcssCB.exe | C:\Windows\System\zQcssCB.exe |
| C:\Windows\System\VCHXHTN.exe | C:\Windows\System\VCHXHTN.exe |
| C:\Windows\System\tbTWPZA.exe | C:\Windows\System\tbTWPZA.exe |
| C:\Windows\System\SQEhXIF.exe | C:\Windows\System\SQEhXIF.exe |
| C:\Windows\System\NHiqszG.exe | C:\Windows\System\NHiqszG.exe |
| C:\Windows\System\HTLkZai.exe | C:\Windows\System\HTLkZai.exe |
| C:\Windows\System\LWqNinM.exe | C:\Windows\System\LWqNinM.exe |
| C:\Windows\System\yxdtKaS.exe | C:\Windows\System\yxdtKaS.exe |
| C:\Windows\System\QvENAFT.exe | C:\Windows\System\QvENAFT.exe |
| C:\Windows\System\foGWbzn.exe | C:\Windows\System\foGWbzn.exe |
| C:\Windows\System\NwzqKsN.exe | C:\Windows\System\NwzqKsN.exe |
| C:\Windows\System\ItqrNig.exe | C:\Windows\System\ItqrNig.exe |
| C:\Windows\System\ZiyaJjI.exe | C:\Windows\System\ZiyaJjI.exe |
| C:\Windows\System\qQNCGWD.exe | C:\Windows\System\qQNCGWD.exe |
| C:\Windows\System\uOdpPso.exe | C:\Windows\System\uOdpPso.exe |
| C:\Windows\System\TNJKVNK.exe | C:\Windows\System\TNJKVNK.exe |
| C:\Windows\System\QLGKsVN.exe | C:\Windows\System\QLGKsVN.exe |
| C:\Windows\System\ygwZQzg.exe | C:\Windows\System\ygwZQzg.exe |
| C:\Windows\System\tzGjiqJ.exe | C:\Windows\System\tzGjiqJ.exe |
| C:\Windows\System\jaqMdNR.exe | C:\Windows\System\jaqMdNR.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
C:\Windows\System\pkFkGMy.exe
| MD5 | 9b88a0dc12e2f1c3eef6bf54f35b6379 |
| SHA1 | fc04890e577ef33e6611c8d3b41521feb93dd372 |
| SHA256 | 1d48bd7a006c324e994b859650e4c45c9b9048dfee33e8321b240e16607b0d0f |
| SHA512 | 0e0cadc13a76ee3dff1c9c7887193c19d7cdd5f7205a16a1065a8eef7d90e1241e2ba328c8f054bbe97cb4fa33e272bc45852a0b0daadc3da7c04d0f6a711de8 |
C:\Windows\System\zQcssCB.exe
| MD5 | 67b828e554a5ae91eae0837e09f069c5 |
| SHA1 | 17fa15e1dfe229ef05c3e51910d3d6ddb24a002d |
| SHA256 | b017391d7fe7dc0d7b0a8ac80b3a5e333732c6048fdf565d7a75ce26b0a7ce14 |
| SHA512 | 2d2a5679ffb99ae664b2e7070b15888553e4ccd9b118b9c838c3c2485332c0d7fa08490ba1879c9863d6f78ac55dfb01cbb90427e4a1d7afcdce33b29745cd04 |
C:\Windows\System\VCHXHTN.exe
| MD5 | 7ae683da5839006a226950b10e50e3db |
| SHA1 | 895aaa41a20d4bba42e0870a659f950d514e56d7 |
| SHA256 | c3ad82901bab4a78ea191679c45577e18b03235146f434e255f68d85fa50e81f |
| SHA512 | fa2af20f3c276d681e312b0100a2d3fc6d23a26827e6cb3f3e78f8a4d51edc1868d203040bf05dbd9899165d6416fb6655c7d9769eaf15f06db8314d8aa86cd6 |
C:\Windows\System\tbTWPZA.exe
| MD5 | 2f7997422ee3c55e3e21b02cb2afae75 |
| SHA1 | 159b7d5d33def7f387367ef10082ea3e5e17876d |
| SHA256 | bd30f36772cbfcc16d8fb691ad96af17dc4e442383da5b4e8d5066da5abc7e91 |
| SHA512 | 1dd2b7b1b5db66472c9e84a8c7656288ad458329672ac9f0a9195cd1e4ecac5dd7cf42a2060ae11dcd3649863ba181eb701b23bee9fe68d6520bc62bc6a36597 |
C:\Windows\System\SQEhXIF.exe
| MD5 | ed2dee693b69ce0087a84a4d7e554dbf |
| SHA1 | ecf15424a0068583205c1468d4074f1841fcce51 |
| SHA256 | b74ed7dca4fffa6f142155a866479d3f4bf94df82680ceb1880d8eedc0a400cc |
| SHA512 | 2fc1f2110f62f90f3da4f06a30a369a96e4ad15594864cac4632346498a6e346aacf17ff93777710854b08067b720ea9e91797eb05bbfda21575388ce237bafe |
C:\Windows\System\NHiqszG.exe
| MD5 | 6cc7c6ce873a150c31ec8d84ce029bdf |
| SHA1 | 89680537e2f589687cc11f063820d9f5cebd88e2 |
| SHA256 | fdb935ab52fccb93964432711e6a82ca709b40b853017074d7a242858fcb556e |
| SHA512 | d4042581bb6f305d7401faefff76c5d490411f8b398e832b79d7dce9e02ba8d069d38056001105d3b48d60274ee1d3a60321e5d124a980b1051c17b97af5d583 |
C:\Windows\System\HTLkZai.exe
| MD5 | f940596492c124eca11b48dd9aa0c8b6 |
| SHA1 | 9b41e9206679aa5f80fc6b1cf59a7cc174c8c52d |
| SHA256 | bbd506f228328b3660744c6524c66674b797ac24ec2c1a4b1f36ad86905b6413 |
| SHA512 | f64877d9387309efca38081d7a9e18a60587fcded02148c3702d29c74904f58594773fd116c829fbb6f30523ef582bdab3d6cae57588c8aa50381d483b388a8c |
C:\Windows\System\yxdtKaS.exe
| MD5 | e22bf7a71834d66d73cc16c7a44c9d51 |
| SHA1 | 872492eb460855a02afe5adbaffdb16b0f16e230 |
| SHA256 | 99d0d7e03908bbd25ee8446fd0f22c7675431979dfa78fbc736f32ce62cd7d4a |
| SHA512 | 14584d311c33381c30ff382555c846f2994ee20d1bcc459fff90ade5b856d247beaf5e5b496ddaf319e53fa7ab1b178d0220d704d3153a3252ff7fcda5cf5575 |
C:\Windows\System\LWqNinM.exe
| MD5 | af39a8c3c4265719da3e0aea0b8fd9bb |
| SHA1 | 1f977ea80bb98fad0f8199f0689c8af191be46b3 |
| SHA256 | 1fa6a06d44ee554c652d8bb198438796e1d22667cf434203c2a281af7203af8d |
| SHA512 | 0d984d802881d91cd93453bbdf5bb5bf91ad2a8f342f222d53ed441d6ded93aee4b3b088401f5651c252c55ff9e06e1a8c69aa7bfb807ce876f060134e2953b7 |
C:\Windows\System\QvENAFT.exe
| MD5 | caec2d14f7040cceb85e60fc633a8f0b |
| SHA1 | 5e837d2ec3329e2f1094a5e99e358eb930319451 |
| SHA256 | 854efbb3e06af32360c607e913f1ab285bfeb8bb41f67ad4e713cf4de8502625 |
| SHA512 | acf2ae5dddab09a8ff8d571e55ea40d0eb7e1c951ecf770118a510e40930a3f282cb1d131a648562650bbf66b6a65cc9670b97886ebb833a9a34918fd3a3e6aa |
C:\Windows\System\foGWbzn.exe
| MD5 | 3bad29f47325c67c8b98821405a7d2ac |
| SHA1 | 4ad7e7305ca02946ad3e9dae04d7c5fab4546d9e |
| SHA256 | 0037bf92c6d3bbb963fd898621ff9ddaf3be982489277c181e73885a1eb2fd61 |
| SHA512 | b448bf7502b94afce2bfeabfdc53d30e51fd84a03e570c394d8709bc5d8c2290a14b75a34c066b6433328c33dc308ba9f010c67e19d9b897a1f8573b63e39fe7 |
C:\Windows\System\NwzqKsN.exe
| MD5 | 3aa09174fe7939c3cd116eefbc83c7df |
| SHA1 | 7f1d984d7debc7993544ebe3aaf5fc3dba829257 |
| SHA256 | 185ac90a414527dc1e62765c84a018253c5ccbed1aec6a241a26f811a933a35d |
| SHA512 | 1e885e6c8bf95eeff27a340e448ac4616afe621995726846c163b1919e20b26a4461fadf0e22f545ced3009902801fbfb6be9fdb45cdf18fc913c2fe113f6900 |
C:\Windows\System\ItqrNig.exe
| MD5 | 247b636d058f93164851f9a78934240e |
| SHA1 | 07cd6225f10c897252b42b302ffe774e2850f25d |
| SHA256 | 060c8a9b0e01a0128984b70e99a78bb20b7c5c8fa83dc878167fcb41d563ba9b |
| SHA512 | 5b849a1f467e8f004d0bb08d4be70cd35b332bed5fafa7fc3cd1ecca36718b2cdc473a05f92e3cd09f60bfe24d5094c2f06890a0bf2722dbaa178249e4ea9d2c |
C:\Windows\System\ZiyaJjI.exe
| MD5 | e56aa014dd55849a5d9d097e9e3855ac |
| SHA1 | 3f75552d40a8463293018167f5fb620f3e5470ec |
| SHA256 | a7fc8c7294b8c3862b88e61e0032631721f2c2ab5e6f2d9f83957fb445cc37dd |
| SHA512 | d8f4482cbe4213169fdda0f16fc5811eafa413def2e3f5b525e41a63255fdcbc2b247511ac62fbdf776ee62081fd10775699bbf8bdd2bf77f8fcb7efd51d7383 |
C:\Windows\System\qQNCGWD.exe
| MD5 | 7319cd32f72dff84c3df2a40277083d9 |
| SHA1 | e6194934e10620330d400a7b1010d73bdca53c80 |
| SHA256 | 2b7eee50c5170a16e71f2ac2064784847044c55f170f6cfe9bacdafe0d092780 |
| SHA512 | 1a96dfda1f9be9aaf503191dd15d76e14dc8026d89d62f6ae046dd91e12f3b212e44007068fd783551d9e7418d6096403c8dbdcfb6199e589e953c3d84461613 |
C:\Windows\System\uOdpPso.exe
| MD5 | 73a8f5616aa35326986d84bf09469e48 |
| SHA1 | ece82facb5a120cb7b952f4af2fbb55f53ffa8a5 |
| SHA256 | f81d2e35904e343e629e0082320513917ea04e918ef93546da900bae434ad59a |
| SHA512 | cb0bd39c469fa49e65d414374cfa0bf3b2bf7ce1533e12e616a9923932939b2d2ce57445f040e7c8ed8a22d4ef506a0f714353e43d79fad902b6afa5c23af568 |
C:\Windows\System\TNJKVNK.exe
| MD5 | 3c114d37694e4868f124e0b8a4e52932 |
| SHA1 | 2ff00d0e780f802786d875a2c7900ccb9549729a |
| SHA256 | df830f5004872aa2610e584ad3d1645e7f44e22c153e1e66165f9fc260d78457 |
| SHA512 | 5f7d5b74900e588223b6a11138e1fa35dd7384dc95ae06f4555afce0ea52434c19130f2ec1e523df3fe9a944c814a4812582b46f3ef78f69fcacb2dbfc37e88e |
C:\Windows\System\ygwZQzg.exe
| MD5 | 7f573638c8e22022dd5dfb27b8c09bbc |
| SHA1 | e0021efcda9d6de98eab65dad0f1a37c31b351ce |
| SHA256 | cf21f5e9a5b7b1f1ac16f56ec130fe74b15c1cc3b03820c84372b4cf04bcc735 |
| SHA512 | 5e04e4ef8c6f87b835cb6a88ff562890d2c35e469ed1e9d4e8a0bd8d2c60c3588e756c3b56c1d5bd4dba238611809f6c35b48ffd25889d8b06b09ab7f33b8ab4 |
C:\Windows\System\QLGKsVN.exe
| MD5 | 023e3d4f2fc6ae1c3ec76c906b887dc6 |
| SHA1 | e0754de08f3f40958c635d24b9e7a8ee1b01e6f6 |
| SHA256 | 39498dcc2769c2ff609571fe257d8830690b858b6b05ac27c19f18e141c49fa1 |
| SHA512 | d71c14b66458a761ea6812ccba1326d2ae9e3c4308551cd66932526cb96c9102853e0cc3f7fa931ef6ea236600cd169e7f89a8df22f5823c8775d338a615c1b0 |
C:\Windows\System\tzGjiqJ.exe
| MD5 | 1a40026d37bb906c68f39b864cfbc2f8 |
| SHA1 | fb087b85bd4da0e94daeb28023b7f1a63d57c091 |
| SHA256 | fac2e2f7536ee0787aabc4f62d50a4107402390961a4a1a942a2d38f3e26d405 |
| SHA512 | 1dce385e438b79d1d5e6b4d3a518efff19ff5fcd43b347af58fcd654bcd25f4e0020367150e1aaf11ea2ccee39a002c1d710336274a732eadf8bd2af174a2f3c |
C:\Windows\System\jaqMdNR.exe
| MD5 | 69b1a4b0a22776ece358a5ba4bb8cca4 |
| SHA1 | fa80c9afa67afd8be46b737f3fb746d56e5066ae |
| SHA256 | b51c3f2b7e353677a10269da720a912d09992b16c1c6bb5f0131facf9d03d829 |
| SHA512 | 6f7b54e8729086d637ee700f7413cf57e081bff9450c54e4bdfbefd1c8c6e9259e6e38f1a345ff25eb10a96c493ce447fab61c8d5fd79db0ab5985c5c677df40 |