Analysis Overview
SHA256
0f154c31f6511c7bdddb539d70f851dc41126f90ac428023414b286aaa7e7a54
Threat Level: Known bad
The file 2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Detects Reflective DLL injection artifacts
xmrig
Cobaltstrike family
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobaltstrike
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 01:49
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 01:49
Reported
2024-06-01 01:52
Platform
win7-20240221-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\THgmydD.exe | N/A |
| N/A | N/A | C:\Windows\System\gIBJzOJ.exe | N/A |
| N/A | N/A | C:\Windows\System\kXUkVAP.exe | N/A |
| N/A | N/A | C:\Windows\System\EmMjLKl.exe | N/A |
| N/A | N/A | C:\Windows\System\vGjGHTc.exe | N/A |
| N/A | N/A | C:\Windows\System\wOaguwJ.exe | N/A |
| N/A | N/A | C:\Windows\System\gPZCDlN.exe | N/A |
| N/A | N/A | C:\Windows\System\txVoENQ.exe | N/A |
| N/A | N/A | C:\Windows\System\nJmLrPz.exe | N/A |
| N/A | N/A | C:\Windows\System\wzIhMpY.exe | N/A |
| N/A | N/A | C:\Windows\System\XBHyRtl.exe | N/A |
| N/A | N/A | C:\Windows\System\UFPVxPk.exe | N/A |
| N/A | N/A | C:\Windows\System\jzWsnQK.exe | N/A |
| N/A | N/A | C:\Windows\System\VyEUlPS.exe | N/A |
| N/A | N/A | C:\Windows\System\sQkqFwu.exe | N/A |
| N/A | N/A | C:\Windows\System\lblpqCU.exe | N/A |
| N/A | N/A | C:\Windows\System\RBGKZEF.exe | N/A |
| N/A | N/A | C:\Windows\System\lXIEuQb.exe | N/A |
| N/A | N/A | C:\Windows\System\dyOZnEY.exe | N/A |
| N/A | N/A | C:\Windows\System\ivxKSJq.exe | N/A |
| N/A | N/A | C:\Windows\System\czqRkCv.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\THgmydD.exe
C:\Windows\System\THgmydD.exe
C:\Windows\System\gIBJzOJ.exe
C:\Windows\System\gIBJzOJ.exe
C:\Windows\System\kXUkVAP.exe
C:\Windows\System\kXUkVAP.exe
C:\Windows\System\EmMjLKl.exe
C:\Windows\System\EmMjLKl.exe
C:\Windows\System\vGjGHTc.exe
C:\Windows\System\vGjGHTc.exe
C:\Windows\System\wOaguwJ.exe
C:\Windows\System\wOaguwJ.exe
C:\Windows\System\gPZCDlN.exe
C:\Windows\System\gPZCDlN.exe
C:\Windows\System\txVoENQ.exe
C:\Windows\System\txVoENQ.exe
C:\Windows\System\nJmLrPz.exe
C:\Windows\System\nJmLrPz.exe
C:\Windows\System\wzIhMpY.exe
C:\Windows\System\wzIhMpY.exe
C:\Windows\System\XBHyRtl.exe
C:\Windows\System\XBHyRtl.exe
C:\Windows\System\UFPVxPk.exe
C:\Windows\System\UFPVxPk.exe
C:\Windows\System\jzWsnQK.exe
C:\Windows\System\jzWsnQK.exe
C:\Windows\System\VyEUlPS.exe
C:\Windows\System\VyEUlPS.exe
C:\Windows\System\lblpqCU.exe
C:\Windows\System\lblpqCU.exe
C:\Windows\System\sQkqFwu.exe
C:\Windows\System\sQkqFwu.exe
C:\Windows\System\RBGKZEF.exe
C:\Windows\System\RBGKZEF.exe
C:\Windows\System\lXIEuQb.exe
C:\Windows\System\lXIEuQb.exe
C:\Windows\System\dyOZnEY.exe
C:\Windows\System\dyOZnEY.exe
C:\Windows\System\ivxKSJq.exe
C:\Windows\System\ivxKSJq.exe
C:\Windows\System\czqRkCv.exe
C:\Windows\System\czqRkCv.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2096-1-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2096-0-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\THgmydD.exe
| MD5 | 75319f8c897fdc9c25ba5401423ca493 |
| SHA1 | 2a888e977093361a97e79f06618d50929459955a |
| SHA256 | be1a1d34e7f251dbf6b885da459f11e32879059947c4a058e8fdb54913760eca |
| SHA512 | 22cf692c9ea322a5f045ddf938e37e8c60e57c0fcf018bd20a9fbee316d2e2dba9bc2246d2dd2e401dd06ea838c0da5d2acd3672848d644e3f5a6b8c0766de24 |
memory/2096-6-0x00000000024C0000-0x0000000002814000-memory.dmp
C:\Windows\system\gIBJzOJ.exe
| MD5 | 348c352e8787b0f16bfe1d95797a907c |
| SHA1 | 83176f4e2a842e5ec92ba7f53d9125ffa8829735 |
| SHA256 | 61726c8e43547363d1cda05055d8e1f16312ffee70637b022bdacf5c3b755318 |
| SHA512 | 9aa26fd746d87398dff87744b51e21c66f02b2ee86dbe31a5b4c93ce0ed7a69d5bba5cd91a99637b635ca4646e3e68debfebe4177c8b6b40da04be9b8ac77ed9 |
memory/1996-14-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2096-15-0x00000000024C0000-0x0000000002814000-memory.dmp
memory/2924-16-0x000000013F170000-0x000000013F4C4000-memory.dmp
C:\Windows\system\kXUkVAP.exe
| MD5 | 6f26c1b34617e315440f08a73c810c6d |
| SHA1 | f7caaf5107a15a8a831b9614d03c49528a7349d6 |
| SHA256 | 8b28daef17fc83b1da49e9cb189352dc8a6b09eb2eba3fb959b10a185e02dc13 |
| SHA512 | c82d0ed84aa25d7855ebee8c9667c09ed452619f5c56b81f6bcdb8cb22a176b847f45505759dc08231c50269aa36e5afbc04742aeea125883f482e184ed1c249 |
memory/2096-24-0x00000000024C0000-0x0000000002814000-memory.dmp
memory/2644-32-0x000000013F550000-0x000000013F8A4000-memory.dmp
C:\Windows\system\vGjGHTc.exe
| MD5 | cfc47e90971c794818ffe1e47c98c8bb |
| SHA1 | cb560c3e69e304b8d030bbd9abd83e304fc9965e |
| SHA256 | fb4f90e0afaf66446290b5e7acb7b279118d7a0d6822a0185529916faf2740c7 |
| SHA512 | 2050e69fac16a268a544b7ed0d27356431154a857eedcc2396bb61395a1d9f3923a08e02009546348db781b037015715b81f4f56bf6e2e4bad16a777e82c66ca |
memory/2096-29-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2580-39-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2948-42-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2096-44-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2096-43-0x00000000024C0000-0x0000000002814000-memory.dmp
C:\Windows\system\wOaguwJ.exe
| MD5 | d1aec7595a2c8a780f8eafe7682da821 |
| SHA1 | b7e854846b7544273635227833a53d1123566df0 |
| SHA256 | 56c4858e48b2f61df0ae1d8053e568612caebfe9635cc83e3909599dc47877e8 |
| SHA512 | 1d99501180b55eee705f9e827ecd15b7fd91dec793c2873a8d54e952df6f3a41e996c735a959cb6ba565b3490a632065e4f492c5aa61f65cc1cdcff165382a47 |
memory/2564-27-0x000000013F2C0000-0x000000013F614000-memory.dmp
C:\Windows\system\EmMjLKl.exe
| MD5 | 35868b1fb7fd78ea45a1d2222d4d2104 |
| SHA1 | 483a50b51c9b3c4ee58924dbbf756e3376462b84 |
| SHA256 | 7ac94b0d1b6fe5a0141542637ae9f0412cee809226e31ce9b5181efdc695c49e |
| SHA512 | 84faa620dd7bf990c4b5087757e089c508f8c1f8a5c4d449db60a8cfb37a80b6bcf75113bd3beecd382484331baf1b74d309c927233f6bb9dfe58254587a223a |
\Windows\system\gPZCDlN.exe
| MD5 | 1ba742a91defccc81e99362da2f9c5c4 |
| SHA1 | 3a085036fff6f07c8f28d02df8cb5adec98d0016 |
| SHA256 | 0394f6641ee0baccc0f76287f531b30fb363d5644de08919a56cc2d2cb732e53 |
| SHA512 | 274723e15bd6d9a2e087ae7c376c905c61cb59474f4ff262b6a1c8892d036638c2c65692e075b2eaf23241ac5033060fcb8c1b88ee13a944087a33794080ffa2 |
C:\Windows\system\gPZCDlN.exe
| MD5 | 38e1b7b0b9aa649f5c14f03127a6d132 |
| SHA1 | 3917ca36707cd2c4dba6b6926d34a14a7bb117b1 |
| SHA256 | ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72 |
| SHA512 | 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0 |
\Windows\system\txVoENQ.exe
| MD5 | b5e18313ad4f66275601bd7b1c8f47f9 |
| SHA1 | eb0dd5edb30c169741187b9b67ba547dc54d990c |
| SHA256 | 464fdbb641dd2d25ba5389142f5c6291af99e7e9525a378e12199449ed447e8d |
| SHA512 | 8555f09eae80295f34c85136534ab0e42d4606b2f9be8960d1c7b419770a778d8ee30ee664e188317f872af358c03d5dedffda07e2fad42eb9e2fe90a7726b57 |
memory/2680-57-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2752-51-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2096-50-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2096-63-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2432-65-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2096-64-0x000000013F180000-0x000000013F4D4000-memory.dmp
C:\Windows\system\nJmLrPz.exe
| MD5 | 8275dbc46688b802a429d71d26c02163 |
| SHA1 | e753fc1b7c855c971fc6e7a77f54b82efaffe414 |
| SHA256 | ebcb937f9bf665db3304d8d9cf6c187e301105055fc76dbf528151437acdadc4 |
| SHA512 | 486b13cc7346ff015509b40c7dfa48ea3bea05346fefe8cff883b49eee29ce220c63be724254c6dfafa2258166f0a601aac1fb13ad3f683cf86e82225cf8e49d |
\Windows\system\nJmLrPz.exe
| MD5 | 1d51a6f9f8f706d40a78f27cac287065 |
| SHA1 | 981c2096ede4558d1ebc91ef5d6ea849a5e05a26 |
| SHA256 | 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1 |
| SHA512 | f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97 |
\Windows\system\UFPVxPk.exe
| MD5 | 5d36821caf0e9fb46aeedabbe88b1d48 |
| SHA1 | fd580a8b9b54c3de43b817a8f0040d0f47b2e79a |
| SHA256 | 4820b0c97cd729aeadae72fc77879de0c54c3bf70c7aa5f3c742b540250e065e |
| SHA512 | 31ff05e78b7e7a86bedcdc435753ad7b1ecb0ea659dc59ac128bf8bd89d6c6fe15e485975407778690d0dd47f9fc85f8c751e980c972818a02e7d9bc330271df |
\Windows\system\VyEUlPS.exe
| MD5 | cf4c5cbc84f7c3a7abb0d67a29e83e21 |
| SHA1 | fdd9ef46cae8b84a6542a82777efddd25fd0b407 |
| SHA256 | 9824efa4258c989b01fdf5bd6f90e8afc4dbe7429c487cce0104b5b061d9b14a |
| SHA512 | 3f77be24c51b6c5a3b046dff27d9b8507ca78b87785216e536b02ab49c9bade358dc554d80c7649960bd74e0706ac4418b500f7adf548eac814e9f7b5e3abfb4 |
memory/2848-97-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/1632-108-0x000000013FE20000-0x0000000140174000-memory.dmp
C:\Windows\system\lblpqCU.exe
| MD5 | 8a8130a6aa3807024bc442b5bf25a39e |
| SHA1 | af7e815cc142487a893951d90695be6c9f7ab8bc |
| SHA256 | 576f567a479935a9df02bfcaefc4b710fe06b9385f408471a658fd9d939af1b3 |
| SHA512 | 1849e47419bbf0931b2d65886affbe13e610d236cefe8049c778d5a33984665863f368409fe7f9da57bb3b0d640fac173727195469d741278f1777f68754398d |
memory/2096-112-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2580-110-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
C:\Windows\system\ivxKSJq.exe
| MD5 | a7d25f5166036fb9016dfdb538693190 |
| SHA1 | 12018dd9f25ff555401768dedc6ee5d4c5a5d4e1 |
| SHA256 | 403f253649bac2ffc21811e94039517cb5c0bc07b55fac2492b3caef36a5d9df |
| SHA512 | 1021e76c3a1208424d6b091cd3e1c8cc067517596996a626f6a44fe60ba1d6459cf66f19091d87ad2d9517d51b99655c9579941e99bff7ed818b484f2ef44a1e |
\Windows\system\czqRkCv.exe
| MD5 | 4cf121e0ecfbf73cda9100c15ebfe7ab |
| SHA1 | ac0830c9955f80b7661626695b3802f1bb3ee620 |
| SHA256 | ea6e972976fda5872c976009d17572bfa6a17a7a6204e3f5bb44fa70f87755fd |
| SHA512 | 8e2230c04fe97fabcb320d0e349cb7584e149116c27891d7ec879bb79e49999fa35fc399a67edd7ad53e5b3a287620e54571210140f1806ed5f69a20fdf993ad |
\Windows\system\ivxKSJq.exe
| MD5 | 93bacfc3d845f374627b012c3a61a1e5 |
| SHA1 | f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae |
| SHA256 | 4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d |
| SHA512 | 63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83 |
C:\Windows\system\dyOZnEY.exe
| MD5 | c93afb183e72bba0b4a43614b8dc23da |
| SHA1 | 4d94442773263ceefddff0b8748350a6e846f6c0 |
| SHA256 | 8a2f8c9869d5e9aad964296f2881829244de06d2e8e0290d0d046372e3a5aabd |
| SHA512 | b71b1af9701814684e754fe65d7e242b73e0b2215f155aaa9ec0398d619df27548a1d29f8d3f0857d4ff05f56abce6aaf713f321ae28338bb7eb57f8e2bd32d5 |
C:\Windows\system\lXIEuQb.exe
| MD5 | c492a916ba43c3163d3a414c3ed42a39 |
| SHA1 | c7910f5cda281dc8062bdb4e602c8550cdd828dc |
| SHA256 | 7d7360ed11405b98c7b420593c57cc7b04a3b097d5275aed2d6c4940a1f38573 |
| SHA512 | 747468bb70ea84e0f28513196654d104ed7b46ea06db8491b284266cd9cb940666aaefa4ae07a2ca806db19b61cbb68e28ca9fcbc7070cdcd66f0a0cb5e92c98 |
C:\Windows\system\RBGKZEF.exe
| MD5 | a0543034fae1ac2e62c22ff4609a494f |
| SHA1 | 66be56a5109c0337d9bf3f399f6507dcfb24a381 |
| SHA256 | 5e66b00a1424fd4a14df013261e5d1b813605a1a796c77d7e71ce1ffcdeb2e0e |
| SHA512 | 36ebe770c9afbfe134e3290cf3c67c0053d672bfcfdd64753bfe43459514ea6534eabc1f8bd21298ea9e2904d5a619ee67cafc74e18a7960fcab1299ace5706b |
memory/2096-103-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2096-101-0x000000013FA30000-0x000000013FD84000-memory.dmp
C:\Windows\system\sQkqFwu.exe
| MD5 | 9a2d899dbcd4725e1180d2c1b05d00ba |
| SHA1 | d521ceca8a36e495a94eab69ae9ed42e59babec4 |
| SHA256 | d63a7b26df900d1edd7788128ee9b24cf99cf7cd7b4394d9e175c47ae548c73b |
| SHA512 | b27c1718210b3c977e8078ef8987ac86cf5b9283d2c19f3a50b0fe04df3c8e655fe3459d7775484d85f7b1b38ae80040c920848f0764aa9185545073d866bd3e |
memory/768-105-0x000000013FA30000-0x000000013FD84000-memory.dmp
\Windows\system\sQkqFwu.exe
| MD5 | 30ac98cd6ec57605801f546c6567c9ef |
| SHA1 | 6432a7a9703259b40c10be16db7b39adce1f130c |
| SHA256 | 1d79da8549c3799713a6109d1bea90e413cb0fc53e299dddf783bb6ae4dd26dd |
| SHA512 | 008fa4cea1ffdd4b38dc10823add1593d558af9d475052938882c7d1a85f52e714a536b08725eed77f52d0cd239c5e9bf7d392702d03009a532a7faeb1d5ef33 |
memory/2096-98-0x00000000024C0000-0x0000000002814000-memory.dmp
memory/2096-96-0x00000000024C0000-0x0000000002814000-memory.dmp
memory/1996-92-0x000000013F4B0000-0x000000013F804000-memory.dmp
C:\Windows\system\jzWsnQK.exe
| MD5 | dc0f4bd22e16e1a71ff73fa13dd5ccc8 |
| SHA1 | b5a70c13ef916cad764ccf811e02136fe5ba621c |
| SHA256 | 25afb732e6d904b25d2e6098360c2a10e71a6b4bf55d5e4bb9ab660ac52d9e37 |
| SHA512 | 6b9aedc79b0dce6c08afd9bad524df6e5ae340e17b5cec128e4e87c8d8b50cbf9ee76945826d0ca2121205e92c7b6fafabaedc786f2b1f4510b6c191d72e2809 |
memory/2604-88-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2496-84-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2096-79-0x00000000024C0000-0x0000000002814000-memory.dmp
C:\Windows\system\XBHyRtl.exe
| MD5 | 3c4936ba91eaa69f7fdbfccc9b857022 |
| SHA1 | d97c8ba6655ec64594f86192c6bdb9c832040c3a |
| SHA256 | f647e481490f98c412386808e010fe7c22bcbe8d3cebe4c6aae38fd2d6003c10 |
| SHA512 | 327dd607eb26134ae7933735d6de926b79e86a7c2a97c4f64919c1cdded613dd5e13b9c7b209f5d7e94d70772d16c0aa412b8bf1f7d9435384a504f194d13cc9 |
\Windows\system\XBHyRtl.exe
| MD5 | c303705661228a1a05937667079965cc |
| SHA1 | 2aeacd1f3de911a7cab7f9b5975499c11d4fdbc4 |
| SHA256 | 631d5817452e7aa6ee5178431348b5f3ac748691e6dd780e1e28c5a50d297dd9 |
| SHA512 | 30b1fd3ac4c95afbbf778a4d07c28b1cc38f1fed0f98e364cd490e10d4cf3d86b1ea771f343525c22ebc79b50870ebae03263efe911bbc990d8c0324e0e0a42f |
memory/2096-70-0x00000000024C0000-0x0000000002814000-memory.dmp
C:\Windows\system\wzIhMpY.exe
| MD5 | d2839ee0b656c2111c7bc1d77ec65d6c |
| SHA1 | 439184fcad2d9885a4ea90e93d61f8b1716d5018 |
| SHA256 | 327464db84f5ce777126171ad14fb29802792cc315ade2ee1e23a5932d8c3aa2 |
| SHA512 | db4b5059665ef3bac2b7224503eb4ab2b74b4df2585133df864f2e28e1a3b0295f0d1b3df3e5fe815277d7c54d3c253bc91f1665da07ff13f721a3ab04457a01 |
memory/2948-139-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2096-140-0x00000000024C0000-0x0000000002814000-memory.dmp
memory/2096-141-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2096-142-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/1996-144-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2924-143-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2564-145-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/2644-146-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2948-148-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2580-147-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2752-149-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2680-150-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2432-151-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2496-152-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2848-153-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2604-154-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/1632-156-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/768-155-0x000000013FA30000-0x000000013FD84000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 01:49
Reported
2024-06-01 01:52
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\THgmydD.exe | N/A |
| N/A | N/A | C:\Windows\System\gIBJzOJ.exe | N/A |
| N/A | N/A | C:\Windows\System\kXUkVAP.exe | N/A |
| N/A | N/A | C:\Windows\System\EmMjLKl.exe | N/A |
| N/A | N/A | C:\Windows\System\vGjGHTc.exe | N/A |
| N/A | N/A | C:\Windows\System\wOaguwJ.exe | N/A |
| N/A | N/A | C:\Windows\System\gPZCDlN.exe | N/A |
| N/A | N/A | C:\Windows\System\txVoENQ.exe | N/A |
| N/A | N/A | C:\Windows\System\nJmLrPz.exe | N/A |
| N/A | N/A | C:\Windows\System\wzIhMpY.exe | N/A |
| N/A | N/A | C:\Windows\System\XBHyRtl.exe | N/A |
| N/A | N/A | C:\Windows\System\UFPVxPk.exe | N/A |
| N/A | N/A | C:\Windows\System\jzWsnQK.exe | N/A |
| N/A | N/A | C:\Windows\System\VyEUlPS.exe | N/A |
| N/A | N/A | C:\Windows\System\lblpqCU.exe | N/A |
| N/A | N/A | C:\Windows\System\sQkqFwu.exe | N/A |
| N/A | N/A | C:\Windows\System\RBGKZEF.exe | N/A |
| N/A | N/A | C:\Windows\System\lXIEuQb.exe | N/A |
| N/A | N/A | C:\Windows\System\dyOZnEY.exe | N/A |
| N/A | N/A | C:\Windows\System\ivxKSJq.exe | N/A |
| N/A | N/A | C:\Windows\System\czqRkCv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\THgmydD.exe
C:\Windows\System\THgmydD.exe
C:\Windows\System\gIBJzOJ.exe
C:\Windows\System\gIBJzOJ.exe
C:\Windows\System\kXUkVAP.exe
C:\Windows\System\kXUkVAP.exe
C:\Windows\System\EmMjLKl.exe
C:\Windows\System\EmMjLKl.exe
C:\Windows\System\vGjGHTc.exe
C:\Windows\System\vGjGHTc.exe
C:\Windows\System\wOaguwJ.exe
C:\Windows\System\wOaguwJ.exe
C:\Windows\System\gPZCDlN.exe
C:\Windows\System\gPZCDlN.exe
C:\Windows\System\txVoENQ.exe
C:\Windows\System\txVoENQ.exe
C:\Windows\System\nJmLrPz.exe
C:\Windows\System\nJmLrPz.exe
C:\Windows\System\wzIhMpY.exe
C:\Windows\System\wzIhMpY.exe
C:\Windows\System\XBHyRtl.exe
C:\Windows\System\XBHyRtl.exe
C:\Windows\System\UFPVxPk.exe
C:\Windows\System\UFPVxPk.exe
C:\Windows\System\jzWsnQK.exe
C:\Windows\System\jzWsnQK.exe
C:\Windows\System\VyEUlPS.exe
C:\Windows\System\VyEUlPS.exe
C:\Windows\System\lblpqCU.exe
C:\Windows\System\lblpqCU.exe
C:\Windows\System\sQkqFwu.exe
C:\Windows\System\sQkqFwu.exe
C:\Windows\System\RBGKZEF.exe
C:\Windows\System\RBGKZEF.exe
C:\Windows\System\lXIEuQb.exe
C:\Windows\System\lXIEuQb.exe
C:\Windows\System\dyOZnEY.exe
C:\Windows\System\dyOZnEY.exe
C:\Windows\System\ivxKSJq.exe
C:\Windows\System\ivxKSJq.exe
C:\Windows\System\czqRkCv.exe
C:\Windows\System\czqRkCv.exe
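The process list above is the behavioural signal worth turning into a detection: a binary run from the user's Temp directory spawns twenty-one executables with seven-letter random names directly out of C:\Windows\System, the legacy directory that legitimate binaries never use (they live in System32 or SysWOW64). The SeLockMemoryPrivilege adjustments logged above fit the same picture, since XMRig asks for that privilege to enable large pages for hashing. The following is an added example, not part of the report: it runs over constructed process-creation records modelled on the list above (the parent/child relation and the child PIDs are assumptions; the parent PID 3488 is taken from the memory dump names below) and flags a Temp-resident parent that spawns a burst of such children.

```python
import re
from collections import defaultdict

# Naming pattern of the dropped files in the report: exactly seven letters, mixed case,
# placed directly in C:\Windows\System (legacy directory; legitimate binaries live in
# System32 / SysWOW64).
RANDOM_SYSTEM_EXE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

# Dropped-file names copied from the report's process list.
DROPPED = ["THgmydD", "gIBJzOJ", "kXUkVAP", "EmMjLKl", "vGjGHTc", "wOaguwJ", "gPZCDlN",
           "txVoENQ", "nJmLrPz", "wzIhMpY", "XBHyRtl", "UFPVxPk", "jzWsnQK", "VyEUlPS",
           "lblpqCU", "sQkqFwu", "RBGKZEF", "lXIEuQb", "dyOZnEY", "ivxKSJq", "czqRkCv"]

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-01_4a78149686b8718c843682bfafd03dfc_cobalt-strike_cobaltstrike.exe")

# Constructed process-creation records (Sysmon Event ID 1 style). PIDs other than 3488
# and the parent/child links are assumptions made for this example.
SAMPLE_EVENTS = (
    [{"pid": 3488, "ppid": 2000, "image": DROPPER, "parent_image": r"C:\Windows\explorer.exe"}]
    + [{"pid": 4000 + i, "ppid": 3488, "image": rf"C:\Windows\System\{name}.exe", "parent_image": DROPPER}
       for i, name in enumerate(DROPPED)]
    # Benign control record: a normal service start that must not be flagged.
    + [{"pid": 900, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
        "parent_image": r"C:\Windows\System32\services.exe"}]
)


def is_random_system_exe(image: str) -> bool:
    """True for a seven-letter .exe directly under C:\\Windows\\System."""
    return RANDOM_SYSTEM_EXE.match(image) is not None


def is_temp_image(image: str) -> bool:
    """True when the image runs from a user's %LOCALAPPDATA%\\Temp."""
    return TEMP_DIR.match(image) is not None


def find_dropper_bursts(events, min_children=5):
    """Map parent PID -> sorted child images for every Temp-resident parent that
    spawned at least min_children distinct random-named executables from
    C:\\Windows\\System. Children from other parents are ignored."""
    children = defaultdict(set)
    for ev in events:
        if is_temp_image(ev["parent_image"]) and is_random_system_exe(ev["image"]):
            children[ev["ppid"]].add(ev["image"])
    return {ppid: sorted(imgs) for ppid, imgs in children.items() if len(imgs) >= min_children}


if __name__ == "__main__":
    for ppid, imgs in find_dropper_bursts(SAMPLE_EVENTS).items():
        print(f"parent pid {ppid} spawned {len(imgs)} random-named exes from C:\\Windows\\System")
```

The seven-letter check on its own would also match a few legitimate names, so the detection keys on the combination: a parent in Temp, the legacy System directory, and a burst of distinct children. Tune min_children to the environment; the sample in this report would trip any threshold up to twenty-one.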
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
Files
memory/3488-0-0x00007FF76B400000-0x00007FF76B754000-memory.dmp
memory/3488-1-0x000002991B1E0000-0x000002991B1F0000-memory.dmp
C:\Windows\System\THgmydD.exe
| MD5 | 75319f8c897fdc9c25ba5401423ca493 |
| SHA1 | 2a888e977093361a97e79f06618d50929459955a |
| SHA256 | be1a1d34e7f251dbf6b885da459f11e32879059947c4a058e8fdb54913760eca |
| SHA512 | 22cf692c9ea322a5f045ddf938e37e8c60e57c0fcf018bd20a9fbee316d2e2dba9bc2246d2dd2e401dd06ea838c0da5d2acd3672848d644e3f5a6b8c0766de24 |
memory/4496-8-0x00007FF752DE0000-0x00007FF753134000-memory.dmp
C:\Windows\System\gIBJzOJ.exe
| MD5 | 348c352e8787b0f16bfe1d95797a907c |
| SHA1 | 83176f4e2a842e5ec92ba7f53d9125ffa8829735 |
| SHA256 | 61726c8e43547363d1cda05055d8e1f16312ffee70637b022bdacf5c3b755318 |
| SHA512 | 9aa26fd746d87398dff87744b51e21c66f02b2ee86dbe31a5b4c93ce0ed7a69d5bba5cd91a99637b635ca4646e3e68debfebe4177c8b6b40da04be9b8ac77ed9 |
memory/4536-13-0x00007FF791330000-0x00007FF791684000-memory.dmp
C:\Windows\System\kXUkVAP.exe
| MD5 | 6f26c1b34617e315440f08a73c810c6d |
| SHA1 | f7caaf5107a15a8a831b9614d03c49528a7349d6 |
| SHA256 | 8b28daef17fc83b1da49e9cb189352dc8a6b09eb2eba3fb959b10a185e02dc13 |
| SHA512 | c82d0ed84aa25d7855ebee8c9667c09ed452619f5c56b81f6bcdb8cb22a176b847f45505759dc08231c50269aa36e5afbc04742aeea125883f482e184ed1c249 |
C:\Windows\System\EmMjLKl.exe
| MD5 | 35868b1fb7fd78ea45a1d2222d4d2104 |
| SHA1 | 483a50b51c9b3c4ee58924dbbf756e3376462b84 |
| SHA256 | 7ac94b0d1b6fe5a0141542637ae9f0412cee809226e31ce9b5181efdc695c49e |
| SHA512 | 84faa620dd7bf990c4b5087757e089c508f8c1f8a5c4d449db60a8cfb37a80b6bcf75113bd3beecd382484331baf1b74d309c927233f6bb9dfe58254587a223a |
C:\Windows\System\vGjGHTc.exe
| MD5 | cfc47e90971c794818ffe1e47c98c8bb |
| SHA1 | cb560c3e69e304b8d030bbd9abd83e304fc9965e |
| SHA256 | fb4f90e0afaf66446290b5e7acb7b279118d7a0d6822a0185529916faf2740c7 |
| SHA512 | 2050e69fac16a268a544b7ed0d27356431154a857eedcc2396bb61395a1d9f3923a08e02009546348db781b037015715b81f4f56bf6e2e4bad16a777e82c66ca |
memory/748-30-0x00007FF719300000-0x00007FF719654000-memory.dmp
memory/4920-22-0x00007FF7C4530000-0x00007FF7C4884000-memory.dmp
C:\Windows\System\wOaguwJ.exe
| MD5 | d1aec7595a2c8a780f8eafe7682da821 |
| SHA1 | b7e854846b7544273635227833a53d1123566df0 |
| SHA256 | 56c4858e48b2f61df0ae1d8053e568612caebfe9635cc83e3909599dc47877e8 |
| SHA512 | 1d99501180b55eee705f9e827ecd15b7fd91dec793c2873a8d54e952df6f3a41e996c735a959cb6ba565b3490a632065e4f492c5aa61f65cc1cdcff165382a47 |
C:\Windows\System\txVoENQ.exe
| MD5 | b5e18313ad4f66275601bd7b1c8f47f9 |
| SHA1 | eb0dd5edb30c169741187b9b67ba547dc54d990c |
| SHA256 | 464fdbb641dd2d25ba5389142f5c6291af99e7e9525a378e12199449ed447e8d |
| SHA512 | 8555f09eae80295f34c85136534ab0e42d4606b2f9be8960d1c7b419770a778d8ee30ee664e188317f872af358c03d5dedffda07e2fad42eb9e2fe90a7726b57 |
C:\Windows\System\wzIhMpY.exe
| MD5 | d2839ee0b656c2111c7bc1d77ec65d6c |
| SHA1 | 439184fcad2d9885a4ea90e93d61f8b1716d5018 |
| SHA256 | 327464db84f5ce777126171ad14fb29802792cc315ade2ee1e23a5932d8c3aa2 |
| SHA512 | db4b5059665ef3bac2b7224503eb4ab2b74b4df2585133df864f2e28e1a3b0295f0d1b3df3e5fe815277d7c54d3c253bc91f1665da07ff13f721a3ab04457a01 |
C:\Windows\System\UFPVxPk.exe
| MD5 | 5d36821caf0e9fb46aeedabbe88b1d48 |
| SHA1 | fd580a8b9b54c3de43b817a8f0040d0f47b2e79a |
| SHA256 | 4820b0c97cd729aeadae72fc77879de0c54c3bf70c7aa5f3c742b540250e065e |
| SHA512 | 31ff05e78b7e7a86bedcdc435753ad7b1ecb0ea659dc59ac128bf8bd89d6c6fe15e485975407778690d0dd47f9fc85f8c751e980c972818a02e7d9bc330271df |
C:\Windows\System\jzWsnQK.exe
| MD5 | dc0f4bd22e16e1a71ff73fa13dd5ccc8 |
| SHA1 | b5a70c13ef916cad764ccf811e02136fe5ba621c |
| SHA256 | 25afb732e6d904b25d2e6098360c2a10e71a6b4bf55d5e4bb9ab660ac52d9e37 |
| SHA512 | 6b9aedc79b0dce6c08afd9bad524df6e5ae340e17b5cec128e4e87c8d8b50cbf9ee76945826d0ca2121205e92c7b6fafabaedc786f2b1f4510b6c191d72e2809 |
C:\Windows\System\sQkqFwu.exe
| MD5 | 9a2d899dbcd4725e1180d2c1b05d00ba |
| SHA1 | d521ceca8a36e495a94eab69ae9ed42e59babec4 |
| SHA256 | d63a7b26df900d1edd7788128ee9b24cf99cf7cd7b4394d9e175c47ae548c73b |
| SHA512 | b27c1718210b3c977e8078ef8987ac86cf5b9283d2c19f3a50b0fe04df3c8e655fe3459d7775484d85f7b1b38ae80040c920848f0764aa9185545073d866bd3e |
C:\Windows\System\RBGKZEF.exe
| MD5 | a0543034fae1ac2e62c22ff4609a494f |
| SHA1 | 66be56a5109c0337d9bf3f399f6507dcfb24a381 |
| SHA256 | 5e66b00a1424fd4a14df013261e5d1b813605a1a796c77d7e71ce1ffcdeb2e0e |
| SHA512 | 36ebe770c9afbfe134e3290cf3c67c0053d672bfcfdd64753bfe43459514ea6534eabc1f8bd21298ea9e2904d5a619ee67cafc74e18a7960fcab1299ace5706b |
C:\Windows\System\czqRkCv.exe
| MD5 | 4cf121e0ecfbf73cda9100c15ebfe7ab |
| SHA1 | ac0830c9955f80b7661626695b3802f1bb3ee620 |
| SHA256 | ea6e972976fda5872c976009d17572bfa6a17a7a6204e3f5bb44fa70f87755fd |
| SHA512 | 8e2230c04fe97fabcb320d0e349cb7584e149116c27891d7ec879bb79e49999fa35fc399a67edd7ad53e5b3a287620e54571210140f1806ed5f69a20fdf993ad |
C:\Windows\System\ivxKSJq.exe
| MD5 | a7d25f5166036fb9016dfdb538693190 |
| SHA1 | 12018dd9f25ff555401768dedc6ee5d4c5a5d4e1 |
| SHA256 | 403f253649bac2ffc21811e94039517cb5c0bc07b55fac2492b3caef36a5d9df |
| SHA512 | 1021e76c3a1208424d6b091cd3e1c8cc067517596996a626f6a44fe60ba1d6459cf66f19091d87ad2d9517d51b99655c9579941e99bff7ed818b484f2ef44a1e |
C:\Windows\System\dyOZnEY.exe
| MD5 | c93afb183e72bba0b4a43614b8dc23da |
| SHA1 | 4d94442773263ceefddff0b8748350a6e846f6c0 |
| SHA256 | 8a2f8c9869d5e9aad964296f2881829244de06d2e8e0290d0d046372e3a5aabd |
| SHA512 | b71b1af9701814684e754fe65d7e242b73e0b2215f155aaa9ec0398d619df27548a1d29f8d3f0857d4ff05f56abce6aaf713f321ae28338bb7eb57f8e2bd32d5 |
C:\Windows\System\lXIEuQb.exe
| MD5 | c492a916ba43c3163d3a414c3ed42a39 |
| SHA1 | c7910f5cda281dc8062bdb4e602c8550cdd828dc |
| SHA256 | 7d7360ed11405b98c7b420593c57cc7b04a3b097d5275aed2d6c4940a1f38573 |
| SHA512 | 747468bb70ea84e0f28513196654d104ed7b46ea06db8491b284266cd9cb940666aaefa4ae07a2ca806db19b61cbb68e28ca9fcbc7070cdcd66f0a0cb5e92c98 |
C:\Windows\System\lblpqCU.exe
| MD5 | 8a8130a6aa3807024bc442b5bf25a39e |
| SHA1 | af7e815cc142487a893951d90695be6c9f7ab8bc |
| SHA256 | 576f567a479935a9df02bfcaefc4b710fe06b9385f408471a658fd9d939af1b3 |
| SHA512 | 1849e47419bbf0931b2d65886affbe13e610d236cefe8049c778d5a33984665863f368409fe7f9da57bb3b0d640fac173727195469d741278f1777f68754398d |
C:\Windows\System\VyEUlPS.exe
| MD5 | cf4c5cbc84f7c3a7abb0d67a29e83e21 |
| SHA1 | fdd9ef46cae8b84a6542a82777efddd25fd0b407 |
| SHA256 | 9824efa4258c989b01fdf5bd6f90e8afc4dbe7429c487cce0104b5b061d9b14a |
| SHA512 | 3f77be24c51b6c5a3b046dff27d9b8507ca78b87785216e536b02ab49c9bade358dc554d80c7649960bd74e0706ac4418b500f7adf548eac814e9f7b5e3abfb4 |
C:\Windows\System\XBHyRtl.exe
| MD5 | c303705661228a1a05937667079965cc |
| SHA1 | 2aeacd1f3de911a7cab7f9b5975499c11d4fdbc4 |
| SHA256 | 631d5817452e7aa6ee5178431348b5f3ac748691e6dd780e1e28c5a50d297dd9 |
| SHA512 | 30b1fd3ac4c95afbbf778a4d07c28b1cc38f1fed0f98e364cd490e10d4cf3d86b1ea771f343525c22ebc79b50870ebae03263efe911bbc990d8c0324e0e0a42f |
C:\Windows\System\nJmLrPz.exe
| MD5 | 8275dbc46688b802a429d71d26c02163 |
| SHA1 | e753fc1b7c855c971fc6e7a77f54b82efaffe414 |
| SHA256 | ebcb937f9bf665db3304d8d9cf6c187e301105055fc76dbf528151437acdadc4 |
| SHA512 | 486b13cc7346ff015509b40c7dfa48ea3bea05346fefe8cff883b49eee29ce220c63be724254c6dfafa2258166f0a601aac1fb13ad3f683cf86e82225cf8e49d |
memory/336-43-0x00007FF72B2B0000-0x00007FF72B604000-memory.dmp
C:\Windows\System\gPZCDlN.exe
| MD5 | 1ba742a91defccc81e99362da2f9c5c4 |
| SHA1 | 3a085036fff6f07c8f28d02df8cb5adec98d0016 |
| SHA256 | 0394f6641ee0baccc0f76287f531b30fb363d5644de08919a56cc2d2cb732e53 |
| SHA512 | 274723e15bd6d9a2e087ae7c376c905c61cb59474f4ff262b6a1c8892d036638c2c65692e075b2eaf23241ac5033060fcb8c1b88ee13a944087a33794080ffa2 |
memory/4532-35-0x00007FF69A230000-0x00007FF69A584000-memory.dmp
memory/3884-113-0x00007FF673820000-0x00007FF673B74000-memory.dmp
memory/536-115-0x00007FF749950000-0x00007FF749CA4000-memory.dmp
memory/1000-114-0x00007FF68BE60000-0x00007FF68C1B4000-memory.dmp
memory/452-116-0x00007FF743070000-0x00007FF7433C4000-memory.dmp
memory/4016-117-0x00007FF771260000-0x00007FF7715B4000-memory.dmp
memory/1888-119-0x00007FF7F68B0000-0x00007FF7F6C04000-memory.dmp
memory/3372-118-0x00007FF6B5B80000-0x00007FF6B5ED4000-memory.dmp
memory/3116-120-0x00007FF70C280000-0x00007FF70C5D4000-memory.dmp
memory/4936-122-0x00007FF7DA140000-0x00007FF7DA494000-memory.dmp
memory/4864-123-0x00007FF6331D0000-0x00007FF633524000-memory.dmp
memory/4784-121-0x00007FF7ED690000-0x00007FF7ED9E4000-memory.dmp
memory/2160-124-0x00007FF7B35F0000-0x00007FF7B3944000-memory.dmp
memory/4428-125-0x00007FF697830000-0x00007FF697B84000-memory.dmp
memory/4528-126-0x00007FF70C330000-0x00007FF70C684000-memory.dmp
memory/376-127-0x00007FF7CBF20000-0x00007FF7CC274000-memory.dmp
memory/3488-128-0x00007FF76B400000-0x00007FF76B754000-memory.dmp
memory/4536-129-0x00007FF791330000-0x00007FF791684000-memory.dmp
memory/748-130-0x00007FF719300000-0x00007FF719654000-memory.dmp
memory/336-131-0x00007FF72B2B0000-0x00007FF72B604000-memory.dmp
memory/4496-132-0x00007FF752DE0000-0x00007FF753134000-memory.dmp
memory/4536-133-0x00007FF791330000-0x00007FF791684000-memory.dmp
memory/4920-134-0x00007FF7C4530000-0x00007FF7C4884000-memory.dmp
memory/4532-135-0x00007FF69A230000-0x00007FF69A584000-memory.dmp
memory/748-136-0x00007FF719300000-0x00007FF719654000-memory.dmp
memory/336-137-0x00007FF72B2B0000-0x00007FF72B604000-memory.dmp
memory/3884-139-0x00007FF673820000-0x00007FF673B74000-memory.dmp
memory/376-138-0x00007FF7CBF20000-0x00007FF7CC274000-memory.dmp
memory/4016-140-0x00007FF771260000-0x00007FF7715B4000-memory.dmp
memory/3372-144-0x00007FF6B5B80000-0x00007FF6B5ED4000-memory.dmp
memory/1000-143-0x00007FF68BE60000-0x00007FF68C1B4000-memory.dmp
memory/1888-145-0x00007FF7F68B0000-0x00007FF7F6C04000-memory.dmp
memory/536-142-0x00007FF749950000-0x00007FF749CA4000-memory.dmp
memory/452-141-0x00007FF743070000-0x00007FF7433C4000-memory.dmp
memory/4428-146-0x00007FF697830000-0x00007FF697B84000-memory.dmp
memory/4936-151-0x00007FF7DA140000-0x00007FF7DA494000-memory.dmp
memory/4784-152-0x00007FF7ED690000-0x00007FF7ED9E4000-memory.dmp
memory/4864-150-0x00007FF6331D0000-0x00007FF633524000-memory.dmp
memory/2160-149-0x00007FF7B35F0000-0x00007FF7B3944000-memory.dmp
memory/4528-148-0x00007FF70C330000-0x00007FF70C684000-memory.dmp
memory/3116-147-0x00007FF70C280000-0x00007FF70C5D4000-memory.dmp
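Two things in the Network and Files sections above are easy to miss when reading by eye: the only destination contacted by IP with no resolved name and on a non-standard port is 3.120.209.58:8080 (everything else is Google DNS PTR lookups and Bing endpoints), and every dropped file carries a different hash while every memory dump spans the same 0x354000 bytes, i.e. the same image size under different file content. The following is an added example, not part of the report: a parser for the report's own text layout (path line followed by hash rows, memory/<pid>-<n>-<start>-<end>-memory.dmp lines, and the network table, including the rows where the protocol sits in the Domain column) that extracts IOCs and computes those two facts from an excerpt of the page embedded below.

```python
import re
from collections import Counter

# Excerpt of the report above, embedded so the example runs offline. The values are copied
# from the page; the layout is the report's own, including the misaligned direct-to-IP rows.
REPORT = r"""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
Files
memory/3488-0-0x00007FF76B400000-0x00007FF76B754000-memory.dmp
C:\Windows\System\THgmydD.exe
| MD5 | 75319f8c897fdc9c25ba5401423ca493 |
| SHA256 | be1a1d34e7f251dbf6b885da459f11e32879059947c4a058e8fdb54913760eca |
memory/4496-8-0x00007FF752DE0000-0x00007FF753134000-memory.dmp
C:\Windows\System\gIBJzOJ.exe
| MD5 | 348c352e8787b0f16bfe1d95797a907c |
| SHA256 | 61726c8e43547363d1cda05055d8e1f16312ffee70637b022bdacf5c3b755318 |
"""

MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$")


def parse_files(text):
    """path -> {hash name: value}. Hash rows attach to the most recent path line."""
    files, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1).lower()] = m.group(2)
    return files


def parse_memory_regions(text):
    """[(pid, start, size)] with size computed from the dump's address range."""
    regions = []
    for line in text.splitlines():
        m = MEM_RE.match(line.strip())
        if m:
            pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            regions.append((pid, start, end - start))
    return regions


def parse_network(text):
    """Table rows as dicts. A row whose Proto cell is empty and whose Domain cell holds
    tcp/udp (the report's layout for connections without a resolved name) is realigned."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain in ("tcp", "udp"):
            domain, proto = "", domain
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def direct_ip_destinations(rows):
    """TCP destinations contacted with no resolved domain: the ones to look at first."""
    return sorted({r["dest"] for r in rows if r["domain"] == "" and r["proto"] == "tcp"})


def image_size_histogram(regions):
    """Counter of mapped image sizes; one dominant size across PIDs means one payload."""
    return Counter(size for _, _, size in regions)


if __name__ == "__main__":
    files = parse_files(REPORT)
    print(f"{len(files)} dropped files, {len({f['sha256'] for f in files.values()})} distinct SHA256")
    print("direct-to-IP:", direct_ip_destinations(parse_network(REPORT)))
    print("image sizes:", {hex(k): v for k, v in image_size_histogram(parse_memory_regions(REPORT)).items()})
```

Run against the full page the same functions return all twenty-one file hashes and the single 3.120.209.58:8080 destination; the hash set is the block-list material, the repeated 0x354000 image size is the clue that one payload is being re-dropped under changing content, so a detection keyed on file hashes alone will miss the next drop while one keyed on the process pattern and the destination will not.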