Analysis Overview
SHA256
1c9dc5c9e0599ee12ddb7980edbc543501f37b6d7bc8a80a97337fdbe9ac2965
Threat Level: Known bad
The file 2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Xmrig family
xmrig
Cobaltstrike
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike family
XMRig Miner payload
UPX dump on OEP (original entry point)
XMRig Miner payload
Detects Reflective DLL injection artifacts
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 11:10
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 11:10
Reported
2024-06-01 11:12
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ClUQyLV.exe | N/A |
| N/A | N/A | C:\Windows\System\nIwjFPk.exe | N/A |
| N/A | N/A | C:\Windows\System\LChICbg.exe | N/A |
| N/A | N/A | C:\Windows\System\igpBVPj.exe | N/A |
| N/A | N/A | C:\Windows\System\JoxfHYX.exe | N/A |
| N/A | N/A | C:\Windows\System\taxWioa.exe | N/A |
| N/A | N/A | C:\Windows\System\zxXppEx.exe | N/A |
| N/A | N/A | C:\Windows\System\dWuBpej.exe | N/A |
| N/A | N/A | C:\Windows\System\BjyLQxu.exe | N/A |
| N/A | N/A | C:\Windows\System\Oypyrub.exe | N/A |
| N/A | N/A | C:\Windows\System\mgFuxQh.exe | N/A |
| N/A | N/A | C:\Windows\System\JcUZrNY.exe | N/A |
| N/A | N/A | C:\Windows\System\otZYKAW.exe | N/A |
| N/A | N/A | C:\Windows\System\FVLchfs.exe | N/A |
| N/A | N/A | C:\Windows\System\RIYArul.exe | N/A |
| N/A | N/A | C:\Windows\System\mTZGICu.exe | N/A |
| N/A | N/A | C:\Windows\System\oUZuuot.exe | N/A |
| N/A | N/A | C:\Windows\System\XmheTyK.exe | N/A |
| N/A | N/A | C:\Windows\System\IvgshXj.exe | N/A |
| N/A | N/A | C:\Windows\System\HUGsjGz.exe | N/A |
| N/A | N/A | C:\Windows\System\nnsHtob.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ClUQyLV.exe
C:\Windows\System\ClUQyLV.exe
C:\Windows\System\nIwjFPk.exe
C:\Windows\System\nIwjFPk.exe
C:\Windows\System\LChICbg.exe
C:\Windows\System\LChICbg.exe
C:\Windows\System\igpBVPj.exe
C:\Windows\System\igpBVPj.exe
C:\Windows\System\JoxfHYX.exe
C:\Windows\System\JoxfHYX.exe
C:\Windows\System\taxWioa.exe
C:\Windows\System\taxWioa.exe
C:\Windows\System\zxXppEx.exe
C:\Windows\System\zxXppEx.exe
C:\Windows\System\dWuBpej.exe
C:\Windows\System\dWuBpej.exe
C:\Windows\System\BjyLQxu.exe
C:\Windows\System\BjyLQxu.exe
C:\Windows\System\Oypyrub.exe
C:\Windows\System\Oypyrub.exe
C:\Windows\System\mgFuxQh.exe
C:\Windows\System\mgFuxQh.exe
C:\Windows\System\JcUZrNY.exe
C:\Windows\System\JcUZrNY.exe
C:\Windows\System\otZYKAW.exe
C:\Windows\System\otZYKAW.exe
C:\Windows\System\FVLchfs.exe
C:\Windows\System\FVLchfs.exe
C:\Windows\System\RIYArul.exe
C:\Windows\System\RIYArul.exe
C:\Windows\System\mTZGICu.exe
C:\Windows\System\mTZGICu.exe
C:\Windows\System\oUZuuot.exe
C:\Windows\System\oUZuuot.exe
C:\Windows\System\XmheTyK.exe
C:\Windows\System\XmheTyK.exe
C:\Windows\System\IvgshXj.exe
C:\Windows\System\IvgshXj.exe
C:\Windows\System\HUGsjGz.exe
C:\Windows\System\HUGsjGz.exe
C:\Windows\System\nnsHtob.exe
C:\Windows\System\nnsHtob.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/1060-0-0x00007FF7208C0000-0x00007FF720C14000-memory.dmp
memory/1060-1-0x0000016EABD80000-0x0000016EABD90000-memory.dmp
C:\Windows\System\ClUQyLV.exe
| MD5 | 720efed83f7250bd39b9a9438952c1c3 |
| SHA1 | a2d8c03a60ec0d71fe41dff6e8c8500c92438293 |
| SHA256 | 4007f31ca08129c7dcd663fe7044e4852638b84614b86d3f1a625fac409c9144 |
| SHA512 | eba68e2e1967d30719a70dcb6fe4a2ef68c5607649e12947c896baf1076e1a2a7455b09287142b6d4c77e8c49f03d0a7ad7691a0c7e32ed0c2d35ee72a7da623 |
memory/4056-8-0x00007FF742C60000-0x00007FF742FB4000-memory.dmp
C:\Windows\System\LChICbg.exe
| MD5 | cf50e281e240fb32a0fd01268baaff1e |
| SHA1 | 3246e614147956ce34f5347654fd87ca8539985e |
| SHA256 | 576e164e314bafaaf10ae9adbfe19c4bc06379bd78440dc8408d58ce29a70bc8 |
| SHA512 | 33634a5fd4c5891b1f1a8a8d30ac64332042191948ead6816d005fcb9d33176ed4abbef759d26e3e7f53cd74437d1e2b1e818e1c000bceb06a00af6b28a9d55f |
C:\Windows\System\nIwjFPk.exe
| MD5 | 6128719134a2cbf55be639e8adb1bc54 |
| SHA1 | 15c4096e40e2330405206f4f095c07c7d34759a1 |
| SHA256 | 371fa14192f361bea47e406fb3b547c8173d803b11c9f6353eed3cfbf05e2a85 |
| SHA512 | 21798c8d7bd1cb5b696dc921e45c05c806689b77251f6ed7ccdcbbad247d8a5396c17b1b0a1b50f7b6186b2e4d9f2614a962b22d3914dd4f77110e7680bdcc4b |
C:\Windows\System\igpBVPj.exe
| MD5 | 1a919f49abe5b579ecb03b655dcf2c92 |
| SHA1 | 324de2503d26883f5105913b4bb76f89ed4e1005 |
| SHA256 | 21250c9d91fc02774a16f85f806f770b3c59081211edd318e7f8f4f26f7a8276 |
| SHA512 | 81ba2b2b1b5d84120ead638b1210d1a7cf50cd4206486f1b98e7c32e11d92391556b61b17c1b5d1a72696c8e09b11af51048859bc97c7ed4bc559b2b48a82df5 |
C:\Windows\System\JoxfHYX.exe
| MD5 | 168771d618abcf4c5a042d9bb5641bad |
| SHA1 | 261c5e06850adb3464a80bca23e74e7a652c96c3 |
| SHA256 | 2509b7674c3d1abbd5d8ea9e376a7a8eaae5c2c526f17a92cb57217d5577ac74 |
| SHA512 | c3d8b0704ed1b70c3a964a710bdcd7212bfe4f91fb4e3d290539b3678596ce7914acf40509f99583b32ed7c4bd40b48b712b0a7a71ccd5393d49fc003824af97 |
memory/2620-29-0x00007FF73F590000-0x00007FF73F8E4000-memory.dmp
memory/2816-30-0x00007FF656B70000-0x00007FF656EC4000-memory.dmp
memory/3604-20-0x00007FF6AB260000-0x00007FF6AB5B4000-memory.dmp
memory/3504-14-0x00007FF623FA0000-0x00007FF6242F4000-memory.dmp
C:\Windows\System\taxWioa.exe
| MD5 | 3367e7dc53cecd41b1ad7e4a46f8b1e4 |
| SHA1 | dd811ecea307fe1ee809557e70000bf65ab05c40 |
| SHA256 | 91b4574d8bab8dda1294139dfb298de062e5a2dda39094c180aad9c5a44de08d |
| SHA512 | deed06030a05f51945103692560fe4731aae1fb25843cee7d18e14227a763070703b496015cb4d9345fa5046df2e0909afec73850e9b35395b3db9d397699325 |
memory/2004-38-0x00007FF725920000-0x00007FF725C74000-memory.dmp
C:\Windows\System\zxXppEx.exe
| MD5 | 5f1b11c62a6274cf20f745daefd8f2d0 |
| SHA1 | 15e96b5e75cc54e27f91b2d775a6487b8ac8bbca |
| SHA256 | 4a956f7c3fbfc7959b45ca09a6e10b67a84c5265654e8316f0e3af3cc9299986 |
| SHA512 | df78d75a628544b18fb7acd3b5ca8ea73a5057c45b5b9a52618d8d59f7d8a5fa5163baf19561838b125372ac2f74545315c8df93a60c828e022116c9f0fbbe09 |
C:\Windows\System\dWuBpej.exe
| MD5 | 1d5e7d8345fe0a6c501aca4e28b84952 |
| SHA1 | 4f1cfb0bd415caaf4b72b1792ec585f3c333eff8 |
| SHA256 | 81ae9fbf6e42c03d052dce3b2480ec0c00d913ac23380b5d6d014bd81125a23a |
| SHA512 | 5787f0a099ba1a892dac123225b2ef5b3fbeae30189164329c11fc046c14c784cdc45cceeb6ca8fd59020fcff5262a517ead32b7cd4896679814ffff5a3995d7 |
memory/4980-43-0x00007FF7CEE70000-0x00007FF7CF1C4000-memory.dmp
memory/1748-50-0x00007FF6A9DB0000-0x00007FF6AA104000-memory.dmp
C:\Windows\System\BjyLQxu.exe
| MD5 | b68961278f58c2e6ae545c9f65e29444 |
| SHA1 | 5b9e5d2d252dbce03e9d9e6a34553b379d1be052 |
| SHA256 | d5b94f4364c1dd93858ad51f5c7593eb0929f9839d8c49cdc850ae24c067111e |
| SHA512 | 2778953151c77c343a5780aead9a229b739894dead6013bf52691b93713d7daae61aadeb730ab5053c606986b0ad9dd757dc1e6da68a7a8fe23504527b31c56e |
memory/3388-56-0x00007FF7538E0000-0x00007FF753C34000-memory.dmp
C:\Windows\System\Oypyrub.exe
| MD5 | eebbc4a3862ebf9ff174e0bf2cec34b6 |
| SHA1 | 8bdde4ac2dbe0ab540d0368425e5692219782994 |
| SHA256 | 4f385677d571377e65488dac25eae6da6d4099d398ae04e2fdc5331c714a8f9f |
| SHA512 | 0d1057ec7dabd7789c5d4842f6d368eb67915582dc6aba36e521599f83c6f89e56a8fd63b3eb78ef6493b0f350661257bb9e2350e6f0031d7a3458d4780f2757 |
C:\Windows\System\mgFuxQh.exe
| MD5 | 898fd6bc130e59b87343e3dacaaf9c6d |
| SHA1 | 99164e623fbe6af0bbda6dfaa92dbb926e9b5d1b |
| SHA256 | 6ceda3d14b582fe8fbf375c1d1c04771f44a123a6e782e54d02a972dce716153 |
| SHA512 | e9a1b3489accfbde00ba2c86e30568bf409ff47b75f3efe06927feb2b8686ec76eec6b7a2206b587cdff9bb85472731d220bb409bb0ccf454483d474e2c10e49 |
memory/1060-66-0x00007FF7208C0000-0x00007FF720C14000-memory.dmp
C:\Windows\System\JcUZrNY.exe
| MD5 | 93b5f916ee4cc428998e01f8c6375070 |
| SHA1 | 7ba7889d44a297279952e4eaf9cdb9fbc690ba23 |
| SHA256 | c4eabedd31b53e951420f3ba4009fc2601d1fa3aa006a09d2e9664194c8ad325 |
| SHA512 | 3853ab66ee30979b02018529b276c546ed5968c0b167493b026f07ab07ebb0cf0d614519e6ae636bd900d75d8d767d9c15662f9f7de44c52dd5a118805ef6d1a |
memory/2212-73-0x00007FF6BEDC0000-0x00007FF6BF114000-memory.dmp
memory/1400-67-0x00007FF663BC0000-0x00007FF663F14000-memory.dmp
memory/4604-62-0x00007FF613CE0000-0x00007FF614034000-memory.dmp
C:\Windows\System\otZYKAW.exe
| MD5 | 6d1573839ba65e5647fcc8b98b424ffe |
| SHA1 | 0c939cb8a31e905b3a569ae65c464a9d15315335 |
| SHA256 | a925aa7de234cc586e6c5138cabc4eb1fead9891e7e7e3c6bedafb591278f02b |
| SHA512 | 48859041ca465a46dd253f4c749818b065d4a68c39b64cdbee38dac692513a858db4e658b6c92f9b5c7d7bb711876fbd7e12a09f47599857d45ff333a0e359e6 |
C:\Windows\System\FVLchfs.exe
| MD5 | f00ff2c0e0111e3cd2e322b8954f0fc1 |
| SHA1 | 3b8519aed036603f7bcd4b1e8ace9ff5001e97c0 |
| SHA256 | 7e5a9febeb3aa6c5e84191d98d3d613d2ed79b1a0bb24c439e4c98d5b567b90f |
| SHA512 | a311dc89ccb0af958f358293f99ce8ecd277de8b54a6274a7ca8c18249045591c1659655c99410dd8b33364c8eb8df57375f168ccb713533c15f7fd74458e0cc |
memory/4340-83-0x00007FF7A5E20000-0x00007FF7A6174000-memory.dmp
memory/4728-87-0x00007FF790DD0000-0x00007FF791124000-memory.dmp
C:\Windows\System\RIYArul.exe
| MD5 | 64aab9e81f9af4338c2be277cfcdfa22 |
| SHA1 | 4f75bea3e6f8e322e71d2a1a9449f3626f778c58 |
| SHA256 | 3b12970f858cd0e7359a6bc5d2f2cc884f4b7d23b2fd3d15a9408e24ba7ef84e |
| SHA512 | 0c73cd58c6b236b3aa678b0bf7b95fd1678c4db9d278c444f82678977714484d89e7c0ed9622070c7a15ab3d3949651f4625ed5a84d6d60d797e79078749de68 |
memory/4456-97-0x00007FF6D1AB0000-0x00007FF6D1E04000-memory.dmp
memory/2004-98-0x00007FF725920000-0x00007FF725C74000-memory.dmp
C:\Windows\System\mTZGICu.exe
| MD5 | 8fad9628694958105527ccea1a071946 |
| SHA1 | cd367a0d2b9f722c7df8831bd01c0e6eff642a1f |
| SHA256 | 4fd7b1621f6f4616c52162ae2b1a0ca6a8aee4d975676f4ffc93d624d36d7526 |
| SHA512 | 56f07ad52c7fcd65c6c9fb1a14e27852e23a56bb50c9c1bea8877ba5395dec1c03b5df25f91552967c4264f82cf39cd1446066cc5fae9e158c17375d1abb8344 |
memory/3784-99-0x00007FF6EDAC0000-0x00007FF6EDE14000-memory.dmp
memory/2816-93-0x00007FF656B70000-0x00007FF656EC4000-memory.dmp
C:\Windows\System\oUZuuot.exe
| MD5 | 310266ad939a995b53058f74abbfaa6d |
| SHA1 | 52825dc1bf87b41180acac3f5263da9b24747ca1 |
| SHA256 | f404d4c402a85380203d8fe7212013373ff84ac60a2e4127132ceade642f98c0 |
| SHA512 | fdf1b6fc440c5af7a46ffab646987b2d5045c66999cfea09399a69acef204ea025b89c89221829b939c2fbc30e47807b924feccfdfb343f8f6a6ddec5176a5fa |
C:\Windows\System\XmheTyK.exe
| MD5 | 808157beef9c9a61d969f4d1fb92887e |
| SHA1 | e8994b2f892437fa4512f63f4cbb14f90bd3b2fd |
| SHA256 | 1d41515ba7f3c6a4a6bcfbe41fd513336e9a7914122cbafba9c4a7daf8066db7 |
| SHA512 | 5c11fef2b6b2d81e5005d0610114126832dabe817132d2e5c0b61e6e68bce58c2eb54be64617d780e453267446f96c1184c920f338a7d8cd4099e54fe5ad5a98 |
C:\Windows\System\IvgshXj.exe
| MD5 | 4146ef7e7e83fc48dcc3c0af4083942a |
| SHA1 | 83f87f25b20c60d0f6925cbee87b2517bb1bed4c |
| SHA256 | e082aae594a1205e8c43936904f04b5f3fa57750fca561d3479618589bb8bcc3 |
| SHA512 | ea75af17d9b2edffb65a0a8204298aee658b3fabe4b84ff4112d93ebd6c6e2806e54e95bfdd7155ce34010d0876b32f8141a8f47cd0c51a1463f1666affc1874 |
memory/880-108-0x00007FF76EC10000-0x00007FF76EF64000-memory.dmp
memory/4980-107-0x00007FF7CEE70000-0x00007FF7CF1C4000-memory.dmp
memory/2240-119-0x00007FF6EAB80000-0x00007FF6EAED4000-memory.dmp
memory/2956-125-0x00007FF64EF40000-0x00007FF64F294000-memory.dmp
C:\Windows\System\nnsHtob.exe
| MD5 | 5edd1c39b9d81ca671fbb2c0431e26c9 |
| SHA1 | 4eec64884efa801857c55cc7c57116f799d6ccf3 |
| SHA256 | db61fdd96ddbb17b193b26985b82dc9da041f319e106fb62e8200e106ca43c86 |
| SHA512 | 7237490e53f0e782683c18bc68990d2d7d3e0580578081a941bc2ed8b0cf1c96dcecd01357360d367a2d7d43dbf458d43c1d8bd3a71482b918e4233b73d93a84 |
C:\Windows\System\HUGsjGz.exe
| MD5 | d7efd64af4c2ea5244fb65380e288b7d |
| SHA1 | 0e422682d358e9a17e7eb3abd0279e6b0e26b3a9 |
| SHA256 | 59ef90ffc641f8571aec5bebdfc0f8a92f03ff7017f2719fd78ddfe2174548fe |
| SHA512 | 27b193a41c596713219b9a3634515022da362ccced22332dd91e3777d6535c0c5cc0efe5896cb26ed0fabf000de9319d288c0a399e889f14829c8e6389641412 |
memory/1748-118-0x00007FF6A9DB0000-0x00007FF6AA104000-memory.dmp
memory/3452-131-0x00007FF6FB1A0000-0x00007FF6FB4F4000-memory.dmp
memory/1924-132-0x00007FF670BE0000-0x00007FF670F34000-memory.dmp
memory/4604-133-0x00007FF613CE0000-0x00007FF614034000-memory.dmp
memory/1400-134-0x00007FF663BC0000-0x00007FF663F14000-memory.dmp
memory/2212-135-0x00007FF6BEDC0000-0x00007FF6BF114000-memory.dmp
memory/3784-136-0x00007FF6EDAC0000-0x00007FF6EDE14000-memory.dmp
memory/880-137-0x00007FF76EC10000-0x00007FF76EF64000-memory.dmp
memory/4056-138-0x00007FF742C60000-0x00007FF742FB4000-memory.dmp
memory/3504-139-0x00007FF623FA0000-0x00007FF6242F4000-memory.dmp
memory/3604-140-0x00007FF6AB260000-0x00007FF6AB5B4000-memory.dmp
memory/2620-141-0x00007FF73F590000-0x00007FF73F8E4000-memory.dmp
memory/2816-142-0x00007FF656B70000-0x00007FF656EC4000-memory.dmp
memory/2004-143-0x00007FF725920000-0x00007FF725C74000-memory.dmp
memory/4980-144-0x00007FF7CEE70000-0x00007FF7CF1C4000-memory.dmp
memory/1748-145-0x00007FF6A9DB0000-0x00007FF6AA104000-memory.dmp
memory/3388-146-0x00007FF7538E0000-0x00007FF753C34000-memory.dmp
memory/4604-147-0x00007FF613CE0000-0x00007FF614034000-memory.dmp
memory/1400-148-0x00007FF663BC0000-0x00007FF663F14000-memory.dmp
memory/2212-149-0x00007FF6BEDC0000-0x00007FF6BF114000-memory.dmp
memory/4340-150-0x00007FF7A5E20000-0x00007FF7A6174000-memory.dmp
memory/4728-151-0x00007FF790DD0000-0x00007FF791124000-memory.dmp
memory/4456-152-0x00007FF6D1AB0000-0x00007FF6D1E04000-memory.dmp
memory/3784-153-0x00007FF6EDAC0000-0x00007FF6EDE14000-memory.dmp
memory/2240-154-0x00007FF6EAB80000-0x00007FF6EAED4000-memory.dmp
memory/2956-155-0x00007FF64EF40000-0x00007FF64F294000-memory.dmp
memory/880-156-0x00007FF76EC10000-0x00007FF76EF64000-memory.dmp
memory/1924-157-0x00007FF670BE0000-0x00007FF670F34000-memory.dmp
memory/3452-158-0x00007FF6FB1A0000-0x00007FF6FB4F4000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 11:10
Reported
2024-06-01 11:12
Platform
win7-20240220-en
Max time kernel
139s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FVwDRmN.exe | N/A |
| N/A | N/A | C:\Windows\System\IrqjHyZ.exe | N/A |
| N/A | N/A | C:\Windows\System\tuInTmj.exe | N/A |
| N/A | N/A | C:\Windows\System\IgTMqqd.exe | N/A |
| N/A | N/A | C:\Windows\System\ZXuScya.exe | N/A |
| N/A | N/A | C:\Windows\System\vscKwWm.exe | N/A |
| N/A | N/A | C:\Windows\System\IiUZhmG.exe | N/A |
| N/A | N/A | C:\Windows\System\wlfxmoE.exe | N/A |
| N/A | N/A | C:\Windows\System\DTyawPo.exe | N/A |
| N/A | N/A | C:\Windows\System\aZGGAyD.exe | N/A |
| N/A | N/A | C:\Windows\System\IslTkDc.exe | N/A |
| N/A | N/A | C:\Windows\System\JCQPXwP.exe | N/A |
| N/A | N/A | C:\Windows\System\nBpkeNQ.exe | N/A |
| N/A | N/A | C:\Windows\System\hiQHnKH.exe | N/A |
| N/A | N/A | C:\Windows\System\QgBxnJV.exe | N/A |
| N/A | N/A | C:\Windows\System\vzFKPmx.exe | N/A |
| N/A | N/A | C:\Windows\System\FUmlYKZ.exe | N/A |
| N/A | N/A | C:\Windows\System\UrMebXX.exe | N/A |
| N/A | N/A | C:\Windows\System\uVYFfqA.exe | N/A |
| N/A | N/A | C:\Windows\System\WEoWYCE.exe | N/A |
| N/A | N/A | C:\Windows\System\zhAeAzA.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_41ec72377d00c3a00d9ccdfd7a40af44_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\FVwDRmN.exe | C:\Windows\System\FVwDRmN.exe |
| C:\Windows\System\IrqjHyZ.exe | C:\Windows\System\IrqjHyZ.exe |
| C:\Windows\System\tuInTmj.exe | C:\Windows\System\tuInTmj.exe |
| C:\Windows\System\IgTMqqd.exe | C:\Windows\System\IgTMqqd.exe |
| C:\Windows\System\ZXuScya.exe | C:\Windows\System\ZXuScya.exe |
| C:\Windows\System\vscKwWm.exe | C:\Windows\System\vscKwWm.exe |
| C:\Windows\System\IiUZhmG.exe | C:\Windows\System\IiUZhmG.exe |
| C:\Windows\System\wlfxmoE.exe | C:\Windows\System\wlfxmoE.exe |
| C:\Windows\System\DTyawPo.exe | C:\Windows\System\DTyawPo.exe |
| C:\Windows\System\aZGGAyD.exe | C:\Windows\System\aZGGAyD.exe |
| C:\Windows\System\IslTkDc.exe | C:\Windows\System\IslTkDc.exe |
| C:\Windows\System\JCQPXwP.exe | C:\Windows\System\JCQPXwP.exe |
| C:\Windows\System\nBpkeNQ.exe | C:\Windows\System\nBpkeNQ.exe |
| C:\Windows\System\hiQHnKH.exe | C:\Windows\System\hiQHnKH.exe |
| C:\Windows\System\QgBxnJV.exe | C:\Windows\System\QgBxnJV.exe |
| C:\Windows\System\vzFKPmx.exe | C:\Windows\System\vzFKPmx.exe |
| C:\Windows\System\FUmlYKZ.exe | C:\Windows\System\FUmlYKZ.exe |
| C:\Windows\System\UrMebXX.exe | C:\Windows\System\UrMebXX.exe |
| C:\Windows\System\uVYFfqA.exe | C:\Windows\System\uVYFfqA.exe |
| C:\Windows\System\WEoWYCE.exe | C:\Windows\System\WEoWYCE.exe |
| C:\Windows\System\zhAeAzA.exe | C:\Windows\System\zhAeAzA.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files