Malware Analysis Report

2024-10-24 18:16

Sample ID 240607-awa4psfe49
Target 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike
SHA256 f160177f543ca6ab008a5b1701414de51726e418b5e3a27b73048776d235ee42
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f160177f543ca6ab008a5b1701414de51726e418b5e3a27b73048776d235ee42

Threat Level: Known bad

The file 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

Cobaltstrike

Detects Reflective DLL injection artifacts

xmrig

Cobaltstrike family

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Xmrig family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-07 00:33

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 00:33

Reported

2024-06-07 00:41

Platform

win7-20231129-en

Max time kernel

133s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(4 rows, all fields N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(4 rows, all fields N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(29 rows, all fields N/A)

XMRig Miner payload

miner
Description Indicator Process Target
(43 rows, all fields N/A)

Loads dropped DLL

Description Indicator Process Target
(21 rows; Process is C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe in every row, Description, Indicator and Target N/A)

UPX packed file

upx
Description Indicator Process Target
(47 rows, all fields N/A)

Drops file in Windows directory

Description Indicator Process Target
Description "File created" in every row; Process is C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe in every row; Indicator and Target N/A. One row per file created (21 rows):
C:\Windows\System\UaRkdvH.exe
C:\Windows\System\KmDBUtn.exe
C:\Windows\System\StPcVvv.exe
C:\Windows\System\CWWDuIR.exe
C:\Windows\System\MVnNppt.exe
C:\Windows\System\pORdPTn.exe
C:\Windows\System\ssKIOYz.exe
C:\Windows\System\UHAiqUV.exe
C:\Windows\System\xcWJwgA.exe
C:\Windows\System\nduGlfI.exe
C:\Windows\System\GiTBmZi.exe
C:\Windows\System\FJygThd.exe
C:\Windows\System\ZWWHgvh.exe
C:\Windows\System\LVYHduv.exe
C:\Windows\System\yLvXuyS.exe
C:\Windows\System\AUWiRwX.exe
C:\Windows\System\hgRgYao.exe
C:\Windows\System\LpyUcog.exe
C:\Windows\System\NvgScMj.exe
C:\Windows\System\auNCmEh.exe
C:\Windows\System\FpWkxbn.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Process is C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe (PID 2060) in every row; Indicator N/A. Three "PID 2060 wrote to memory of <target PID>" rows were recorded for each target (63 rows in total), one target per dropped executable:
PID 2744 C:\Windows\System\ZWWHgvh.exe
PID 3044 C:\Windows\System\ssKIOYz.exe
PID 2132 C:\Windows\System\LVYHduv.exe
PID 1944 C:\Windows\System\UHAiqUV.exe
PID 2596 C:\Windows\System\xcWJwgA.exe
PID 2668 C:\Windows\System\AUWiRwX.exe
PID 2712 C:\Windows\System\nduGlfI.exe
PID 2872 C:\Windows\System\hgRgYao.exe
PID 2820 C:\Windows\System\GiTBmZi.exe
PID 2488 C:\Windows\System\UaRkdvH.exe
PID 2456 C:\Windows\System\FJygThd.exe
PID 1524 C:\Windows\System\KmDBUtn.exe
PID 1252 C:\Windows\System\LpyUcog.exe
PID 2804 C:\Windows\System\NvgScMj.exe
PID 2828 C:\Windows\System\auNCmEh.exe
PID 1436 C:\Windows\System\MVnNppt.exe
PID 636 C:\Windows\System\pORdPTn.exe
PID 1572 C:\Windows\System\FpWkxbn.exe
PID 772 C:\Windows\System\StPcVvv.exe
PID 2736 C:\Windows\System\yLvXuyS.exe
PID 2752 C:\Windows\System\CWWDuIR.exe

Processes

Parent process: C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe"

Child processes (21; for each, the recorded command line is identical to the executable path):
C:\Windows\System\ZWWHgvh.exe
C:\Windows\System\ssKIOYz.exe
C:\Windows\System\LVYHduv.exe
C:\Windows\System\UHAiqUV.exe
C:\Windows\System\xcWJwgA.exe
C:\Windows\System\AUWiRwX.exe
C:\Windows\System\nduGlfI.exe
C:\Windows\System\hgRgYao.exe
C:\Windows\System\GiTBmZi.exe
C:\Windows\System\UaRkdvH.exe
C:\Windows\System\FJygThd.exe
C:\Windows\System\KmDBUtn.exe
C:\Windows\System\LpyUcog.exe
C:\Windows\System\NvgScMj.exe
C:\Windows\System\auNCmEh.exe
C:\Windows\System\MVnNppt.exe
C:\Windows\System\pORdPTn.exe
C:\Windows\System\FpWkxbn.exe
C:\Windows\System\StPcVvv.exe
C:\Windows\System\yLvXuyS.exe
C:\Windows\System\CWWDuIR.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none recorded) tcp
(6 identical connection rows)

Files

Dropped executables recorded under C:\Windows\system\ and \Windows\system\ (one entry per path as listed by the sandbox):
C:\Windows\system\ssKIOYz.exe
C:\Windows\system\LVYHduv.exe
C:\Windows\system\hgRgYao.exe
\Windows\system\hgRgYao.exe
\Windows\system\GiTBmZi.exe
C:\Windows\system\KmDBUtn.exe
\Windows\system\NvgScMj.exe
C:\Windows\system\MVnNppt.exe
C:\Windows\system\CWWDuIR.exe
\Windows\system\CWWDuIR.exe
C:\Windows\system\StPcVvv.exe
\Windows\system\MVnNppt.exe
\Windows\system\LpyUcog.exe
C:\Windows\system\UaRkdvH.exe
C:\Windows\system\AUWiRwX.exe
\Windows\system\ssKIOYz.exe
\Windows\system\LVYHduv.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 00:33

Reported

2024-06-07 00:41

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\xcWJwgA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FJygThd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yLvXuyS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ssKIOYz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UHAiqUV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MVnNppt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pORdPTn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LVYHduv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nduGlfI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GiTBmZi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UaRkdvH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KmDBUtn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LpyUcog.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\auNCmEh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FpWkxbn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZWWHgvh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AUWiRwX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hgRgYao.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NvgScMj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\StPcVvv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CWWDuIR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4816 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZWWHgvh.exe
PID 4816 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZWWHgvh.exe
PID 4816 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\ssKIOYz.exe
PID 4816 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\ssKIOYz.exe
PID 4816 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\LVYHduv.exe
PID 4816 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\LVYHduv.exe
PID 4816 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\UHAiqUV.exe
PID 4816 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\UHAiqUV.exe
PID 4816 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\xcWJwgA.exe
PID 4816 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\xcWJwgA.exe
PID 4816 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\AUWiRwX.exe
PID 4816 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\AUWiRwX.exe
PID 4816 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\nduGlfI.exe
PID 4816 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\nduGlfI.exe
PID 4816 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\hgRgYao.exe
PID 4816 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\hgRgYao.exe
PID 4816 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\GiTBmZi.exe
PID 4816 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\GiTBmZi.exe
PID 4816 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\UaRkdvH.exe
PID 4816 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\UaRkdvH.exe
PID 4816 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\FJygThd.exe
PID 4816 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\FJygThd.exe
PID 4816 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\KmDBUtn.exe
PID 4816 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\KmDBUtn.exe
PID 4816 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\LpyUcog.exe
PID 4816 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\LpyUcog.exe
PID 4816 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\NvgScMj.exe
PID 4816 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\NvgScMj.exe
PID 4816 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\auNCmEh.exe
PID 4816 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\auNCmEh.exe
PID 4816 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\MVnNppt.exe
PID 4816 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\MVnNppt.exe
PID 4816 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\pORdPTn.exe
PID 4816 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\pORdPTn.exe
PID 4816 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\FpWkxbn.exe
PID 4816 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\FpWkxbn.exe
PID 4816 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\StPcVvv.exe
PID 4816 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\StPcVvv.exe
PID 4816 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\yLvXuyS.exe
PID 4816 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\yLvXuyS.exe
PID 4816 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\CWWDuIR.exe
PID 4816 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe C:\Windows\System\CWWDuIR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ZWWHgvh.exe

C:\Windows\System\ZWWHgvh.exe

C:\Windows\System\ssKIOYz.exe

C:\Windows\System\ssKIOYz.exe

C:\Windows\System\LVYHduv.exe

C:\Windows\System\LVYHduv.exe

C:\Windows\System\UHAiqUV.exe

C:\Windows\System\UHAiqUV.exe

C:\Windows\System\xcWJwgA.exe

C:\Windows\System\xcWJwgA.exe

C:\Windows\System\AUWiRwX.exe

C:\Windows\System\AUWiRwX.exe

C:\Windows\System\nduGlfI.exe

C:\Windows\System\nduGlfI.exe

C:\Windows\System\hgRgYao.exe

C:\Windows\System\hgRgYao.exe

C:\Windows\System\GiTBmZi.exe

C:\Windows\System\GiTBmZi.exe

C:\Windows\System\UaRkdvH.exe

C:\Windows\System\UaRkdvH.exe

C:\Windows\System\FJygThd.exe

C:\Windows\System\FJygThd.exe

C:\Windows\System\KmDBUtn.exe

C:\Windows\System\KmDBUtn.exe

C:\Windows\System\LpyUcog.exe

C:\Windows\System\LpyUcog.exe

C:\Windows\System\NvgScMj.exe

C:\Windows\System\NvgScMj.exe

C:\Windows\System\auNCmEh.exe

C:\Windows\System\auNCmEh.exe

C:\Windows\System\MVnNppt.exe

C:\Windows\System\MVnNppt.exe

C:\Windows\System\pORdPTn.exe

C:\Windows\System\pORdPTn.exe

C:\Windows\System\FpWkxbn.exe

C:\Windows\System\FpWkxbn.exe

C:\Windows\System\StPcVvv.exe

C:\Windows\System\StPcVvv.exe

C:\Windows\System\yLvXuyS.exe

C:\Windows\System\yLvXuyS.exe

C:\Windows\System\CWWDuIR.exe

C:\Windows\System\CWWDuIR.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 137.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4816-0-0x00007FF687CF0000-0x00007FF688044000-memory.dmp

memory/4816-1-0x000002198C7E0000-0x000002198C7F0000-memory.dmp

C:\Windows\System\ZWWHgvh.exe

MD5 6dc83771bd34c0b735d044a5cabe0528
SHA1 c3c08e81bbd3afa0f0e9c8833b24301005bb1db9
SHA256 1581476c88b902c72f245977290123f6aa64a88700aadbbd5946cddcffe461d8
SHA512 9ab9bd1e3eb48e7d449c622a76f5b4b337f43d7538f96dd7d0b5b6c3ab43aa597e2795da0ae75e7e18436530208f4d2fb48e722e5b3abb949774b66cc50732a0

memory/4056-8-0x00007FF623F50000-0x00007FF6242A4000-memory.dmp

C:\Windows\System\ssKIOYz.exe

MD5 94a3abbac37eb4e74f0d27d1a6130281
SHA1 5956452c83f48eec4b571dc56e9968e7381d54f6
SHA256 f0afa8843922db1372ead1ab37e67873ca94d89d63ffba1f3da2f2e18046ff92
SHA512 ddb420aac458b545e5c7c57694766e4fc4f89852b3547cf7b541847c36207d616cd53dea27b449d79e83524b524ea043912511f0d1b11770ac1281a00350edcf

C:\Windows\System\LVYHduv.exe

MD5 6c805e00f83305a937f2312347d47082
SHA1 c5be3170e02d791cb5b3a9d35869904026aa547d
SHA256 dc87431afebaed54cbbe7684f35337701d01917e1ca1ade8d5c88ce77c143825
SHA512 6570961e04c7257cd20b76a8289ebc83d214079a8ff6df2c26aaaea636a01f8d501a95e34605ae98e072e4e27cb1f3b8fb44823f289ac77700a906e4c1768751

memory/4516-14-0x00007FF6BE5F0000-0x00007FF6BE944000-memory.dmp

memory/4788-22-0x00007FF6713E0000-0x00007FF671734000-memory.dmp

C:\Windows\System\UHAiqUV.exe

MD5 40f6e6fd0b8d8114c0264e8ebf295ffe
SHA1 572f7d525ef176ba0f84b353ff628612afe427fa
SHA256 efe2051ae2d11bee31c7cb4d17ad22f47a0d66221bff15a721dc5cb53a717e01
SHA512 68bdfdcb0308b99243160793f467959fafb582e706e8b90cdc1860b63e5b549ba7584cab4c39a89c80c5344768ff97b6486a26cdadb126b4afcd2c8c230d3e1c

C:\Windows\System\xcWJwgA.exe

MD5 c20e906475cab36301e4d1d43fda0a86
SHA1 d8f00e6bb84b399d6a9ae48b8f12d9eddb6270f1
SHA256 879de8fa4318301ceb81985239a37446b8ab8f6e0679b0bf2b1eac1370a7a8b7
SHA512 1f565d4f05acdec85d23b18116506faf5546f3d1eb13ed095631cf305ab24a05e17c64feede078cb8957145fe7315a7a7601d1088364525a32acbf97745becdb

memory/4984-40-0x00007FF651920000-0x00007FF651C74000-memory.dmp

C:\Windows\System\AUWiRwX.exe

MD5 b68e9afecafc39e6c42b76b58b1b7217
SHA1 bcaeaa90aef7e44d6b02743a1be6b9a5969dd2d7
SHA256 c6d267fddf7d37104449370d685cfeece60bb3917ad8f4911a18efe2f73940ae
SHA512 8a70867717ac9e2f486dd4d44a04ec21f900bf5ae508e96f98f9da331e2d542c468da42ad8d6b75255cf2cff825e472e53212da0f8f95c5d1e1774112a42a908

memory/1412-43-0x00007FF6CAF40000-0x00007FF6CB294000-memory.dmp

C:\Windows\System\nduGlfI.exe

MD5 4467ea20160ff6bb5412b9faceddd279
SHA1 98a0c4856213277d03023a14eaa670e3bf5713ff
SHA256 6201f168d62b86426d5a9d4465c331651b757f6083e5dc0f4e8b14e37bc141f4
SHA512 231d073087bf06902f6f8c52473cbf4515882284902ec50ba6c28866d22016aa041e5e56b9827b60ccc9dd0f923fb69a263c9542854e0e02e9583a8923cf2ede

memory/1872-30-0x00007FF71F7C0000-0x00007FF71FB14000-memory.dmp

memory/2232-29-0x00007FF7F4DD0000-0x00007FF7F5124000-memory.dmp

C:\Windows\System\hgRgYao.exe

MD5 cf25ade0435a0dbb5332aa5d8ca112bb
SHA1 444f6c0d4cd089b8e5aba4f021872e152ec42863
SHA256 2fbc47f74993a2e30d4108adc878d6c20597d97c687456300eb22e010b303a26
SHA512 2b9a78f315e4982b5d558bcf91059f85e4e77b0878f6dddb6a2a9d7ca9e9062fcd55a8b074d700776a422eb3f1c7d1449acd9f8f363f1e63042b7f48a49cee74

memory/1884-51-0x00007FF7BE160000-0x00007FF7BE4B4000-memory.dmp

C:\Windows\System\GiTBmZi.exe

MD5 2e6aa64ce2c544b8fd992564509344c9
SHA1 1406eb8284965b31362a2edcc6290d69c37cf4ed
SHA256 d2313e7e864889f22892663b09f4f8e6bd5d82269ffb21c70f6b03c5486e886b
SHA512 4ef67bfaaf610444f6275d96caad998945b69775a0ad1cbfd55ad41286e970edb2c38483136804145222819770ab266dee7808a6b72be95a57cb4600adc48a43

C:\Windows\System\UaRkdvH.exe

MD5 b0446695b4f6959fd89a363b056867e1
SHA1 a151e9cc9c24cdebc07f104d747406379efe19cd
SHA256 ce470b3d75e279b518ce166ee9bbc38db16bea110ec8fb660a2c550d54c2e1ca
SHA512 c86dc9b22ad90229c44185eb4e4950e1ab7d56741a7b48345cd57d5c9da0e8462ca09523b4069b58300170180b1a9e074d18956838a56f1c1427c1503d07190c

memory/628-54-0x00007FF60BD20000-0x00007FF60C074000-memory.dmp

C:\Windows\System\FJygThd.exe

MD5 26709e6a1902bfb57b0a6ddd4148d69d
SHA1 512d5eb5ae5a134f028a8bb964529406aba51c4c
SHA256 ab501302b4b55ad82871dcac7c18661a132c12bc9d50eb2134c9f96ea24e4906
SHA512 c1e54c76a1581b974b3e9b961e69ff1ebf27385e99e423c0bbd519796977b7c8a5237feb4b388bb239b91e3f9185a454360053540faceba37534eb1f0c8b9e03

memory/4816-68-0x00007FF687CF0000-0x00007FF688044000-memory.dmp

memory/1172-69-0x00007FF696220000-0x00007FF696574000-memory.dmp

memory/1388-65-0x00007FF705810000-0x00007FF705B64000-memory.dmp

C:\Windows\System\KmDBUtn.exe

MD5 59b126bb958f1cdb7fb9ddabc4630fe3
SHA1 d523676e52a53e6762cf1f3d2079c88a93eaab5a
SHA256 74b91df4076e8a0048aa30b310f5cea946738c6cbb55c0c589643dd4778e7cb6
SHA512 007082c799cdc7b8e8cf8503e1fbbcce6d269006d200bd279c82af8c753c45ab5412b1d06bd6092829fb65f7797ed438cde2f8efa050d04dc4a22f978bb5dbc4

memory/3764-74-0x00007FF744460000-0x00007FF7447B4000-memory.dmp

C:\Windows\System\LpyUcog.exe

MD5 700f275fa85ed6a694cc643a3e6b2d07
SHA1 81d7f0b5782d4650c1ffc7f4ce129e2628efd0f3
SHA256 9e676c985bfc2e0eebd92922b559476103dfa5b924653ac6ceb075c9d642299f
SHA512 b94579b0ff3aa24dcf186b42ebb4cd1eb44ffa1cdd3f47e6b1a391d05e5994b7ad5eba921b0a20caed26a34ea5b55ddc1e96e64aab45e1e6708d46d079f15944

memory/4076-83-0x00007FF767D90000-0x00007FF7680E4000-memory.dmp

C:\Windows\System\NvgScMj.exe

MD5 4fa57d94e87818451d29b658dfb412c1
SHA1 17edf909b660f59505d8817a6d69bf931d0d3c54
SHA256 a182fd97fc5dcdc170236d17b5290cbfc6faaf8262d884d37b85b2bff7f9e22d
SHA512 e322fbca930b16bfaabb8d61d45535193badcb64be3a5d50a8a06cce2fce6c40eb077da106b64fd144138d87b80eb7fd8dbb43aff2afa1200cb2494ae3466adc

C:\Windows\System\auNCmEh.exe

MD5 6e90578b95960481c13b28accf9c926b
SHA1 16a65c9ca4a38e3922edefd0c24cec5aa4938f5d
SHA256 f13e4b24b54b734fdc77ddbbee8e084aedd434ba47675fe9ba005c98da90999e
SHA512 489c8e72b1c5915104dde3f136a2a75d3b1684bbe5584db6ae45c8841f361fb9f6224cfc278e805abb7a08171f197c308bf20fe233609a31565f2aed486c9614

memory/2232-91-0x00007FF7F4DD0000-0x00007FF7F5124000-memory.dmp

C:\Windows\System\MVnNppt.exe

MD5 2999532dc35b49213ea1ffa0fdce5d12
SHA1 ef43e59a954e41cd0180ed84faad7585b07377db
SHA256 0ee4b22749bab39e71bc09cb3061d879611cd302ace5f52d0ee39806fc242cfa
SHA512 3390b1a0356277742902797504aa40220556ffc2c1668d719d4a11fe617a089d12a6483eb05a231e0f0e41e230164474503313859fb63fd87f30bf0df1935ba3

memory/4984-94-0x00007FF651920000-0x00007FF651C74000-memory.dmp

memory/1872-93-0x00007FF71F7C0000-0x00007FF71FB14000-memory.dmp

memory/3588-92-0x00007FF720E00000-0x00007FF721154000-memory.dmp

memory/5104-90-0x00007FF6EEB60000-0x00007FF6EEEB4000-memory.dmp

C:\Windows\System\FpWkxbn.exe

MD5 dd7b50e7a9d673d4f6ea2a8aebb653b4
SHA1 e68d74f4ece5da48268104acc8046fc2f6115256
SHA256 45fd5bc069bb30a9d182a24531584b2efda2092e55b81c9e000fcd1e17cf5515
SHA512 cd9e34b703dcea778f9e8eed8a1271316c76e139a3fd859b1a1ba6734182b495d8d91381cbbafd1be1288f03bc1d8ed5372552550c1472f06b01734b280e147b

memory/3360-104-0x00007FF7710A0000-0x00007FF7713F4000-memory.dmp

C:\Windows\System\pORdPTn.exe

MD5 56abc6ad9643b8fe62edf9ef9f04e50a
SHA1 9652514e975f34b101d3c6acad75aec1f8dd60fb
SHA256 7c53dbb34ed851c5084692e8e0b0391ee63ffe1129750c9180a484155b96c320
SHA512 bdfaa5bd7ba7d6d5128839cb38980b3fb742b05540dce1db5f82cb03e9ecc78438d74080ba6edb23ac74e710b93cf6cf2d89bf9a447dadac6d04168a6bf1000f

C:\Windows\System\yLvXuyS.exe

MD5 30f43c3a1e6da063073b05881e977fc9
SHA1 7b0163e33f75832c9502dbfca11c64c520cfa97a
SHA256 18ce5cfc960c5f5c703f08c8a85aab00a26cda3d411aa5ef39e358667c2a3edb
SHA512 ac0aa3347c0a5b9dca4dd072be353b918cc5a1cb94264aefdd63d2db504738a2f3d32b8a2649484920e3179cdc98f370b57038940d52c8530b4c807ebf9c001a

C:\Windows\System\CWWDuIR.exe

MD5 625ce47337ec454a33d1093ebb762a13
SHA1 ae84a5a7af055e1dcd1cfa215ed4e31329213bf9
SHA256 282cb2c6e835d7fbf977167a0015c254c6f44d191b45362715a418fa0b1c1910
SHA512 a5e8a61c6450e5e1626fb9c41d48ecf1d923c7479852e4851e9cc9d9d7858d8bafec111b97d26417936ab43c946231ee3186a9980b45659b1912e80063179f2d

C:\Windows\System\StPcVvv.exe

MD5 f915e06efeadac88efdfd3e9083ea9b0
SHA1 eb7a25ac21349c064327b490a1211bc8ebcccb9c
SHA256 64d48b71f5d88e54953c3aebfef3971a0c2398c2c707e6b7a16b8a4a85edaea0
SHA512 d92a4e537024ed0de9b519dba7abd20c712966ab336e35987add996ce478d20c0449c74c9011a7b430e56d361dd902e1a312da1a3817443e049a223f2443d0f8
