Analysis Overview
SHA256
659310fcf600783f354ae9107daeec8052b647a0d0069c7ad43b8e2c5a0a08c4
Threat Level: Known bad
The file 2024-06-11_6ca7922fbe7693b9232382f7acb02ad3_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
xmrig
Xmrig family
Cobalt Strike reflective loader
XMRig Miner payload
Cobaltstrike
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-11 20:43
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 20:43
Reported
2024-06-11 20:45
Platform
win7-20240221-en
Max time kernel
145s
Max time network
153s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\faFwINl.exe | N/A |
| N/A | N/A | C:\Windows\System\paPHzDb.exe | N/A |
| N/A | N/A | C:\Windows\System\eWvLFLw.exe | N/A |
| N/A | N/A | C:\Windows\System\ytjQgyI.exe | N/A |
| N/A | N/A | C:\Windows\System\yPLoiCG.exe | N/A |
| N/A | N/A | C:\Windows\System\xabxxeo.exe | N/A |
| N/A | N/A | C:\Windows\System\VKyJUtd.exe | N/A |
| N/A | N/A | C:\Windows\System\CfdRxMe.exe | N/A |
| N/A | N/A | C:\Windows\System\FyZEQkv.exe | N/A |
| N/A | N/A | C:\Windows\System\YLAdFuD.exe | N/A |
| N/A | N/A | C:\Windows\System\xAfXSWm.exe | N/A |
| N/A | N/A | C:\Windows\System\YphYSKI.exe | N/A |
| N/A | N/A | C:\Windows\System\YrgtQkp.exe | N/A |
| N/A | N/A | C:\Windows\System\PGFwFmd.exe | N/A |
| N/A | N/A | C:\Windows\System\NVHNPTs.exe | N/A |
| N/A | N/A | C:\Windows\System\inwbiCH.exe | N/A |
| N/A | N/A | C:\Windows\System\zpQjxBG.exe | N/A |
| N/A | N/A | C:\Windows\System\pVIhnIt.exe | N/A |
| N/A | N/A | C:\Windows\System\YKnVZru.exe | N/A |
| N/A | N/A | C:\Windows\System\fqotlJg.exe | N/A |
| N/A | N/A | C:\Windows\System\kFeqiOu.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_6ca7922fbe7693b9232382f7acb02ad3_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_6ca7922fbe7693b9232382f7acb02ad3_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_6ca7922fbe7693b9232382f7acb02ad3_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_6ca7922fbe7693b9232382f7acb02ad3_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\faFwINl.exe | C:\Windows\System\faFwINl.exe |
| C:\Windows\System\paPHzDb.exe | C:\Windows\System\paPHzDb.exe |
| C:\Windows\System\eWvLFLw.exe | C:\Windows\System\eWvLFLw.exe |
| C:\Windows\System\ytjQgyI.exe | C:\Windows\System\ytjQgyI.exe |
| C:\Windows\System\yPLoiCG.exe | C:\Windows\System\yPLoiCG.exe |
| C:\Windows\System\xabxxeo.exe | C:\Windows\System\xabxxeo.exe |
| C:\Windows\System\VKyJUtd.exe | C:\Windows\System\VKyJUtd.exe |
| C:\Windows\System\CfdRxMe.exe | C:\Windows\System\CfdRxMe.exe |
| C:\Windows\System\FyZEQkv.exe | C:\Windows\System\FyZEQkv.exe |
| C:\Windows\System\YLAdFuD.exe | C:\Windows\System\YLAdFuD.exe |
| C:\Windows\System\xAfXSWm.exe | C:\Windows\System\xAfXSWm.exe |
| C:\Windows\System\YphYSKI.exe | C:\Windows\System\YphYSKI.exe |
| C:\Windows\System\YrgtQkp.exe | C:\Windows\System\YrgtQkp.exe |
| C:\Windows\System\PGFwFmd.exe | C:\Windows\System\PGFwFmd.exe |
| C:\Windows\System\NVHNPTs.exe | C:\Windows\System\NVHNPTs.exe |
| C:\Windows\System\inwbiCH.exe | C:\Windows\System\inwbiCH.exe |
| C:\Windows\System\zpQjxBG.exe | C:\Windows\System\zpQjxBG.exe |
| C:\Windows\System\pVIhnIt.exe | C:\Windows\System\pVIhnIt.exe |
| C:\Windows\System\YKnVZru.exe | C:\Windows\System\YKnVZru.exe |
| C:\Windows\System\fqotlJg.exe | C:\Windows\System\fqotlJg.exe |
| C:\Windows\System\kFeqiOu.exe | C:\Windows\System\kFeqiOu.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\faFwINl.exe
| MD5 | 82ca66689c5354360124e65c973c03dd |
| SHA1 | 0860c048d6ca17e85857afcc36b82a4935f3e0ac |
| SHA256 | 0f4d74e2fab77a2f083d5cd60c1af1725285047e4eaaefd81d6320e17f864d10 |
| SHA512 | 4542d5d5bd1777cfd5f4ea447381ae9efc0f5b38521c263d376d2f3c0e4dfd59087a243c07bda16e22cc3e3833cf8085689f5e9c00eca26de406c982e09b8b87 |
\Windows\system\paPHzDb.exe
| MD5 | 4e7037b9c3d7fab23f1bc094c162a87c |
| SHA1 | 43e9e1db64b434835ffa74a213d68775d90c0196 |
| SHA256 | 4f8895c150e4fb3356bf0a1214baf6251b3389e3049e8ae23d8a142ebd9d728e |
| SHA512 | c283981d5fce458695d0c398ad2aeead89cde92ff0417a802b0fe7140dd0cd70f3cd07cca96302e9ae5526ee089132d31d84944dd82d88b89c72dfb40089fb86 |
\Windows\system\ytjQgyI.exe
| MD5 | 64508f45ed780d9cb8e9bfb6fc41b9a4 |
| SHA1 | 655abb1474e44606de2e0b92eef470e37c9d7b9b |
| SHA256 | cb1a8bf5103b7f7cdcb131a0456b4f445f54335ca4e420c9def5482a6f07904d |
| SHA512 | 9f1ca91fa5296b7e8086d9224d8bcf1e3afdb1dabfc62a3d2e9dac36d24918471f80a0c1731e8848136a0ac74583978338fce58bf950936da2de8dcade4f659d |
C:\Windows\system\eWvLFLw.exe
| MD5 | ee6c97cb5442cab96699bc0353adad9d |
| SHA1 | d1312f6563239f9a3c4e202e5d30e7fcaeb86697 |
| SHA256 | 443c6c5e12accb80355340e9637b8e9b669696ee041ad71ec7139e359a6a6596 |
| SHA512 | 17d6b983c82be45a8d88b434d60b8cd287dfa296afd612584fa80ead911f012f9c04c1d9d59521a9bfeb86aac2a9f2d4616e135bffdcec606ef1a4be3b46c408 |
C:\Windows\system\xabxxeo.exe
| MD5 | d716f0d803b5405a046b5ec3e2df38ed |
| SHA1 | dc5b8b9da6a97080e8e6133b08100572646cf2fb |
| SHA256 | 5e10b6a6f0e4861ef4232ea044b25090780f3a6154aa26eb2d7b7d901c9fefa0 |
| SHA512 | 1baacdbc17f3852054ae2b1388c914f377be4d2e94114a428efe7066da49f1239729e74aca2f17e1035fd928f6e2449d15d59a5e76e15dd53fd97b0e6c3e74b8 |
C:\Windows\system\CfdRxMe.exe
| MD5 | e2c92e68a31d45ac03900d19b81db9e4 |
| SHA1 | 594f6adec8fa1809a3711df63623edeb954ad0bc |
| SHA256 | 7fcf3087a7450d40bfd8a4d4e863ed84b04df5e3306bb366c98b8a732c81bdff |
| SHA512 | fa2ae731f8d9d4421f8d1e49f54f24cccaee4fd6767d366706a34f5224c5c0f0db3f787e2571d52364805cb4cc71860f0b92a6bcb1d0de96827659003633606e |
C:\Windows\system\YLAdFuD.exe
| MD5 | 468eae17021cd0bb6e9bbb891334eee9 |
| SHA1 | 45e5e6a23e740a70f0da562e46a7a0574b9a9ce1 |
| SHA256 | da73dfe1992d041bb5bfb66a919079f045cb86e32a81bb3e36032629c0fd2b80 |
| SHA512 | ac241c75e0d8475196e7ffd0915d1459e159669076e207e50a89a1875a192019ffcfa1f1809e51ca76e7aeea998767ad0a44f68410eb73dcdb512eb24659dcc8 |
C:\Windows\system\FyZEQkv.exe
| MD5 | c15c8163a33ebdb2cbd1d98583c73126 |
| SHA1 | fdb8e2219b3a0b71a7b5d8e81d9b8096ee120076 |
| SHA256 | 8bed1e81375eb717f5ed06b7c5652fe65990a701f5db91895e54f1effb437256 |
| SHA512 | 1aab3c7a77195b0b1efb1630fa57e45ef81dd27181cd2edf875241c223ea4a401f3da702c17b73288a5e0b81745d5255dd8f12d94f1be2917ced401e82ee5ca5 |
\Windows\system\FyZEQkv.exe
| MD5 | f75564539a83b376903c5ecfa5901e06 |
| SHA1 | 860909f2131254f5457375c9de8cb6e8e7533a93 |
| SHA256 | a25c9e54e4ac4fb130d0aaa541a8a5b2dedfb1d619c1e147022de971b177da82 |
| SHA512 | d714b2231a9eda4a9f476c29532e558ef6354d4c3b2a94db233eac1109e70cc17fff62ea890eb23a55dae53b722fad41b241ad0f437f20912c6925b0f568206c |
\Windows\system\kFeqiOu.exe
| MD5 | 4e64d81c2f7a6212dc786d99e06ba3ad |
| SHA1 | b647a1927f1a9706942c4eca918c6508018c9aba |
| SHA256 | a25d599699320fb5b74dbc1f799b8da661a6b2b7dd98af2d17a33e63baf7599e |
| SHA512 | 9747015f08577355a633ed9365431e242bd870d5363711055a2c5a81714a5790b811b6baace4a4738fddc4d65718558cff8e5e10bbcf959a7b50f7e32c440ac5 |
C:\Windows\system\YKnVZru.exe
| MD5 | 74046429c8cdaf48bfbc7c08b2903236 |
| SHA1 | 7fbc18cb002f450ae9cbd0e88319c647a1525a89 |
| SHA256 | f65d06a087861d078447e4d4b53f2aae7d242204a15fd6fcafb0854ad9ea23f8 |
| SHA512 | 520062073b89b56350522c1c430bc1bf8e40df8137220bf95839598368c740db3440e1736b3628d14132b888c67cbfeadeca3aadc401597fa820f4c8bdd0a9f1 |
C:\Windows\system\fqotlJg.exe
| MD5 | 01c70bd8da7aff6bbb13d5e70c74b42d |
| SHA1 | 2ff8f868db4f6e31f4732f38102c978cc1387945 |
| SHA256 | e39671f4acef8c0fc480b2ff44676e372c26e42bb850bd1372d3731cba484a8a |
| SHA512 | e5aabfd8ed22496ab4701e09b5cd1c1fb9728614b82477a38bae3498a79075c54e1e5af6cb558517391e746767238d8270a1c611ef6b3c6c90eec927c0d9f15b |
C:\Windows\system\zpQjxBG.exe
| MD5 | d044027d9515eb5eff9621ebe7129f35 |
| SHA1 | 68d2cb96a63380516694eb5a97b18b50dac5eb88 |
| SHA256 | 0834f4b6c38891fd7ff3cc62ade6332110b80978af92afd536d9e424a02bceca |
| SHA512 | ce368971032c0f1a84a15a457ba27506b71101c909e05e280083207409e6e4f1987009647d03e124ca32e08e797023db352a6c58e30c2c219cc0ac706bea845a |
C:\Windows\system\pVIhnIt.exe
| MD5 | c90d608fd7c1070c4f3c8638c6d954be |
| SHA1 | 159205bfd06d6c8f031165fa57addb113562e8d7 |
| SHA256 | 73e92f22a97bc74dc99692ac6accfc66c1ab29220bfa97f7b49d66991fc6801f |
| SHA512 | 3f48b113ae7193dd4271ab3d33f4c6fd28d0d34cbcc851818e6c509eab0a9a64239893a8bf6c5de26b5a3c93229fdc6e6fe5f1be64e6a73b6dbb37e1f7b7e138 |
\Windows\system\pVIhnIt.exe
| MD5 | b8cb0f6fdd4385e04865b122d56b8847 |
| SHA1 | cf4b5f3f2ac56dfd8083cebd6d7502e88907f03a |
| SHA256 | 022e7579b63e40c7fb997d4d2f1e95cd724a568163dbc1fc615377c18225afdb |
| SHA512 | d16a6d3333548fee61e1b454abcd9fdf873298caee0552b4e6ced10c10e083b9ccad04bb5a12bdc7150ebf0e2426a20439722048e73de74fdf5a3a9e07c930dc |
C:\Windows\system\NVHNPTs.exe
| MD5 | 4652ae2c2bc579223cc296b85156df38 |
| SHA1 | a76c010d05d4a26b711781096afd444dbd6a28e6 |
| SHA256 | 607e6b6f1a629f5e9f1454aa6e7c05d6e7d4b2bc375e1c256536f4f8d6303e9e |
| SHA512 | c0bb429e43d4bda8bc802b09b0ed39f12f9308e7072413777c05608fa25afe84d8e472a6225f8a6bede7a7617168962ea1a1d119f1126d5041faf8f41ac09d72 |
C:\Windows\system\inwbiCH.exe
| MD5 | b234863419d4700aba68298fb1a21070 |
| SHA1 | be1258e687d230e3b16feef6f730ab9447367316 |
| SHA256 | 5e6e7b55c468dda573c5deeabd6396d06ecf214ad9bc4754713610e729718a36 |
| SHA512 | 4686a1c5d17ea1d6d85c47e749d81a87316288b932b52246eb36f2aa91cd0b325faa4df98826c72347eb1c1af9ba2b745bb884fd231fbc6c9b7328f1388dbd4d |
\Windows\system\NVHNPTs.exe
| MD5 | e1e20d544ebea78f75a69d387b3e61a3 |
| SHA1 | 14f7164adc68c63fabcfbc99c8a79fcabfe0308e |
| SHA256 | 3313037aee794bcf7f1cb5f585de081f54ad51f5b734811bc30e31696347c46d |
| SHA512 | 4e1830240b082043c214a43e8ab2b6f6f99c8690cf04b929be1e47940c89c773472739a78942b32fd03b1ac5fcd60619e68d0493d3d6b3e63950dc54b361b176 |
C:\Windows\system\PGFwFmd.exe
| MD5 | c719f384dd9fe87194c6979ffd6f4c29 |
| SHA1 | ae0b2a2456849e8c9c94fd298482a9e00cb506d0 |
| SHA256 | 3a66807ec0edda0f1134c1e29caec3d95cd9f01593ce04a64bb52dccab7a068d |
| SHA512 | 79e7427005c7fb4580428410390a719ef5a51b9f1989175aa4f17c4e16bc6e253f6e5a52639e760403a0c1e8e01a9e7b784ce8de14e286aa9c7a692ea25a4548 |
C:\Windows\system\YrgtQkp.exe
| MD5 | f6fb9a7a0d6eea73ef7f3f8e7cd5859e |
| SHA1 | ddbdf9382ea3f4d5898bed6d1f62a7ea1e35d46e |
| SHA256 | 337a4334eda0b34801766de2387f369f4989dd4ebf158bfe4364ae858d2ae3e8 |
| SHA512 | a1baff7d5ab59840927e3235079ef737249cc3e8de829f0c88fb6cdf781c81f0834254f01485fcc5da3643a024f1f4c12ae5655c36f7bdb485ccc6847d468a53 |
\Windows\system\YrgtQkp.exe
| MD5 | 7577b6effbc6d17a5a97e756ac2ea7a8 |
| SHA1 | f14ea7f89401a2203377068fe6797f642acefd13 |
| SHA256 | 1b43fef364d745dd7b93c5df9acdd60da10243b58663b7a4e5cf422a855c433f |
| SHA512 | 51145969e46d0821371b88992ae25d542ae62a647d80433891f6d02d97c1fb70431ec8c9dedabcb58047f1d32e00747c51d277513a0052d1698e1eba481ff9aa |
C:\Windows\system\xAfXSWm.exe
| MD5 | 062910ae98ebb49b02d9664f7f003b0d |
| SHA1 | ea39df16ea147c282370da767d5b17948b6bf679 |
| SHA256 | 35dc49a7266f4dbfd141e5ae61f260611a47fee793f7db49eb7e373a302cc93b |
| SHA512 | ad2569b1d33e5a13f3b7a9fc2e903dc8326241bfcf4f578f617088de18ced86ca0340441d617fc9b3cc65d9924e2eca7ae62b55a2c06ac7d19874f0680051a07 |
C:\Windows\system\YphYSKI.exe
| MD5 | 9e455e7102bb84e783afe18c42b50505 |
| SHA1 | a54be3eb91d39f751babfe971835c1b15d411c95 |
| SHA256 | d75a63d72e14b094d475e79bade403a3dae13ca7b635f6b88530364317b9fb59 |
| SHA512 | 42c3b6c1a6ca5054a75a7c30f5ab2bf883b419dd307e839f73e514faa5697104779df6aedb3cdaa603b4871de4f90996bdb9c6e6cb30c97138bd515f2fd3fff1 |
\Windows\system\YphYSKI.exe
| MD5 | 23bc6dcede88b8ed539a544d67efe185 |
| SHA1 | f6e5f132336211adb09362509b340cab235f1bd4 |
| SHA256 | 8fe6a8c4d5c74fbe3637c9a5ffa9989eba8de8a7e31088d66c93a406ce176b84 |
| SHA512 | 01dc9a0dfe5f91ccaeb2af4753010dda595695f941673c981d8c33685e3cf7ed7e3c6fbde552dea50749fa0822d3fdcb74c297ba6da6d030356868c1cb681307 |
C:\Windows\system\VKyJUtd.exe
| MD5 | 9eda34900e2d282ab64482ad2dd417a3 |
| SHA1 | 477441dfcb07090167f29d4edb1f099f7ee5372f |
| SHA256 | 745cfb80e124b68f4a243ccd92b06ce60fd7fca3685c3937bc646a7fd3cba7fb |
| SHA512 | cd3d31edd01f86ca10697ac941085f9156f94569a287332c9718453cd3a068912ae379afc3da5c118f043e3f387156284a73942e08e60fbb2c226f7cf71d17a8 |
C:\Windows\system\yPLoiCG.exe
| MD5 | 8fe7c7ca83daf5d412119f8b84536c75 |
| SHA1 | ebaf0a794299dc44c1208979eb9ae7091c3f53e1 |
| SHA256 | 0732c9874bb59c44d3e446b9768e211a7b4cfe4fba2e9e4ee655f8d7f2d1e950 |
| SHA512 | e20e57fe6574066db077d927b86d52f54a843b34725f174ce99a59a2663162ded0d0dac6857de9de7287692aec3d728bebeb8cbe55ff8ed2b9c1c7fe2bfbaa73 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 20:43
Reported
2024-06-11 20:45
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\VdoGMtI.exe | N/A |
| N/A | N/A | C:\Windows\System\nZjztJI.exe | N/A |
| N/A | N/A | C:\Windows\System\mDKWOfn.exe | N/A |
| N/A | N/A | C:\Windows\System\QmqdVTr.exe | N/A |
| N/A | N/A | C:\Windows\System\BWUDeWO.exe | N/A |
| N/A | N/A | C:\Windows\System\qqnhHhD.exe | N/A |
| N/A | N/A | C:\Windows\System\sLGEsgK.exe | N/A |
| N/A | N/A | C:\Windows\System\yCWVyxB.exe | N/A |
| N/A | N/A | C:\Windows\System\GBqDPSx.exe | N/A |
| N/A | N/A | C:\Windows\System\gbIwdic.exe | N/A |
| N/A | N/A | C:\Windows\System\aJnJxtB.exe | N/A |
| N/A | N/A | C:\Windows\System\YXuJSTA.exe | N/A |
| N/A | N/A | C:\Windows\System\ESjCATX.exe | N/A |
| N/A | N/A | C:\Windows\System\qhgImxe.exe | N/A |
| N/A | N/A | C:\Windows\System\RkIcWjF.exe | N/A |
| N/A | N/A | C:\Windows\System\HEmHwIH.exe | N/A |
| N/A | N/A | C:\Windows\System\BfrabqR.exe | N/A |
| N/A | N/A | C:\Windows\System\pYcaHtU.exe | N/A |
| N/A | N/A | C:\Windows\System\RVvjlfn.exe | N/A |
| N/A | N/A | C:\Windows\System\lVqIDUa.exe | N/A |
| N/A | N/A | C:\Windows\System\CYHpTho.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_6ca7922fbe7693b9232382f7acb02ad3_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_6ca7922fbe7693b9232382f7acb02ad3_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_6ca7922fbe7693b9232382f7acb02ad3_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_6ca7922fbe7693b9232382f7acb02ad3_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\VdoGMtI.exe
C:\Windows\System\VdoGMtI.exe
C:\Windows\System\nZjztJI.exe
C:\Windows\System\nZjztJI.exe
C:\Windows\System\mDKWOfn.exe
C:\Windows\System\mDKWOfn.exe
C:\Windows\System\QmqdVTr.exe
C:\Windows\System\QmqdVTr.exe
C:\Windows\System\BWUDeWO.exe
C:\Windows\System\BWUDeWO.exe
C:\Windows\System\qqnhHhD.exe
C:\Windows\System\qqnhHhD.exe
C:\Windows\System\sLGEsgK.exe
C:\Windows\System\sLGEsgK.exe
C:\Windows\System\yCWVyxB.exe
C:\Windows\System\yCWVyxB.exe
C:\Windows\System\GBqDPSx.exe
C:\Windows\System\GBqDPSx.exe
C:\Windows\System\gbIwdic.exe
C:\Windows\System\gbIwdic.exe
C:\Windows\System\aJnJxtB.exe
C:\Windows\System\aJnJxtB.exe
C:\Windows\System\YXuJSTA.exe
C:\Windows\System\YXuJSTA.exe
C:\Windows\System\ESjCATX.exe
C:\Windows\System\ESjCATX.exe
C:\Windows\System\qhgImxe.exe
C:\Windows\System\qhgImxe.exe
C:\Windows\System\RkIcWjF.exe
C:\Windows\System\RkIcWjF.exe
C:\Windows\System\HEmHwIH.exe
C:\Windows\System\HEmHwIH.exe
C:\Windows\System\BfrabqR.exe
C:\Windows\System\BfrabqR.exe
C:\Windows\System\pYcaHtU.exe
C:\Windows\System\pYcaHtU.exe
C:\Windows\System\RVvjlfn.exe
C:\Windows\System\RVvjlfn.exe
C:\Windows\System\lVqIDUa.exe
C:\Windows\System\lVqIDUa.exe
C:\Windows\System\CYHpTho.exe
C:\Windows\System\CYHpTho.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.229.43:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/392-0-0x00007FF6AAAE0000-0x00007FF6AAE34000-memory.dmp
memory/392-1-0x000001E57A430000-0x000001E57A440000-memory.dmp
C:\Windows\System\VdoGMtI.exe
| MD5 | 9d1db86d27a51dc9c80039a783d35930 |
| SHA1 | eb2df8da277083b7427653938f612fda67795a02 |
| SHA256 | 5f7e89537721ca6b6c51bcaeb481517bd505c982b351d036c087d1f4304fe358 |
| SHA512 | 779c26fd1461fe242c9e74393f165702204b74a6bb1e74af3f443a1b80cbff79fb0ca09ef65968a6def0ae84ed32d0265efe6830007e506c61eb6765a640436d |
memory/2304-6-0x00007FF7C7B10000-0x00007FF7C7E64000-memory.dmp
C:\Windows\System\nZjztJI.exe
| MD5 | c9a6fa46a8ca74893acffdc8a830ed7e |
| SHA1 | 6b0c61c8dfd151893fca53ab62b7d97c49e0b6ab |
| SHA256 | 1fe67b3e5fd2c4eb4f4e732c23361315f35736371c518b71aa3caedbb3283cbb |
| SHA512 | 17927581bf7f11f65a9ca694e369dbe026c67232635b787be3b25c227f37e7aa40f56278036ef8123726865808108c9904f6b3357fb8050abbcc84b3b5821b63 |
C:\Windows\System\mDKWOfn.exe
| MD5 | c2f09204ecdb6f991d5941b6932991a3 |
| SHA1 | 506beda72e717942bac455d4008752ed3cf09a6b |
| SHA256 | 1f794d6570e4a8927aae2354054aa7773edb34d660dfd42551bbf2843991c9ad |
| SHA512 | 67d5bc8b1c0823feaac4dfa3757522c6c58ba6e79c20f1ebdb179ece6168d3ea77b571b3fa22d4432c290a53fbac8a6083c5ff7d25c94cafb11c7a8e5eca25d2 |
memory/396-14-0x00007FF6C10D0000-0x00007FF6C1424000-memory.dmp
memory/4960-20-0x00007FF77C450000-0x00007FF77C7A4000-memory.dmp
C:\Windows\System\QmqdVTr.exe
| MD5 | 3c2aa89255732b1ad5a401cc60cec73b |
| SHA1 | d86bdbe037b2fcaf5a85cac94793d882dc363389 |
| SHA256 | abdb0a207fac92691810099e107980a6f45650ca72eda9c984ee6730fb0b8769 |
| SHA512 | 8e449f874a641e55ad2098ed3fb9e276e9af94ccf7b1c7d1be91a7f6017ce15833ea29fb25f3d24b334f5f4c271e9273b06ecfa071da13290de0271a8f4f8289 |
memory/4696-26-0x00007FF61A2E0000-0x00007FF61A634000-memory.dmp
C:\Windows\System\BWUDeWO.exe
| MD5 | 073a8d0eed0176561ebcd925d3291f31 |
| SHA1 | 7035f87945b7b9faf40f17fa9ab88e106f930a79 |
| SHA256 | aa762f5ea1604258ea11e293fb0ace96b1ff0aabd36ae136c0dadca223452646 |
| SHA512 | cc7b0c06d70ac7de5c7561b91e2d0bb663d8f85bc03e2a8eb77c6422f4e0fa46fbb17bb40a108c5ad1c50a1a097ad21e6c349aa3111197fab51233afa7eb8958 |
memory/4916-32-0x00007FF673CA0000-0x00007FF673FF4000-memory.dmp
C:\Windows\System\qqnhHhD.exe
| MD5 | e1a561f9cef098e4ed16d3bd1ff5bee5 |
| SHA1 | d6e6f26871ea04827b71616ad5d74899899e2ae2 |
| SHA256 | 7df6e4c4162e075f25ae853b402bb9c4e04290a8b4b6cb412afaee25fa3bedcf |
| SHA512 | 142414790932cefe34edcdcd2571f49ddf7e70b564cdfeedbeb7ccdb2cff1c3c1e4a71e6a00c35c7744f791a94037fc6b54858372998f254242102fe31be624d |
memory/1916-38-0x00007FF7EBC30000-0x00007FF7EBF84000-memory.dmp
C:\Windows\System\sLGEsgK.exe
| MD5 | 39b4051632c4b8cdd338e7132af618b7 |
| SHA1 | 6c70b304e16c6f79151741c993912334b1d3779d |
| SHA256 | 63e92d3b0733f0e0202fd3ca3f6a886cc45e7df51677b4d83ad08c367b2157e9 |
| SHA512 | 5fde69b3fd750269fdfd888c2bc33ba43439c2c8f1ab2cb5bfea88d9459d82cc6f62f23cd2d95e3d0296ef33d3fc8b072fec204e5485d3ebfcb30525ae3ba5ca |
C:\Windows\System\yCWVyxB.exe
| MD5 | c7c98d1a0f409d2584928c58f8dbf428 |
| SHA1 | 451279dd1b4dfa467be4b305fa50faeb6221951e |
| SHA256 | 8fedfb8ad22b6c09edf43d435dede7e09a379b9adbb35feaf75874d48119858c |
| SHA512 | d8c67621e8721f127e53ff8f1df148f6d26aa52900b8c28130f8534ec9c1d1b373a7f595b0f87d4f3340f739d9ae8d6dad95736713f75727a5db34d4ceb01abb |
memory/4212-49-0x00007FF76CF70000-0x00007FF76D2C4000-memory.dmp
memory/848-53-0x00007FF6F14E0000-0x00007FF6F1834000-memory.dmp
C:\Windows\System\GBqDPSx.exe
| MD5 | 303a0eb8bab7f856f409da9e8e6c670d |
| SHA1 | 0e7f60992b733c9585752503abbeee06b778ae24 |
| SHA256 | 72cf850055da8d14a05baf1958d6ea10675cf0fa83d16cda4fb63c71acfa9caa |
| SHA512 | b74ae4dd51ae17669a7caebe1ccbd3a04583f5a9eac156367d93ec121132ced96fb53424a3213e11781219caa37179f7af79ee6535e6a049272c156ce3ab746f |
memory/3388-54-0x00007FF7AD010000-0x00007FF7AD364000-memory.dmp
C:\Windows\System\gbIwdic.exe
| MD5 | 80bb0ee20ca7c0a0e541d7fe23cf3c0d |
| SHA1 | 648090fc7bf6c9f13b3aef19ceff5bfd99d7e290 |
| SHA256 | 536ae522eda7dd7e497cf2347e545849b6b02092e2bbba1de2e4c45bd22937a6 |
| SHA512 | 8e24dd22bd536ebc9f4abd6f1ba4c10dc201ba5a0ec19789f9c7d086588a8ca0c195ea2eebbf8da79f14bc04007905003b152e9f899eae763a29dfcd33683db2 |
memory/392-62-0x00007FF6AAAE0000-0x00007FF6AAE34000-memory.dmp
C:\Windows\System\aJnJxtB.exe
| MD5 | b3c42afa5c65e96935050c62af37049b |
| SHA1 | a4ff964b0d1dc5a647a1e91c43ab77e626246b05 |
| SHA256 | 9e38b4efe71611d5f5b3aafc47d928db7970abd6d4dda0690a05fb73b4ced78c |
| SHA512 | bc55465d21098a029c3a2675fe996e641930169fc97d56e8538fbdb67e543ab4dcb004eb001a6908d630df7663d0f41afcae1661440f59e07e85b36c56b30a8c |
memory/1904-68-0x00007FF788760000-0x00007FF788AB4000-memory.dmp
memory/2304-67-0x00007FF7C7B10000-0x00007FF7C7E64000-memory.dmp
memory/3428-63-0x00007FF64FB70000-0x00007FF64FEC4000-memory.dmp
C:\Windows\System\YXuJSTA.exe
| MD5 | a3f3a1eb48d1d6349fce994986bd584e |
| SHA1 | ba643019962f802d794abd7ac08b80afa773fc4b |
| SHA256 | e519686c96c87f2d3dbe1d39eec443996c00c88ef755a25f918e7b8e04228646 |
| SHA512 | 99a796965bbd7071872ee425b6000a3a469a60333353534823d07ee00c2b48c4d380a2462aae5eadbcf934f9a5c71bdf64b2ce7415d8261f522301e912756804 |
memory/5100-76-0x00007FF7F60D0000-0x00007FF7F6424000-memory.dmp
memory/396-75-0x00007FF6C10D0000-0x00007FF6C1424000-memory.dmp
C:\Windows\System\ESjCATX.exe
| MD5 | 04e5d685bb801e67414646b6dc6dec8f |
| SHA1 | 6edee69c33dc2946ce4f1f1c283ef5dc5689b250 |
| SHA256 | dc89e5cb7dfa0b78c39e705294c5a1d8be9b0b04e221bed99c639e34cd9fa59b |
| SHA512 | d5e9fd3f7979bb93576510ca72234c1a62ce984489bb5a68a5ab7e7348629dd5cf6a2da0daea47ed6d36a0297e3d1d1d2bcd6d910d88075b9b665dbb5b1ef7b2 |
C:\Windows\System\qhgImxe.exe
| MD5 | 1432377ae91bea15210f8cfc3f245390 |
| SHA1 | def9df8c9d4c9985f230739b45e53c906632aa13 |
| SHA256 | 8d4bcea172999094c98fade071f2e9202fb047e5195fdf50e0c4d7aa151481e6 |
| SHA512 | ac6005ec917b6d55b9a78de554d944fbc4f5cac718d5e9bce86d84d3e9160896b3f92912551f51df2ca2f63fa82db36f6a91c5b902fb106e6a8253b315198697 |
memory/444-90-0x00007FF6AC880000-0x00007FF6ACBD4000-memory.dmp
C:\Windows\System\RkIcWjF.exe
| MD5 | 83b96332771d0fccb5feb5c72478d24f |
| SHA1 | 28112eb6e4f4b0ff508920ff12f80bf308b472a3 |
| SHA256 | b9c91a3d1b60fbec6c6fb6274f8b53baf3b50add80e4d9f30c1c7b1f942f8a3a |
| SHA512 | ce60bdafbaf77a7f94017db11956c1b0f1f3140c69902b86b675edc1ead8339fb5428df2b650ce473205a06416e18d129fc600f450aeae488ca1f725b66f6ab3 |
memory/1668-83-0x00007FF757410000-0x00007FF757764000-memory.dmp
memory/1916-99-0x00007FF7EBC30000-0x00007FF7EBF84000-memory.dmp
C:\Windows\System\BfrabqR.exe
| MD5 | 74d5547f4ae9aa6322c554b77358968b |
| SHA1 | f42c2d095aabbb30ebdfff926da4debbff0ea1c1 |
| SHA256 | 3b9f9d2f3f1e405ce4d5bc9fba226fb20a5632ba9353d006d28aae62da096748 |
| SHA512 | 0b99171688ac6fbf95b8163356abafc70b47f4dff5247a09e8cd1c8aee3fcebc6981fd3ce96811a9b881a033d931e868d9e1e013373eb3afacd852869d3a1035 |
C:\Windows\System\pYcaHtU.exe
| MD5 | 706a507a5ecae3969c00ffd8bc36644e |
| SHA1 | ca7e2e392c6550ba03e76243032737d8ca008e68 |
| SHA256 | 01b6143e6a889f2a54d650d44d70fc438942719de86555e849b628691092ae83 |
| SHA512 | 6ffb679cae035cd4170ebfd825ec0132223b3e33fd2d62356dec7a6fc94f5ae22470e56bcb082d2b264144ede4decc0cd2239f97f0eed3386b0a83e822fdf0ec |
C:\Windows\System\RVvjlfn.exe
| MD5 | a7c43b01fb51e630b94b2a5fce2d2149 |
| SHA1 | 92d5a01a6bd82fcb4265fbff71f3b2a7ab386a36 |
| SHA256 | 054f7800eef9b92cb299b7eaeb607ef910625b386dd6c746c4d758f1ba88ae18 |
| SHA512 | 1d423e3458fcfc981abfe977621b5e3591579d7bbb2a65b679f9b8f7956cc69505bf7607eb83b9adfc95a37978c1b91dfba03b7416f0afbf555c3f421f917d2c |
C:\Windows\System\lVqIDUa.exe
| MD5 | 0a0552d15c5cbd91b01cee633c7247d9 |
| SHA1 | cf23e0ae008188feb5c7aa36b0605f787d467d0d |
| SHA256 | 551782e1d50314f9148ebf003c60a6bea4309a3dfaed769d248ec40e2ca9e767 |
| SHA512 | 26f54e1c57b5790c913081eb5a2fa54885ea4c6bba6a890d2c0a06fae92d0f173323c41bb96f505620f78097cdeac3f3d41a5fa808ab824df8d8a86ce2eaf6a7 |
C:\Windows\System\CYHpTho.exe
| MD5 | 6cc41add10bbdb5a2fe2325ee8ea8de6 |
| SHA1 | fbc335f49433df4053f5aa7406decefe655f8892 |
| SHA256 | 498607a31d89c1ff1c4e0bde3a9c99d31102b7a1f89fffb0a15b1789c321f361 |
| SHA512 | 8b00efe72b8c71ed47862ea1a67333b5790341edd769f5afcb1541d4c342b6b82ac96c0b6e364b57a7d950145dca20b4fcf860276d82a86c766d20e2d67d6b83 |
memory/2012-110-0x00007FF7D3BD0000-0x00007FF7D3F24000-memory.dmp
memory/4524-107-0x00007FF7D4DA0000-0x00007FF7D50F4000-memory.dmp
C:\Windows\System\HEmHwIH.exe
| MD5 | 71ad6720e44446f7f7ed6d92d8dcacf5 |
| SHA1 | 11111f9cfb7734ed9d5b5e39ba4890ec12b4e468 |
| SHA256 | 4dda1997bbed86fec1804eb434f8ab3abd65da5eec56b750e532f6017a7e2ca5 |
| SHA512 | cdf89c8c37cbe333a17eff0cc2e54093b52541cb84e5e920e68c57b2177db6266f2723dce2dd3f4c478e0ccdf2407a6b4d6c352ee9e482c3ae2056c44e2cb67f |
memory/8-96-0x00007FF687C50000-0x00007FF687FA4000-memory.dmp
memory/1080-128-0x00007FF7B7190000-0x00007FF7B74E4000-memory.dmp
memory/4036-130-0x00007FF7E0AE0000-0x00007FF7E0E34000-memory.dmp
memory/4880-129-0x00007FF73DB70000-0x00007FF73DEC4000-memory.dmp
memory/3388-131-0x00007FF7AD010000-0x00007FF7AD364000-memory.dmp
memory/2040-132-0x00007FF650DB0000-0x00007FF651104000-memory.dmp
memory/1904-133-0x00007FF788760000-0x00007FF788AB4000-memory.dmp
memory/5100-134-0x00007FF7F60D0000-0x00007FF7F6424000-memory.dmp
memory/1668-135-0x00007FF757410000-0x00007FF757764000-memory.dmp
memory/4524-136-0x00007FF7D4DA0000-0x00007FF7D50F4000-memory.dmp
memory/2012-137-0x00007FF7D3BD0000-0x00007FF7D3F24000-memory.dmp
memory/2304-138-0x00007FF7C7B10000-0x00007FF7C7E64000-memory.dmp
memory/396-139-0x00007FF6C10D0000-0x00007FF6C1424000-memory.dmp
memory/4960-140-0x00007FF77C450000-0x00007FF77C7A4000-memory.dmp
memory/4696-141-0x00007FF61A2E0000-0x00007FF61A634000-memory.dmp
memory/4916-142-0x00007FF673CA0000-0x00007FF673FF4000-memory.dmp
memory/1916-143-0x00007FF7EBC30000-0x00007FF7EBF84000-memory.dmp
memory/4212-144-0x00007FF76CF70000-0x00007FF76D2C4000-memory.dmp
memory/848-145-0x00007FF6F14E0000-0x00007FF6F1834000-memory.dmp
memory/3388-146-0x00007FF7AD010000-0x00007FF7AD364000-memory.dmp
memory/3428-147-0x00007FF64FB70000-0x00007FF64FEC4000-memory.dmp
memory/1904-148-0x00007FF788760000-0x00007FF788AB4000-memory.dmp
memory/5100-149-0x00007FF7F60D0000-0x00007FF7F6424000-memory.dmp
memory/1668-150-0x00007FF757410000-0x00007FF757764000-memory.dmp
memory/444-151-0x00007FF6AC880000-0x00007FF6ACBD4000-memory.dmp
memory/8-152-0x00007FF687C50000-0x00007FF687FA4000-memory.dmp
memory/4524-153-0x00007FF7D4DA0000-0x00007FF7D50F4000-memory.dmp
memory/1080-154-0x00007FF7B7190000-0x00007FF7B74E4000-memory.dmp
memory/4880-156-0x00007FF73DB70000-0x00007FF73DEC4000-memory.dmp
memory/2012-155-0x00007FF7D3BD0000-0x00007FF7D3F24000-memory.dmp
memory/2040-157-0x00007FF650DB0000-0x00007FF651104000-memory.dmp
memory/4036-158-0x00007FF7E0AE0000-0x00007FF7E0E34000-memory.dmp