Malware Analysis Report

2025-01-22 19:52

Sample ID 240601-awhtjsbc4v
Target 2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike
SHA256 c7f9817a07be5bf309084f6cd2704c5564e1f927ea87afbf741298e4af4a1d84
Tags miner upx 0 xmrig cobaltstrike backdoor trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 c7f9817a07be5bf309084f6cd2704c5564e1f927ea87afbf741298e4af4a1d84

Threat Level: Known bad

The file 2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags miner upx 0 xmrig cobaltstrike backdoor trojan

Signatures (static and behavioral analyses)
Cobalt Strike reflective loader
Cobaltstrike family (tag: cobaltstrike)
Xmrig family (tag: xmrig)
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-01 00:33

Signatures

Cobalt Strike reflective loader
Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family (tag: cobaltstrike)

Detects Reflective DLL injection artifacts
Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)
Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload (tag: miner)
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family (tag: xmrig)

UPX packed file (tag: upx)
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-01 00:33
Reported 2024-06-01 00:36
Platform win7-20240508-en
Max time kernel 145s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike (tags: trojan backdoor cobaltstrike)

xmrig (tags: miner xmrig)

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (61 identical rows)

XMRig Miner payload (tag: miner)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file (tag: upx)

Description Indicator Process Target
N/A N/A N/A N/A (62 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\tklzRsk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nQzPIqA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rhDYGuW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hQGCgWK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RJdUaAr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OBMGifP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YQMiycg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aMGpopW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bsUXYey.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IeSKwia.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MxMnMkd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PeRMTfR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZrXDeda.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gRqaLDl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ELEumah.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bBbeTMe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JCdFTUu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\falZAkK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uKlQOeS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wGymNer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ttRxALo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Process (same for every row) C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe

Description Indicator Target
PID 2280 wrote to memory of 1712 N/A C:\Windows\System\MxMnMkd.exe (3 identical rows)
PID 2280 wrote to memory of 3020 N/A C:\Windows\System\hQGCgWK.exe (3 identical rows)
PID 2280 wrote to memory of 2684 N/A C:\Windows\System\ELEumah.exe (3 identical rows)
PID 2280 wrote to memory of 2712 N/A C:\Windows\System\RJdUaAr.exe (3 identical rows)
PID 2280 wrote to memory of 2648 N/A C:\Windows\System\PeRMTfR.exe (3 identical rows)
PID 2280 wrote to memory of 2768 N/A C:\Windows\System\ZrXDeda.exe (3 identical rows)
PID 2280 wrote to memory of 2604 N/A C:\Windows\System\OBMGifP.exe (3 identical rows)
PID 2280 wrote to memory of 2504 N/A C:\Windows\System\bBbeTMe.exe (3 identical rows)
PID 2280 wrote to memory of 2544 N/A C:\Windows\System\YQMiycg.exe (3 identical rows)
PID 2280 wrote to memory of 1504 N/A C:\Windows\System\gRqaLDl.exe (3 identical rows)
PID 2280 wrote to memory of 2552 N/A C:\Windows\System\aMGpopW.exe (3 identical rows)
PID 2280 wrote to memory of 2592 N/A C:\Windows\System\falZAkK.exe (3 identical rows)
PID 2280 wrote to memory of 1212 N/A C:\Windows\System\uKlQOeS.exe (3 identical rows)
PID 2280 wrote to memory of 1896 N/A C:\Windows\System\tklzRsk.exe (3 identical rows)
PID 2280 wrote to memory of 1008 N/A C:\Windows\System\bsUXYey.exe (3 identical rows)
PID 2280 wrote to memory of 2284 N/A C:\Windows\System\IeSKwia.exe (3 identical rows)
PID 2280 wrote to memory of 1660 N/A C:\Windows\System\nQzPIqA.exe (3 identical rows)
PID 2280 wrote to memory of 1668 N/A C:\Windows\System\rhDYGuW.exe (3 identical rows)
PID 2280 wrote to memory of 1356 N/A C:\Windows\System\wGymNer.exe (3 identical rows)
PID 2280 wrote to memory of 2036 N/A C:\Windows\System\ttRxALo.exe (3 identical rows)
PID 2280 wrote to memory of 2340 N/A C:\Windows\System\JCdFTUu.exe (3 identical rows)

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\MxMnMkd.exe C:\Windows\System\MxMnMkd.exe
C:\Windows\System\hQGCgWK.exe C:\Windows\System\hQGCgWK.exe
C:\Windows\System\ELEumah.exe C:\Windows\System\ELEumah.exe
C:\Windows\System\RJdUaAr.exe C:\Windows\System\RJdUaAr.exe
C:\Windows\System\PeRMTfR.exe C:\Windows\System\PeRMTfR.exe
C:\Windows\System\ZrXDeda.exe C:\Windows\System\ZrXDeda.exe
C:\Windows\System\OBMGifP.exe C:\Windows\System\OBMGifP.exe
C:\Windows\System\bBbeTMe.exe C:\Windows\System\bBbeTMe.exe
C:\Windows\System\YQMiycg.exe C:\Windows\System\YQMiycg.exe
C:\Windows\System\gRqaLDl.exe C:\Windows\System\gRqaLDl.exe
C:\Windows\System\aMGpopW.exe C:\Windows\System\aMGpopW.exe
C:\Windows\System\falZAkK.exe C:\Windows\System\falZAkK.exe
C:\Windows\System\uKlQOeS.exe C:\Windows\System\uKlQOeS.exe
C:\Windows\System\tklzRsk.exe C:\Windows\System\tklzRsk.exe
C:\Windows\System\bsUXYey.exe C:\Windows\System\bsUXYey.exe
C:\Windows\System\IeSKwia.exe C:\Windows\System\IeSKwia.exe
C:\Windows\System\nQzPIqA.exe C:\Windows\System\nQzPIqA.exe
C:\Windows\System\rhDYGuW.exe C:\Windows\System\rhDYGuW.exe
C:\Windows\System\wGymNer.exe C:\Windows\System\wGymNer.exe
C:\Windows\System\ttRxALo.exe C:\Windows\System\ttRxALo.exe
C:\Windows\System\JCdFTUu.exe C:\Windows\System\JCdFTUu.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp (6 identical rows)

Files

memory/2280-0-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2280-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\MxMnMkd.exe

MD5 e51c1f7602cd4f8138284d8ce27ece40
SHA1 f3a8c50eefa634e5dfdaa39a5cfd985f4ae02e77
SHA256 aeb6886cde43946b4252e0d03b106f2b07e8505a7e919e9951c0d90df91af95b
SHA512 b56bfc97bc923401b1f35731c3819f9930a3a99a4b3638bd2f58e72fa63220cdebeb9e12b8a33cc854346e88e6034485811009a4d52e0b0f4c68e4b0c8c7803e

memory/2280-6-0x0000000002230000-0x0000000002584000-memory.dmp

\Windows\system\hQGCgWK.exe

MD5 80cc0586d42dee5c150d84d6be9e2e15
SHA1 bb193abf320449000ff0c8aacbb85db4586c707f
SHA256 62e823eba6c803242bb21082b0d298bc7bbbb24a524400bbed5ae5215062facc
SHA512 8ce490ebdb0faf9b3a7705d9aee7b8a0be3a79be332b1375c4493cb99faa0a26a7d42d0ba7782cae396adcaad739b5be4cabec15ec82d4db9fd0f9522962d4f6

memory/1712-14-0x000000013F4C0000-0x000000013F814000-memory.dmp

\Windows\system\ELEumah.exe

MD5 44f76c6f86cfb0ac855a2733fa098a7f
SHA1 33c17a2a791582272bbd673333ff05636173c1bf
SHA256 4c243f98c7bd75808ad3710f7720a8971ff0e9e4508f64eb7cef1982cd5584bd
SHA512 1bec2fd0b763e93a5cf1cd266dc62a9b67a7fcd0110fa1d7d80c5ac35434e33ab777d2947f8185e3612c6dd65d6f77292c37e5f1abc33d5d38f2a64670422f68

memory/2280-23-0x000000013FB70000-0x000000013FEC4000-memory.dmp

\Windows\system\RJdUaAr.exe

MD5 193d1819287cb2df8f86b5a88b3ac258
SHA1 226508f0af65a7ea9b652d5dfed9ee6a8351631d
SHA256 711e439f966860ca56163ed84ea50a76a834ed90ab4e5bb5fa2fa8b33bf43c83
SHA512 38d37ed5b2a69354b8393aaea76689841b8ee39725f1450ede873ff7b0e544dce3fb628518780f89e0365b2dd2a8884ffdee2c4b88e62d59b5c8f4b67822f35a

memory/2280-15-0x0000000002230000-0x0000000002584000-memory.dmp

memory/3020-19-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2648-35-0x000000013F200000-0x000000013F554000-memory.dmp

memory/2684-34-0x000000013FB70000-0x000000013FEC4000-memory.dmp

C:\Windows\system\PeRMTfR.exe

MD5 e9e53ae8877635d8e1041ed7a3e1d334
SHA1 6c8ffd7f2f6c492efe19893206be4f530301d2c1
SHA256 454b8322ef07e14e57f6311795117d1e685baac76a42156b169285a3904e38a6
SHA512 a94ba96b24e777f5e19b8accdf4abc31d89f927b38eac4f6e639bd2369f5d3cf0550e10f8a65fc20a7eb20110cd09f7c10e846c3da108b2dda8244e4a45c43ba

memory/2712-31-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2280-29-0x0000000002230000-0x0000000002584000-memory.dmp

memory/2280-26-0x0000000002230000-0x0000000002584000-memory.dmp

memory/2280-41-0x0000000002230000-0x0000000002584000-memory.dmp

memory/2768-42-0x000000013F540000-0x000000013F894000-memory.dmp

C:\Windows\system\ZrXDeda.exe

MD5 47a43b001f305ec13f90627fa0ae0f90
SHA1 f7373e3e2c3b7fa488eca9893b5baf840416f951
SHA256 b2220ab0db2ca5c8f0a2beab049aeff2b15f8385dce51a111bc9f3d0fff03910
SHA512 06183ce0dcb183ea22905d845b4efc23a70605f121c97701cc92e0252144b89513fd95d06c08112c5291b43c76cc688ce5bc97b31d4e609e731b593ee371d977

\Windows\system\OBMGifP.exe

MD5 97bed9808781c87c0126f7f556fbfc22
SHA1 bb7ec2d86e70a67877a3df434b9bf72215fb45c3
SHA256 c2b40434192ab38b8c17afbb4b7d7e8c55035c2a2ce0bb7bd7ed56f8de54a588
SHA512 c651d964264e148f141b21d661c7dc75689874e786e493faabca41ffbc00b9441db5bfce53b3def323e70f8a7284d67b456caa29a7eb54f457d7c8ebf40dce46

C:\Windows\system\bBbeTMe.exe

MD5 490af6a6583b8f863b5f60abeba39f7f
SHA1 58222ae5563945f3ea795b9564b7a1ad6a9e686c
SHA256 f37be5d4ae9d8275e0b902d16f0c581e55208b9ed2af070d6766c9547ff09389
SHA512 9dc24aca0fdc70eb4b8108b7fa9b8c3f8da5f2c7d659e8e32f0a72327a798bd915bbf71b5fe8f6ef4371ddeb08e4d3b015e073d3b5990860a9ecc656d8e40606

memory/2280-53-0x0000000002230000-0x0000000002584000-memory.dmp

memory/2280-60-0x0000000002230000-0x0000000002584000-memory.dmp

memory/2604-59-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/1712-56-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/2504-55-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/2280-48-0x000000013F310000-0x000000013F664000-memory.dmp

C:\Windows\system\YQMiycg.exe

MD5 102c970e52e5e276b235cb8f31c07987
SHA1 b1911d932c3afb90e8b40f7234b33fbf445eeae2
SHA256 c78d90b54143077e5554ab01248f4747eb1f8c09a1b0dcf7f264e1b774d39062
SHA512 c3ed0bff7040f60b98d3a679e8e1539de71569ce5bbe54e5139f041a2a1d4f21a5f70a70b21b64c61cc070617f313f0034c599cd90c7bca800ac6033b69f4418

C:\Windows\system\gRqaLDl.exe

MD5 6cbe5398ca6e8fe48150c86f72969d4a
SHA1 6fa99b3085cee8b86ec42ad57002a7a82b9656bc
SHA256 c87c91b23f9f28d7fc0e28353ba5605cdd35b1976422d1de791a9e02690caa81
SHA512 8a71deb44f4e0e52b1b6766405adcfc2c0f7db61c4bde24177cb48b510d6b7aa25a90ac752113346ecf7ce8ead004a9706283b789070b955424519607093e3db

memory/1504-75-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/2280-74-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/2544-68-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2280-66-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2712-65-0x000000013F0C0000-0x000000013F414000-memory.dmp

C:\Windows\system\aMGpopW.exe

MD5 36800d103bd490197653af58a1f1df6c
SHA1 bbd280f54b7bb5595344c16dd626b20395fd2c7c
SHA256 3395bb15aacccbb9e08b5350dba9ebc34f2dd113c782c5d6d9c126126e7ee0dc
SHA512 d8d04717d87e92417c5a7fd6b449c62d26f93086b2ce85713342f9b657ee009ce7fc8e3b1a2c6fe9c5c59e7a6bdcda9a58e3194eac3d6597e76bcec9332454c2

memory/2768-87-0x000000013F540000-0x000000013F894000-memory.dmp

memory/2592-89-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/1212-96-0x000000013FD90000-0x00000001400E4000-memory.dmp

C:\Windows\system\rhDYGuW.exe

MD5 8b931546ea21a11db1291b5b91c1a714
SHA1 e5d3147cdf711971ebfeb370f0f8898f1a43d73b
SHA256 b5501cad731980f1be60211697df43e1d6a671b731afae1c12dbdbd59f44cc74
SHA512 db2b97a71c2b454f3deef7c0bdb2c04586199e1874b961ac1e1ca20c63fca0fde5d96f22f3ada2e36be8738e8e98acb95b69456011ca4d23683951b9b222c64c

C:\Windows\system\wGymNer.exe

MD5 c9765e2899d0ab19a5faeec7f1d2fe6f
SHA1 2833bb547d13846152f780b2a29b71aeeb43a348
SHA256 a09c1980237d93c46e2292f0cd67569eb08cd085c0a7d324a2dd52f397e5faa5
SHA512 2ae66b9096b8b2b6e6f8379cb099bc9f49c83e02bb678f377f84d9fe40dfa119479d95495c7e70560bf794304e383c882198c4c06e1cdc23cb4127d686e00e75

C:\Windows\system\ttRxALo.exe

MD5 26643ff96735857bdbb799790102fc6a
SHA1 b0bb85c37d5a3be50393045eacbd5bea5ff5054d
SHA256 3d5acf340648e67c7d8997ff93d0c5171d746142798bf6eefbe104a784fba43f
SHA512 e18682ff7e2c8bb30fd46decf3048eee0197a4d93f5b14793d8846b6823c5c2e58df90a652ce1954836fb81a9ad7a70b5beff9f74e3311bf39a84df53d4eb49c

\Windows\system\JCdFTUu.exe

MD5 bace3866ec155abed5077ad4f79c5002
SHA1 119da7dae18e6858d6ae38bc252eb5520434cc02
SHA256 efe3114007136142ad9fea90fa796392001a9eb7c058d785a4ac912919fa11d5
SHA512 380aca86370fbb01820cd682bc1f4c45c2f281799a780ef24e37bffea917a7be56224402d4b04705b66f80d785e445fc81248fc76168e1311a20e1ece553adc8

C:\Windows\system\nQzPIqA.exe

MD5 67cfd0eab4f669aaad85a64fbb970c51
SHA1 7f460392fd2477957426ebef714cede4c1116a7d
SHA256 511b03e6690c210e17ea258d6921ae78bed4f0b798159e853b902fd85cee62c7
SHA512 c6e7e0335615b8d169092535453906233343a3d0660aab8f5b91afeef4e93d113262c25bffb7f179fb881d1a450ea11dbc36b81a82d699b4d96c34d1ead3f35a

memory/2280-109-0x0000000002230000-0x0000000002584000-memory.dmp

C:\Windows\system\bsUXYey.exe

MD5 3677208bdf51189d7221e7ef48e33bbe
SHA1 4669a560c53de92e23256584fec6e32d9648c585
SHA256 a0c9ace358166fb697724fd636fe640a2958f43b485c9366a10acf9b88dd62da
SHA512 b2abcdd4c752bc86e5c61be4a43d0be0487e99e22fd1261f40568ad0663b2197d225ac6aa2d116967cd3ee629808839ebf7c96cc1738cef421cbe1fb0dc3ac79

C:\Windows\system\IeSKwia.exe

MD5 59695fcda41cccec8f234442fd88aa4d
SHA1 03b280e55dca39ad3fe90a0ac78572846c1ba951
SHA256 8c44c8390ab1a905e593c841ebe1278ff71a2f3e5c678b5efde9980f281cac17
SHA512 0af1dfc8021f96ae57544bab333c07c095126cf3c076950c079634cdd39f023597646fc8b95d49e2d815f1062a804deb5276cf6fd3e7a0dc901f3e0a2ad8ca06

memory/1896-102-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2280-101-0x000000013F730000-0x000000013FA84000-memory.dmp

C:\Windows\system\tklzRsk.exe

MD5 77dea11faade6994d388a245215969f8
SHA1 2eda401266b705589f1763c42f1b5c71469b25c4
SHA256 b6a51b5afd495e14c133677728a7da5a27b7c583ded8963ce1354b2ce6b3237e
SHA512 921770e760f4ebea6a1f5f166c1f0d99abf39e042607ec47fa3a63d3b2121f62a0414d3de384299b0b449b1efb0232ed68ee1e13d0d602e0523c9a562c05c933

C:\Windows\system\uKlQOeS.exe

MD5 f00b056b1c8005a5698468c907b86da1
SHA1 23715e4f8d351356a3607d5bf890854a45fa77f3
SHA256 95941287055834986072ec863898b0e17797cf9f81e413b431b784f4d97c360e
SHA512 910cd2f9ddeb1d9e5896804c3ba1720a59c534ff28f75fd2c072b706a5f89e6b1e1cbcf41cc719a4651cc29c872e9fcb66ecaef883b1a69871732d9731fa832f

memory/2552-81-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2280-80-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2280-88-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2648-86-0x000000013F200000-0x000000013F554000-memory.dmp

C:\Windows\system\falZAkK.exe

MD5 8f4ad9c64522a94bd4d7637657ddf53b
SHA1 4af1e5f5ccdc2a9a692aecddf5b3575f21460973
SHA256 ead5aa7d4d7c9cfbb8ba672a37924328d8a22ee2bd024f6ee3c026b1c059304e
SHA512 5e412c3cb54898dd7772151865bfe08cc805930383d4decef76a5a9df1f02747537ec1c389d0203bdda89fcebfc6e4536aaea3ecb6f7c9f5e9dfb4af4c839b56

memory/2280-140-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2544-141-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2280-142-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/2552-143-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2280-144-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2592-145-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2280-146-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/1212-147-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/1896-148-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2280-149-0x0000000002230000-0x0000000002584000-memory.dmp

memory/1712-150-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/3020-151-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2684-152-0x000000013FB70000-0x000000013FEC4000-memory.dmp

memory/2712-153-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2648-154-0x000000013F200000-0x000000013F554000-memory.dmp

memory/2768-155-0x000000013F540000-0x000000013F894000-memory.dmp

memory/2504-156-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/2604-157-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/2544-158-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/1504-159-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/2552-160-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2592-161-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/1212-163-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/1896-162-0x000000013F730000-0x000000013FA84000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 00:33

Reported

2024-06-01 00:36

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 matches recorded; the report gives no description, indicator, process or target for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 matches recorded; the report gives no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 matches recorded; the report gives no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 matches recorded; the report gives no description, indicator, process or target for any of them)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 matches recorded; the report gives no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\PeRMTfR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ttRxALo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YQMiycg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gRqaLDl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\falZAkK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IeSKwia.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nQzPIqA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uKlQOeS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bsUXYey.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JCdFTUu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hQGCgWK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ELEumah.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RJdUaAr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bBbeTMe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aMGpopW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wGymNer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MxMnMkd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZrXDeda.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OBMGifP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tklzRsk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rhDYGuW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2720 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\MxMnMkd.exe
PID 2720 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\MxMnMkd.exe
PID 2720 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\hQGCgWK.exe
PID 2720 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\hQGCgWK.exe
PID 2720 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ELEumah.exe
PID 2720 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ELEumah.exe
PID 2720 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\RJdUaAr.exe
PID 2720 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\RJdUaAr.exe
PID 2720 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\PeRMTfR.exe
PID 2720 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\PeRMTfR.exe
PID 2720 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZrXDeda.exe
PID 2720 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZrXDeda.exe
PID 2720 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\OBMGifP.exe
PID 2720 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\OBMGifP.exe
PID 2720 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\bBbeTMe.exe
PID 2720 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\bBbeTMe.exe
PID 2720 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\YQMiycg.exe
PID 2720 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\YQMiycg.exe
PID 2720 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\gRqaLDl.exe
PID 2720 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\gRqaLDl.exe
PID 2720 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\aMGpopW.exe
PID 2720 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\aMGpopW.exe
PID 2720 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\falZAkK.exe
PID 2720 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\falZAkK.exe
PID 2720 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\uKlQOeS.exe
PID 2720 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\uKlQOeS.exe
PID 2720 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\tklzRsk.exe
PID 2720 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\tklzRsk.exe
PID 2720 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\bsUXYey.exe
PID 2720 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\bsUXYey.exe
PID 2720 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\IeSKwia.exe
PID 2720 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\IeSKwia.exe
PID 2720 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\nQzPIqA.exe
PID 2720 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\nQzPIqA.exe
PID 2720 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\rhDYGuW.exe
PID 2720 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\rhDYGuW.exe
PID 2720 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\wGymNer.exe
PID 2720 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\wGymNer.exe
PID 2720 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ttRxALo.exe
PID 2720 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ttRxALo.exe
PID 2720 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\JCdFTUu.exe
PID 2720 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe C:\Windows\System\JCdFTUu.exe
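Worked check, added here and not part of the sandbox report: the script below parses rows in the exact shape of the two tables above (a six-process subset, rebuilt inline from names and PIDs copied from the page) and confirms that every file the sample created under C:\Windows\System is also a target of its WriteProcessMemory calls, that the only writing PID is 2720, and that the report logs two write events per child. One caveat to keep in mind when reading this signature: the parent of a newly created process writes into the child's address space as part of CreateProcess itself, so "Suspicious use of WriteProcessMemory" also fires on ordinary child launches; on its own it shows that the dropper started each dropped file, not that it injected code into it. The function names and the CHILDREN subset are this example's own choices.

```python
"""Correlate the 'Drops file in Windows directory' table with the
'Suspicious use of WriteProcessMemory' table of the behavioral2 run.

Added example; not part of the sandbox report.  The rows are rebuilt from a
six-process subset of the report's own tables (names and PIDs copied from
the page) so the script runs offline.
"""
import re

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe")

# (dropped image name, child PID) pairs taken from the two tables above.
CHILDREN = [("MxMnMkd", 3048), ("hQGCgWK", 3480), ("ELEumah", 2592),
            ("PeRMTfR", 3268), ("ttRxALo", 4888), ("JCdFTUu", 4076)]

# Rows in the exact shape the report prints them.
DROP_ROWS = "\n".join(
    r"File created C:\Windows\System\{}.exe {} N/A".format(name, PARENT)
    for name, _pid in CHILDREN)

# The report logs two write events per child; reproduce that here.
WPM_ROWS = "\n".join(
    r"PID 2720 wrote to memory of {} N/A {} C:\Windows\System\{}.exe".format(pid, PARENT, name)
    for name, pid in CHILDREN for _ in range(2))

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_drops(text):
    """Map each created file (lower-cased path) to the process that created it."""
    drops = {}
    for line in text.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            drops[m.group(1).lower()] = m.group(2).lower()
    return drops


def parse_writes(text):
    """Map each written-to image to its parent PID, child PID, writing image and event count."""
    writes = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        source, target = m.group(3).lower(), m.group(4).lower()
        rec = writes.setdefault(target, {"parent": parent, "child": child,
                                         "source": source, "writes": 0})
        if (rec["parent"], rec["child"]) != (parent, child):
            raise ValueError(f"{target} is written by more than one parent/child pair")
        rec["writes"] += 1
    return writes


def correlate(drops, writes):
    """Set arithmetic over the two tables: what was dropped, what was written to, by whom."""
    dropped, written = set(drops), set(writes)
    both = dropped & written
    return {
        "parents": {w["parent"] for w in writes.values()},
        "dropped_and_written": both,
        "dropped_only": dropped - written,
        "written_only": written - dropped,
        "writes_per_child": {w["child"]: w["writes"] for w in writes.values()},
        # True when the image that created each file is also the image that wrote to it.
        "dropper_is_writer": all(drops[p] == writes[p]["source"] for p in both),
    }


if __name__ == "__main__":
    summary = correlate(parse_drops(DROP_ROWS), parse_writes(WPM_ROWS))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the full 21-row tables the result is the same: the dropped set and the written set coincide, and 2720 is the only parent.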

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2f3f05a922703504474d9c9623bf74b7_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\MxMnMkd.exe

C:\Windows\System\MxMnMkd.exe

C:\Windows\System\hQGCgWK.exe

C:\Windows\System\hQGCgWK.exe

C:\Windows\System\ELEumah.exe

C:\Windows\System\ELEumah.exe

C:\Windows\System\RJdUaAr.exe

C:\Windows\System\RJdUaAr.exe

C:\Windows\System\PeRMTfR.exe

C:\Windows\System\PeRMTfR.exe

C:\Windows\System\ZrXDeda.exe

C:\Windows\System\ZrXDeda.exe

C:\Windows\System\OBMGifP.exe

C:\Windows\System\OBMGifP.exe

C:\Windows\System\bBbeTMe.exe

C:\Windows\System\bBbeTMe.exe

C:\Windows\System\YQMiycg.exe

C:\Windows\System\YQMiycg.exe

C:\Windows\System\gRqaLDl.exe

C:\Windows\System\gRqaLDl.exe

C:\Windows\System\aMGpopW.exe

C:\Windows\System\aMGpopW.exe

C:\Windows\System\falZAkK.exe

C:\Windows\System\falZAkK.exe

C:\Windows\System\uKlQOeS.exe

C:\Windows\System\uKlQOeS.exe

C:\Windows\System\tklzRsk.exe

C:\Windows\System\tklzRsk.exe

C:\Windows\System\bsUXYey.exe

C:\Windows\System\bsUXYey.exe

C:\Windows\System\IeSKwia.exe

C:\Windows\System\IeSKwia.exe

C:\Windows\System\nQzPIqA.exe

C:\Windows\System\nQzPIqA.exe

C:\Windows\System\rhDYGuW.exe

C:\Windows\System\rhDYGuW.exe

C:\Windows\System\wGymNer.exe

C:\Windows\System\wGymNer.exe

C:\Windows\System\ttRxALo.exe

C:\Windows\System\ttRxALo.exe

C:\Windows\System\JCdFTUu.exe

C:\Windows\System\JCdFTUu.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
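Added example, not part of the sandbox report: the script below reads a six-row excerpt of the Network table above and splits it into two piles. The table has no process column, so nothing in it is attributed to a PID, but the UDP/53 rows to 8.8.8.8 are PTR (in-addr.arpa) queries of the kind a Windows guest issues for its own background connections, and they should not be copied into blocklists as indicators of this sample; the script turns each one back into the address that was looked up so it can be recognised. The one destination worth hunting for is 3.120.209.58:8080 over TCP, which appears six times in the full table; the report does not say what was exchanged with it, so the script only counts it. ptr_to_ip() and the other names are this example's own.

```python
"""Split the behavioral2 Network table into resolver noise and real egress.

Added example; not part of the sandbox report.  NETWORK_ROWS is a six-row
excerpt copied from the table above; ptr_to_ip() is this example's own helper.
"""
import re
from collections import Counter

NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.IGNORECASE)


def ptr_to_ip(name):
    """'232.168.11.51.in-addr.arpa' -> '51.11.168.232'; None if not a PTR name."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def parse_rows(text):
    """Parse the flattened table; the Domain column is empty on plain TCP rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4) or ":" not in parts[1]:
            continue  # blank line or the header row
        ip, _, port = parts[1].rpartition(":")
        rows.append({"country": parts[0], "ip": ip, "port": int(port),
                     "domain": parts[2] if len(parts) == 4 else "",
                     "proto": parts[-1].lower()})
    return rows


def triage(rows, resolvers=("8.8.8.8",)):
    """Separate DNS traffic to the guest's resolver from everything else.

    PTR queries are turned back into the address that was looked up; all
    other rows are counted per (ip, port, proto) as candidate egress.
    """
    ptr_targets, egress = [], Counter()
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp" and r["ip"] in resolvers:
            looked_up = ptr_to_ip(r["domain"])
            ptr_targets.append(looked_up if looked_up else r["domain"])
        else:
            egress[(r["ip"], r["port"], r["proto"])] += 1
    return {"ptr_targets": ptr_targets, "egress": egress}


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    print("reverse lookups of:", ", ".join(result["ptr_targets"]))
    for (ip, port, proto), n in result["egress"].most_common():
        print(f"egress {ip}:{port}/{proto} x{n}")
```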

Files

memory/2720-0-0x00007FF626550000-0x00007FF6268A4000-memory.dmp

memory/2720-1-0x000001EADF530000-0x000001EADF540000-memory.dmp

C:\Windows\System\MxMnMkd.exe

MD5 e51c1f7602cd4f8138284d8ce27ece40
SHA1 f3a8c50eefa634e5dfdaa39a5cfd985f4ae02e77
SHA256 aeb6886cde43946b4252e0d03b106f2b07e8505a7e919e9951c0d90df91af95b
SHA512 b56bfc97bc923401b1f35731c3819f9930a3a99a4b3638bd2f58e72fa63220cdebeb9e12b8a33cc854346e88e6034485811009a4d52e0b0f4c68e4b0c8c7803e

memory/3048-7-0x00007FF6BE790000-0x00007FF6BEAE4000-memory.dmp

C:\Windows\System\hQGCgWK.exe

MD5 80cc0586d42dee5c150d84d6be9e2e15
SHA1 bb193abf320449000ff0c8aacbb85db4586c707f
SHA256 62e823eba6c803242bb21082b0d298bc7bbbb24a524400bbed5ae5215062facc
SHA512 8ce490ebdb0faf9b3a7705d9aee7b8a0be3a79be332b1375c4493cb99faa0a26a7d42d0ba7782cae396adcaad739b5be4cabec15ec82d4db9fd0f9522962d4f6

memory/3480-14-0x00007FF639A90000-0x00007FF639DE4000-memory.dmp

C:\Windows\System\ELEumah.exe

MD5 44f76c6f86cfb0ac855a2733fa098a7f
SHA1 33c17a2a791582272bbd673333ff05636173c1bf
SHA256 4c243f98c7bd75808ad3710f7720a8971ff0e9e4508f64eb7cef1982cd5584bd
SHA512 1bec2fd0b763e93a5cf1cd266dc62a9b67a7fcd0110fa1d7d80c5ac35434e33ab777d2947f8185e3612c6dd65d6f77292c37e5f1abc33d5d38f2a64670422f68

C:\Windows\System\RJdUaAr.exe

MD5 193d1819287cb2df8f86b5a88b3ac258
SHA1 226508f0af65a7ea9b652d5dfed9ee6a8351631d
SHA256 711e439f966860ca56163ed84ea50a76a834ed90ab4e5bb5fa2fa8b33bf43c83
SHA512 38d37ed5b2a69354b8393aaea76689841b8ee39725f1450ede873ff7b0e544dce3fb628518780f89e0365b2dd2a8884ffdee2c4b88e62d59b5c8f4b67822f35a

memory/1040-24-0x00007FF7FCCD0000-0x00007FF7FD024000-memory.dmp

memory/2592-22-0x00007FF63CE30000-0x00007FF63D184000-memory.dmp

C:\Windows\System\PeRMTfR.exe

MD5 e9e53ae8877635d8e1041ed7a3e1d334
SHA1 6c8ffd7f2f6c492efe19893206be4f530301d2c1
SHA256 454b8322ef07e14e57f6311795117d1e685baac76a42156b169285a3904e38a6
SHA512 a94ba96b24e777f5e19b8accdf4abc31d89f927b38eac4f6e639bd2369f5d3cf0550e10f8a65fc20a7eb20110cd09f7c10e846c3da108b2dda8244e4a45c43ba

C:\Windows\System\ZrXDeda.exe

MD5 47a43b001f305ec13f90627fa0ae0f90
SHA1 f7373e3e2c3b7fa488eca9893b5baf840416f951
SHA256 b2220ab0db2ca5c8f0a2beab049aeff2b15f8385dce51a111bc9f3d0fff03910
SHA512 06183ce0dcb183ea22905d845b4efc23a70605f121c97701cc92e0252144b89513fd95d06c08112c5291b43c76cc688ce5bc97b31d4e609e731b593ee371d977

C:\Windows\System\OBMGifP.exe

MD5 97bed9808781c87c0126f7f556fbfc22
SHA1 bb7ec2d86e70a67877a3df434b9bf72215fb45c3
SHA256 c2b40434192ab38b8c17afbb4b7d7e8c55035c2a2ce0bb7bd7ed56f8de54a588
SHA512 c651d964264e148f141b21d661c7dc75689874e786e493faabca41ffbc00b9441db5bfce53b3def323e70f8a7284d67b456caa29a7eb54f457d7c8ebf40dce46

memory/1460-47-0x00007FF6946F0000-0x00007FF694A44000-memory.dmp

C:\Windows\System\gRqaLDl.exe

MD5 6cbe5398ca6e8fe48150c86f72969d4a
SHA1 6fa99b3085cee8b86ec42ad57002a7a82b9656bc
SHA256 c87c91b23f9f28d7fc0e28353ba5605cdd35b1976422d1de791a9e02690caa81
SHA512 8a71deb44f4e0e52b1b6766405adcfc2c0f7db61c4bde24177cb48b510d6b7aa25a90ac752113346ecf7ce8ead004a9706283b789070b955424519607093e3db

C:\Windows\System\aMGpopW.exe

MD5 36800d103bd490197653af58a1f1df6c
SHA1 bbd280f54b7bb5595344c16dd626b20395fd2c7c
SHA256 3395bb15aacccbb9e08b5350dba9ebc34f2dd113c782c5d6d9c126126e7ee0dc
SHA512 d8d04717d87e92417c5a7fd6b449c62d26f93086b2ce85713342f9b657ee009ce7fc8e3b1a2c6fe9c5c59e7a6bdcda9a58e3194eac3d6597e76bcec9332454c2

C:\Windows\System\uKlQOeS.exe

MD5 f00b056b1c8005a5698468c907b86da1
SHA1 23715e4f8d351356a3607d5bf890854a45fa77f3
SHA256 95941287055834986072ec863898b0e17797cf9f81e413b431b784f4d97c360e
SHA512 910cd2f9ddeb1d9e5896804c3ba1720a59c534ff28f75fd2c072b706a5f89e6b1e1cbcf41cc719a4651cc29c872e9fcb66ecaef883b1a69871732d9731fa832f

memory/5064-75-0x00007FF7345F0000-0x00007FF734944000-memory.dmp

C:\Windows\System\IeSKwia.exe

MD5 59695fcda41cccec8f234442fd88aa4d
SHA1 03b280e55dca39ad3fe90a0ac78572846c1ba951
SHA256 8c44c8390ab1a905e593c841ebe1278ff71a2f3e5c678b5efde9980f281cac17
SHA512 0af1dfc8021f96ae57544bab333c07c095126cf3c076950c079634cdd39f023597646fc8b95d49e2d815f1062a804deb5276cf6fd3e7a0dc901f3e0a2ad8ca06

C:\Windows\System\wGymNer.exe

MD5 c9765e2899d0ab19a5faeec7f1d2fe6f
SHA1 2833bb547d13846152f780b2a29b71aeeb43a348
SHA256 a09c1980237d93c46e2292f0cd67569eb08cd085c0a7d324a2dd52f397e5faa5
SHA512 2ae66b9096b8b2b6e6f8379cb099bc9f49c83e02bb678f377f84d9fe40dfa119479d95495c7e70560bf794304e383c882198c4c06e1cdc23cb4127d686e00e75

C:\Windows\System\JCdFTUu.exe

MD5 bace3866ec155abed5077ad4f79c5002
SHA1 119da7dae18e6858d6ae38bc252eb5520434cc02
SHA256 efe3114007136142ad9fea90fa796392001a9eb7c058d785a4ac912919fa11d5
SHA512 380aca86370fbb01820cd682bc1f4c45c2f281799a780ef24e37bffea917a7be56224402d4b04705b66f80d785e445fc81248fc76168e1311a20e1ece553adc8

C:\Windows\System\ttRxALo.exe

MD5 26643ff96735857bdbb799790102fc6a
SHA1 b0bb85c37d5a3be50393045eacbd5bea5ff5054d
SHA256 3d5acf340648e67c7d8997ff93d0c5171d746142798bf6eefbe104a784fba43f
SHA512 e18682ff7e2c8bb30fd46decf3048eee0197a4d93f5b14793d8846b6823c5c2e58df90a652ce1954836fb81a9ad7a70b5beff9f74e3311bf39a84df53d4eb49c

C:\Windows\System\rhDYGuW.exe

MD5 8b931546ea21a11db1291b5b91c1a714
SHA1 e5d3147cdf711971ebfeb370f0f8898f1a43d73b
SHA256 b5501cad731980f1be60211697df43e1d6a671b731afae1c12dbdbd59f44cc74
SHA512 db2b97a71c2b454f3deef7c0bdb2c04586199e1874b961ac1e1ca20c63fca0fde5d96f22f3ada2e36be8738e8e98acb95b69456011ca4d23683951b9b222c64c

C:\Windows\System\nQzPIqA.exe

MD5 67cfd0eab4f669aaad85a64fbb970c51
SHA1 7f460392fd2477957426ebef714cede4c1116a7d
SHA256 511b03e6690c210e17ea258d6921ae78bed4f0b798159e853b902fd85cee62c7
SHA512 c6e7e0335615b8d169092535453906233343a3d0660aab8f5b91afeef4e93d113262c25bffb7f179fb881d1a450ea11dbc36b81a82d699b4d96c34d1ead3f35a

C:\Windows\System\bsUXYey.exe

MD5 3677208bdf51189d7221e7ef48e33bbe
SHA1 4669a560c53de92e23256584fec6e32d9648c585
SHA256 a0c9ace358166fb697724fd636fe640a2958f43b485c9366a10acf9b88dd62da
SHA512 b2abcdd4c752bc86e5c61be4a43d0be0487e99e22fd1261f40568ad0663b2197d225ac6aa2d116967cd3ee629808839ebf7c96cc1738cef421cbe1fb0dc3ac79

C:\Windows\System\tklzRsk.exe

MD5 77dea11faade6994d388a245215969f8
SHA1 2eda401266b705589f1763c42f1b5c71469b25c4
SHA256 b6a51b5afd495e14c133677728a7da5a27b7c583ded8963ce1354b2ce6b3237e
SHA512 921770e760f4ebea6a1f5f166c1f0d99abf39e042607ec47fa3a63d3b2121f62a0414d3de384299b0b449b1efb0232ed68ee1e13d0d602e0523c9a562c05c933

memory/4048-80-0x00007FF701910000-0x00007FF701C64000-memory.dmp

memory/1696-79-0x00007FF722340000-0x00007FF722694000-memory.dmp

memory/5108-78-0x00007FF651A90000-0x00007FF651DE4000-memory.dmp

C:\Windows\System\falZAkK.exe

MD5 8f4ad9c64522a94bd4d7637657ddf53b
SHA1 4af1e5f5ccdc2a9a692aecddf5b3575f21460973
SHA256 ead5aa7d4d7c9cfbb8ba672a37924328d8a22ee2bd024f6ee3c026b1c059304e
SHA512 5e412c3cb54898dd7772151865bfe08cc805930383d4decef76a5a9df1f02747537ec1c389d0203bdda89fcebfc6e4536aaea3ecb6f7c9f5e9dfb4af4c839b56

memory/4468-72-0x00007FF69F380000-0x00007FF69F6D4000-memory.dmp

C:\Windows\System\YQMiycg.exe

MD5 102c970e52e5e276b235cb8f31c07987
SHA1 b1911d932c3afb90e8b40f7234b33fbf445eeae2
SHA256 c78d90b54143077e5554ab01248f4747eb1f8c09a1b0dcf7f264e1b774d39062
SHA512 c3ed0bff7040f60b98d3a679e8e1539de71569ce5bbe54e5139f041a2a1d4f21a5f70a70b21b64c61cc070617f313f0034c599cd90c7bca800ac6033b69f4418

C:\Windows\System\bBbeTMe.exe

MD5 490af6a6583b8f863b5f60abeba39f7f
SHA1 58222ae5563945f3ea795b9564b7a1ad6a9e686c
SHA256 f37be5d4ae9d8275e0b902d16f0c581e55208b9ed2af070d6766c9547ff09389
SHA512 9dc24aca0fdc70eb4b8108b7fa9b8c3f8da5f2c7d659e8e32f0a72327a798bd915bbf71b5fe8f6ef4371ddeb08e4d3b015e073d3b5990860a9ecc656d8e40606

memory/828-48-0x00007FF725E90000-0x00007FF7261E4000-memory.dmp

memory/3052-43-0x00007FF6E3380000-0x00007FF6E36D4000-memory.dmp

memory/3268-31-0x00007FF610040000-0x00007FF610394000-memory.dmp

memory/4748-120-0x00007FF6A4F50000-0x00007FF6A52A4000-memory.dmp

memory/3472-122-0x00007FF7E5760000-0x00007FF7E5AB4000-memory.dmp

memory/4928-121-0x00007FF6C3350000-0x00007FF6C36A4000-memory.dmp

memory/5036-124-0x00007FF669EE0000-0x00007FF66A234000-memory.dmp

memory/2212-125-0x00007FF6FC660000-0x00007FF6FC9B4000-memory.dmp

memory/3544-123-0x00007FF622900000-0x00007FF622C54000-memory.dmp

memory/4888-126-0x00007FF7A3EE0000-0x00007FF7A4234000-memory.dmp

memory/4076-127-0x00007FF73A0D0000-0x00007FF73A424000-memory.dmp

memory/2720-128-0x00007FF626550000-0x00007FF6268A4000-memory.dmp

memory/3048-129-0x00007FF6BE790000-0x00007FF6BEAE4000-memory.dmp

memory/3480-130-0x00007FF639A90000-0x00007FF639DE4000-memory.dmp

memory/1040-131-0x00007FF7FCCD0000-0x00007FF7FD024000-memory.dmp

memory/3268-132-0x00007FF610040000-0x00007FF610394000-memory.dmp

memory/828-133-0x00007FF725E90000-0x00007FF7261E4000-memory.dmp

memory/3048-134-0x00007FF6BE790000-0x00007FF6BEAE4000-memory.dmp

memory/3480-135-0x00007FF639A90000-0x00007FF639DE4000-memory.dmp

memory/2592-136-0x00007FF63CE30000-0x00007FF63D184000-memory.dmp

memory/1040-137-0x00007FF7FCCD0000-0x00007FF7FD024000-memory.dmp

memory/3052-138-0x00007FF6E3380000-0x00007FF6E36D4000-memory.dmp

memory/3268-139-0x00007FF610040000-0x00007FF610394000-memory.dmp

memory/1460-140-0x00007FF6946F0000-0x00007FF694A44000-memory.dmp

memory/828-141-0x00007FF725E90000-0x00007FF7261E4000-memory.dmp

memory/4468-142-0x00007FF69F380000-0x00007FF69F6D4000-memory.dmp

memory/5064-143-0x00007FF7345F0000-0x00007FF734944000-memory.dmp

memory/5108-144-0x00007FF651A90000-0x00007FF651DE4000-memory.dmp

memory/1696-145-0x00007FF722340000-0x00007FF722694000-memory.dmp

memory/4048-146-0x00007FF701910000-0x00007FF701C64000-memory.dmp

memory/4748-147-0x00007FF6A4F50000-0x00007FF6A52A4000-memory.dmp

memory/4928-148-0x00007FF6C3350000-0x00007FF6C36A4000-memory.dmp

memory/3472-149-0x00007FF7E5760000-0x00007FF7E5AB4000-memory.dmp

memory/3544-150-0x00007FF622900000-0x00007FF622C54000-memory.dmp

memory/5036-151-0x00007FF669EE0000-0x00007FF66A234000-memory.dmp

memory/2212-152-0x00007FF6FC660000-0x00007FF6FC9B4000-memory.dmp

memory/4076-153-0x00007FF73A0D0000-0x00007FF73A424000-memory.dmp

memory/4888-154-0x00007FF7A3EE0000-0x00007FF7A4234000-memory.dmp
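Added example, not part of the sandbox report: two facts the Files lists of behavioral1 and behavioral2 support but do not state. First, every memory/... region the sandbox dumped, in both runs, has the same size, 0x354000 bytes (about 3.3 MiB), with the single exception of memory/2720-1 (0x10000 bytes); the dropped files therefore map to one image size even though each of the 21 dropped names has its own file hash within a run. Second, every dropped file that appears in both Files lists within this section (eleven names, aMGpopW.exe through falZAkK.exe) has an identical SHA256 in both runs, so the dropped-file hashes are stable indicators for this build. The script parses a short excerpt of each list (copied from above, MD5/SHA1/SHA512 lines left out), computes the region sizes and finds the names whose digests agree across runs; the function names are this example's own.

```python
"""Two checks over the Files lists of behavioral1 and behavioral2.

Added example; not part of the sandbox report.  RUN1_FILES and RUN2_FILES are
short excerpts copied from the two Files sections (MD5/SHA1/SHA512 lines left
out); the function names are this example's own.
"""
import re
from collections import Counter

RUN1_FILES = r"""
memory/1504-75-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2280-74-0x000000013FFB0000-0x0000000140304000-memory.dmp
C:\Windows\system\aMGpopW.exe
SHA256 3395bb15aacccbb9e08b5350dba9ebc34f2dd113c782c5d6d9c126126e7ee0dc
C:\Windows\system\rhDYGuW.exe
SHA256 b5501cad731980f1be60211697df43e1d6a671b731afae1c12dbdbd59f44cc74
"""

RUN2_FILES = r"""
memory/2720-0-0x00007FF626550000-0x00007FF6268A4000-memory.dmp
memory/2720-1-0x000001EADF530000-0x000001EADF540000-memory.dmp
C:\Windows\System\MxMnMkd.exe
SHA256 aeb6886cde43946b4252e0d03b106f2b07e8505a7e919e9951c0d90df91af95b
memory/3048-7-0x00007FF6BE790000-0x00007FF6BEAE4000-memory.dmp
C:\Windows\System\aMGpopW.exe
SHA256 3395bb15aacccbb9e08b5350dba9ebc34f2dd113c782c5d6d9c126126e7ee0dc
C:\Windows\System\rhDYGuW.exe
SHA256 b5501cad731980f1be60211697df43e1d6a671b731afae1c12dbdbd59f44cc74
"""

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files(text):
    """Return {'hashes': {basename: {algo: hex}}, 'regions': [(pid, seq, start, end)]}."""
    hashes, regions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REGION_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            hashes.setdefault(current, {})[m.group(1)] = m.group(2)
            continue
        # Anything else is a file path.  Key on the basename, case-insensitively,
        # because run 1 prints 'system' and run 2 prints 'System' for the same directory.
        current = line.rsplit("\\", 1)[-1].lower()
    return {"hashes": hashes, "regions": regions}


def region_sizes(regions):
    """Histogram of dumped-region sizes in bytes."""
    return Counter(end - start for _pid, _seq, start, end in regions)


def stable_hashes(hashes_a, hashes_b, algo="SHA256"):
    """Names present in both runs whose digest under `algo` is identical."""
    return {name for name in hashes_a.keys() & hashes_b.keys()
            if hashes_a[name].get(algo) and hashes_a[name].get(algo) == hashes_b[name].get(algo)}


if __name__ == "__main__":
    run1, run2 = parse_files(RUN1_FILES), parse_files(RUN2_FILES)
    for size, n in sorted(region_sizes(run1["regions"] + run2["regions"]).items()):
        print(f"{n} region(s) of 0x{size:X} bytes")
    print("same SHA256 in both runs:", sorted(stable_hashes(run1["hashes"], run2["hashes"])))
```

Fed the complete Files sections, the histogram collapses to one bucket of 0x354000-byte regions plus the lone 0x10000-byte heap region of PID 2720, and the cross-run set contains all eleven shared names.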