Malware Analysis Report

2025-01-22 19:40

Sample ID 240601-b455gsdd4z
Target 2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike
SHA256 e4c685e90a69095e7f8923bb50560619dc8fa05adecae632863ba89b0e218e84
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: e4c685e90a69095e7f8923bb50560619dc8fa05adecae632863ba89b0e218e84

Threat Level: Known bad (the file 2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike was classified as known bad)

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

Cobaltstrike

xmrig

XMRig Miner payload

Xmrig family

Cobaltstrike family

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-01 01:42

Signatures

Cobalt Strike reflective loader
(no description, indicator, process or target recorded)

Cobaltstrike family (tags: cobaltstrike)

Detects Reflective DLL injection artifacts
(no description, indicator, process or target recorded)

UPX dump on OEP (original entry point)
(no description, indicator, process or target recorded)

XMRig Miner payload (tags: miner)
(no description, indicator, process or target recorded)

Xmrig family (tags: xmrig)

UPX packed file (tags: upx)
(no description, indicator, process or target recorded)

Unsigned PE
(no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 01:42
Reported: 2024-06-01 01:45
Platform: win7-20240220-en
Max time kernel: 135s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

21 matches; no description, indicator, process or target recorded.

Cobaltstrike (tags: trojan backdoor cobaltstrike)

xmrig (tags: miner xmrig)

Detects Reflective DLL injection artifacts

21 matches; no description, indicator, process or target recorded.

UPX dump on OEP (original entry point)

54 matches; no description, indicator, process or target recorded.

XMRig Miner payload (tags: miner)

58 matches; no description, indicator, process or target recorded.

Loads dropped DLL

21 events, all with Process C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe; no description, indicator or target recorded.

UPX packed file (tags: upx)

55 matches; no description, indicator, process or target recorded.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\piVPthd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\comBKvq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZSoGenT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kjkaPnR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hSpAojB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uFkjWmh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tKNNkND.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\beeXyha.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VPfgvQb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AMVCqnu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iTlCKEo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ANfpkYS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MyJPbWY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HqelNXz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\prmmqnx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yeFnTdv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xhtzaIR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oETpEzU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BLmdEuB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\svcZbJq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WonbujW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege (the "Lock pages in memory" user right) is the privilege XMRig enables to allocate large pages for its RandomX working set. Apart from database servers and hypervisors explicitly configured for large pages, few legitimate programs enable it, so this event corroborates the XMRig Miner payload signature above rather than the Cobalt Strike one.

Suspicious use of WriteProcessMemory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe
The original table records three identical rows per child PID; they are collapsed to one row each here.

Description Indicator Target
PID 2868 wrote to memory of 2920 (3 writes) N/A C:\Windows\System\MyJPbWY.exe
PID 2868 wrote to memory of 2976 (3 writes) N/A C:\Windows\System\piVPthd.exe
PID 2868 wrote to memory of 2596 (3 writes) N/A C:\Windows\System\comBKvq.exe
PID 2868 wrote to memory of 2592 (3 writes) N/A C:\Windows\System\HqelNXz.exe
PID 2868 wrote to memory of 2808 (3 writes) N/A C:\Windows\System\uFkjWmh.exe
PID 2868 wrote to memory of 2964 (3 writes) N/A C:\Windows\System\BLmdEuB.exe
PID 2868 wrote to memory of 1952 (3 writes) N/A C:\Windows\System\tKNNkND.exe
PID 2868 wrote to memory of 2440 (3 writes) N/A C:\Windows\System\ZSoGenT.exe
PID 2868 wrote to memory of 2520 (3 writes) N/A C:\Windows\System\beeXyha.exe
PID 2868 wrote to memory of 2900 (3 writes) N/A C:\Windows\System\prmmqnx.exe
PID 2868 wrote to memory of 2668 (3 writes) N/A C:\Windows\System\VPfgvQb.exe
PID 2868 wrote to memory of 2732 (3 writes) N/A C:\Windows\System\yeFnTdv.exe
PID 2868 wrote to memory of 2772 (3 writes) N/A C:\Windows\System\AMVCqnu.exe
PID 2868 wrote to memory of 108 (3 writes) N/A C:\Windows\System\kjkaPnR.exe
PID 2868 wrote to memory of 2284 (3 writes) N/A C:\Windows\System\svcZbJq.exe
PID 2868 wrote to memory of 804 (3 writes) N/A C:\Windows\System\xhtzaIR.exe
PID 2868 wrote to memory of 356 (3 writes) N/A C:\Windows\System\hSpAojB.exe
PID 2868 wrote to memory of 828 (3 writes) N/A C:\Windows\System\iTlCKEo.exe
PID 2868 wrote to memory of 1640 (3 writes) N/A C:\Windows\System\oETpEzU.exe
PID 2868 wrote to memory of 112 (3 writes) N/A C:\Windows\System\WonbujW.exe
PID 2868 wrote to memory of 872 (3 writes) N/A C:\Windows\System\ANfpkYS.exe
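The three behavioural tables above describe one pattern: PID 2868 writes 21 executables with random-looking seven-letter names into C:\Windows\System, enables SeLockMemoryPrivilege, and then writes into the memory of a child process for each dropped file (three write events per child). The Python below is an added example, not part of the sandbox report or its tooling: it replays a constructed subset of those rows through two detection rules, one for the self-replicating dropper and one for SeLockMemoryPrivilege being enabled by a process that is not on a large-pages allow-list. The benign PIDs 4100 and 4200, their image paths, the allow-list and the name-randomness heuristic are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events, reduced from the behavioural tables above to
# (kind, pid, arg1, arg2). PIDs 4100 and 4200 are invented benign noise
# so the rules have something to ignore.
EVENTS = [
    ("file_create", 2868, r"C:\Windows\System\piVPthd.exe", None),
    ("file_create", 2868, r"C:\Windows\System\comBKvq.exe", None),
    ("file_create", 2868, r"C:\Windows\System\ZSoGenT.exe", None),
    ("file_create", 2868, r"C:\Windows\System\MyJPbWY.exe", None),
    ("file_create", 2868, r"C:\Windows\System\HqelNXz.exe", None),
    ("adjust_privilege", 2868, "SeLockMemoryPrivilege", None),
    ("write_process_memory", 2868, 2920, r"C:\Windows\System\MyJPbWY.exe"),
    ("write_process_memory", 2868, 2920, r"C:\Windows\System\MyJPbWY.exe"),
    ("write_process_memory", 2868, 2920, r"C:\Windows\System\MyJPbWY.exe"),
    ("write_process_memory", 2868, 2976, r"C:\Windows\System\piVPthd.exe"),
    ("write_process_memory", 2868, 2596, r"C:\Windows\System\comBKvq.exe"),
    ("file_create", 4100, r"C:\Windows\System32\drivers\vmbus.sys", None),
    ("adjust_privilege", 4200, "SeLockMemoryPrivilege", None),
]

# Image path per PID. 2868 is from the report; 4100 and 4200 are assumed.
# sqlservr.exe stands in for a legitimate large-pages user.
IMAGES = {
    2868: r"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe",
    4100: r"C:\Windows\System32\msiexec.exe",
    4200: r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
}

LARGE_PAGE_ALLOWLIST = {"sqlservr.exe"}  # assumed site-specific allow-list
WINDOWS_DIR = "c:\\windows\\"


def looks_random(stem: str) -> bool:
    """Cheap randomness heuristic for dropped file names: alphabetic, 5-10
    characters, at least two lower/upper case flips. piVPthd, comBKvq and
    MyJPbWY qualify; explorer, vmbus and notepad do not."""
    if not stem.isalpha() or not 5 <= len(stem) <= 10:
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.islower() != b.islower())
    return flips >= 2


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def detect(events, images, min_drops=3, min_children=2):
    drops = defaultdict(set)    # dropper pid -> lower-cased paths of random-named EXEs
    writes = defaultdict(dict)  # writer pid -> {target pid: target image}
    privs = defaultdict(set)    # pid -> privileges enabled
    for kind, pid, a, b in events:
        if kind == "file_create":
            low = a.lower()
            if low.startswith(WINDOWS_DIR) and low.endswith(".exe") and looks_random(basename(a)[:-4]):
                drops[pid].add(low)
        elif kind == "write_process_memory":
            writes[pid][a] = b.lower()  # collapses the repeated rows per child
        elif kind == "adjust_privilege":
            privs[pid].add(a)

    findings = []
    # Rule 1: a process drops several random-named EXEs under C:\Windows and
    # then writes into the memory of processes running those very files.
    for pid, paths in drops.items():
        children = sorted(t for t, img in writes[pid].items() if img in paths)
        if len(paths) >= min_drops and len(children) >= min_children:
            findings.append({"rule": "self_replicating_dropper", "pid": pid,
                             "dropped": len(paths), "children": children})
    # Rule 2: SeLockMemoryPrivilege (large pages, which XMRig requests)
    # enabled by anything outside the allow-list.
    for pid, tokens in privs.items():
        image = basename(images.get(pid, "")).lower()
        if "SeLockMemoryPrivilege" in tokens and image not in LARGE_PAGE_ALLOWLIST:
            findings.append({"rule": "lock_memory_privilege", "pid": pid, "image": image})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS, IMAGES):
        print(finding)
```

The name heuristic is deliberately crude; in production it should be paired with process-creation telemetry, because WriteProcessMemory rows alone do not distinguish a parent setting up its own children from injection into an unrelated process, and the privilege rule needs a real allow-list of the hosts' large-page users rather than the single placeholder entry used here.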

Processes

PID 2868 is the submitted sample; it writes into the memory of every child listed below (child PIDs are taken from the WriteProcessMemory rows above). Each child's command line is its bare path.

PID Process / Command line
2868 "C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe"
2920 C:\Windows\System\MyJPbWY.exe
2976 C:\Windows\System\piVPthd.exe
2596 C:\Windows\System\comBKvq.exe
2592 C:\Windows\System\HqelNXz.exe
2808 C:\Windows\System\uFkjWmh.exe
2964 C:\Windows\System\BLmdEuB.exe
1952 C:\Windows\System\tKNNkND.exe
2440 C:\Windows\System\ZSoGenT.exe
2520 C:\Windows\System\beeXyha.exe
2900 C:\Windows\System\prmmqnx.exe
2668 C:\Windows\System\VPfgvQb.exe
2732 C:\Windows\System\yeFnTdv.exe
2772 C:\Windows\System\AMVCqnu.exe
108 C:\Windows\System\kjkaPnR.exe
2284 C:\Windows\System\svcZbJq.exe
804 C:\Windows\System\xhtzaIR.exe
356 C:\Windows\System\hSpAojB.exe
828 C:\Windows\System\iTlCKEo.exe
1640 C:\Windows\System\oETpEzU.exe
112 C:\Windows\System\WonbujW.exe
872 C:\Windows\System\ANfpkYS.exe

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 (none) tcp 6

Files

memory/2868-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\MyJPbWY.exe

MD5 4f58da3f049500048c9a39f6f863c98c
SHA1 326212f86dab7f5344166007300e92e1440f4431
SHA256 c63f63ffb786bdf7a33de59fa1e7e0e3bc1ba350caf609c5e4d709bd179806f2
SHA512 0a1c984cbe403fe6634fa5aba5fd9b03d861cfff1258cb27932db329edeea6d855b87c214b4a1a2ebfcff8fa5e9aecfd3acba51d86257db4406b75211bfa0b1d

memory/2868-0-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2868-5-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2920-8-0x000000013F610000-0x000000013F964000-memory.dmp

C:\Windows\system\piVPthd.exe

MD5 2be7baad57ae9f129ac4183c7a09b685
SHA1 e647b66c19b7ae583ec9c276e0c74f5351565399
SHA256 a646f8ef55265fbe7bdc65ff70f9e0caef7893305572c84178e37f826ff2bd31
SHA512 7abef1eef6c153776180ebea4a50f4a2e420a9252747b1c85234f8443cad5c635d6181d1f10772985de2325ae8f27cdf231ad119a8db6629871fa5d4609944cc

memory/2976-16-0x000000013FDA0000-0x00000001400F4000-memory.dmp

memory/2868-14-0x000000013FDA0000-0x00000001400F4000-memory.dmp

memory/2868-21-0x000000013FBE0000-0x000000013FF34000-memory.dmp

C:\Windows\system\comBKvq.exe

MD5 6b30763627998dd3eff89ae74607775b
SHA1 71bd78a7de20ebb7e8d0831ef67f3a361fd1dbbc
SHA256 64df11cad4bdbe045c7fac02fa7f66f3bc0ecad7bad99cebe64a7a835ec5fd8e
SHA512 18f1b05471f737ef707b7e9c4eeae0d9b859a17b3e58c7db60967d5cff48505bb929acdca75bd0b8f3abccca871f1585123240a7bf5a3c9d868d564d4b192259

memory/2596-23-0x000000013FBE0000-0x000000013FF34000-memory.dmp

C:\Windows\system\HqelNXz.exe

MD5 cbd09102edc0a3a663dc42b306db49d2
SHA1 9df16875248b71129f9218a0ebc174471580065e
SHA256 446f1d862079831cec859baa7ce038640d97e1756b423434954ea1a88e432a8f
SHA512 bcfcde183490e15ab8cba8a1a81beca6f673a08b73a4ae98d21d02c6855231167e456bf9181317bdeabde48f0213c247b20c2635ec450d997a14fdd822999c59

memory/2868-28-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2592-29-0x000000013F4F0000-0x000000013F844000-memory.dmp

\Windows\system\BLmdEuB.exe

MD5 2437a6ec041a3f2035a30a2e34018be8
SHA1 316573fb2bcb1fde1d1b37f129c3181f386f3160
SHA256 3c8c8a79126b493018a17e72f56a2140f3cc7703a7abfc606f13326e715ee971
SHA512 7c9c0e71ad90cd44e15088909630008eb06a3787d15d10934036a74c4259779b8bacbcaddafd01bdca2c9fe39b7051c404c070cdf255e9f4ae74c2ed02fecec3

memory/2868-50-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2964-49-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/1952-52-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2868-51-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2868-48-0x0000000002390000-0x00000000026E4000-memory.dmp

C:\Windows\system\tKNNkND.exe

MD5 2eeb894094162cee295305ed2e2e760e
SHA1 4e6afa6ad484d97b3e0e46cd8d1a81a82b19c3d3
SHA256 4baafaa94c84f85b4c99051a525843a5efa5846022f98b88861b29df263cfb17
SHA512 50ca8e05565f8ce3ff39bef351a868398a0223997fa86f93f736c2dd33f4736d0475371aa8dfebddba07720b5c988b94f8e4c2dfaab07ae9236150bbfa2d07c5

memory/2808-43-0x000000013F680000-0x000000013F9D4000-memory.dmp

C:\Windows\system\uFkjWmh.exe

MD5 81c3ddf79e2e43eb36f6307b1788f41c
SHA1 f9c0adfab2cb06ad3673d0a3f35ea92273d33390
SHA256 e8f03bbaad390295372244349f48a862ac8b9690b8314507e8e97bc35ae5a56a
SHA512 5219cd9024fadfb162938018542a59abbf480a9d7fbb3fb075ca1b71e2c5ab6032a3c31f666eafde9e3c176b8b1cf954ddd81e77e877763e13838337eef2d26d

memory/2868-35-0x0000000002390000-0x00000000026E4000-memory.dmp

C:\Windows\system\ZSoGenT.exe

MD5 f472cec67ff39c66489a84591fea3ae4
SHA1 88c7b24636fc800f2d43ce8329ed292f7f240930
SHA256 8205d71dc22fee6b83290b84e658aa989fb83e1c618abeaff2a0e48c2f8bccdc
SHA512 a290678f14561c8d56246589c1e4c36617f6aa9e9b816a8ce151d1a94b322368534874fa782d32c7fe7065121caacffee4736f82a03c0503446f538d5733d772

memory/2440-58-0x000000013F450000-0x000000013F7A4000-memory.dmp

\Windows\system\beeXyha.exe

MD5 85e55e2b40611884b02593841640b7bc
SHA1 9aa257fd4ae9ba94b86d8b28bc1a920bb17e9f65
SHA256 4e691e6a7ba8007dd41425b8cc1ec742756c9ffc0e9c18f0f23685fbf960c658
SHA512 3ac1fcd191f634a96a5612500fcff9a9dbe421fc66afdf460d8f2ac1404c2bbbfe5389fccd5c221a907e8b6eed06a9ead8bcf7585484b8c295d370c0998961e8

C:\Windows\system\prmmqnx.exe

MD5 f78e61890109871ae4f6425658458159
SHA1 319f3463af9e4aa136576a81ebda8f0591fba45c
SHA256 db5598bf6dabaad958b622837e58b4ce3b7fd016d2c9181dbf0f351769e5567d
SHA512 c6ceeb61a5defee16f868cd3da9cfb8426bafed4ea9e8f16ac7b30a8479aa73d7eb61773f3a9e2e1907efae3acbec43e2dc078ab1171825b5380c7e1b88f187e

memory/2976-71-0x000000013FDA0000-0x00000001400F4000-memory.dmp

memory/2900-73-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2868-75-0x000000013FC60000-0x000000013FFB4000-memory.dmp

\Windows\system\VPfgvQb.exe

MD5 02c63682f8b452fca157a8af713f4ffb
SHA1 14191193cfd5dae7eaedd87f854b02ae93054ba2
SHA256 9fab0813d7e4e5d808eeefa4a301679d8adbf18ce0b84755c1adb4dcfe608c51
SHA512 57a0a5208e4b37b9df37c56dc942aca10d591527c5a8ccf2ed23c84da8feaf5fac5e9b6265e0fb6230cbfa028f7249ef3f5a537bddb11967afb581cd45cd6c30

memory/2868-72-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2920-64-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2868-62-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2868-80-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2668-81-0x000000013FC60000-0x000000013FFB4000-memory.dmp

\Windows\system\kjkaPnR.exe

MD5 726b7e619600cb54c17316e398f34dd5
SHA1 7b0a156005a53b81687e6d8c79c952a771c33a4d
SHA256 4c01626a71ed59aac913e8697bb4f8a168704c80c7572db3f002ebb376dd86db
SHA512 5caa789f94f108a88fadc31d0439afa6a56d24b5fa352111b806861dc7ea76cb4c47b169e60677a8831ccccc3420505a207ab4fe5b31a62fc2f85523b4966f6d

memory/2868-105-0x000000013F0B0000-0x000000013F404000-memory.dmp

C:\Windows\system\iTlCKEo.exe

MD5 9a6f8503ffb29a8b395f9958ddf4df01
SHA1 82a87bf8fa3f129c7cf950edd8810859671569f6
SHA256 712ce9a80f131352782d172e3859f16ad1f8f1c5ac6f42ff92b85567c37fbd3d
SHA512 c7a90caebd747fc12900e9d5847dc0ec95ef54d1a3513860ef160a63a5b2f63e084fc099279f8e9992fe2e241080751d0aafd64362156d8eecb04a91803aa05a

C:\Windows\system\WonbujW.exe

MD5 95b87c877f5e0f2443d6c77e3727fc20
SHA1 4f31439daa848a54c1e74483fd83e8e5deeb0e05
SHA256 a77b34e77309a14b5b91d7657d66a8f32b50e2db3cc924452f85f372817c4c81
SHA512 d4f076aa5c6e90c8ae02ded3285854760ebf1f3309ec7734b81e575775fa87bb1007ebcaff1ea26e9c5a0966d5a7f68bf1dd6e9493dc348f14f5ad577a579fee

\Windows\system\oETpEzU.exe

MD5 7401a41f2f64dfc72b8451149bd0e409
SHA1 779de720966c397b1145ffd1299b8809b442f890
SHA256 bfd239ff2a33686c3e70b677c00090102e5b688f1f63455ff39dca7b3376ea3f
SHA512 b7fa08522b3e6e90a1831108ad3f6f975685408ed341e15b47be275ca118394b6c6820a88e7046009ae350eec0ca0ad677e43da657a9b63e846d3e09371a428f

\Windows\system\ANfpkYS.exe

MD5 a4afb7fa5b0086446545bd9101bfbde6
SHA1 bdbf94df5c934a6dddc85aad8fc729aa72169307
SHA256 f8c9d67f9022b87b1b369ef41b33ac8dd8e94a229f3b77b409c231a941d355aa
SHA512 616c3976e73bf52bb480a6a2b2e56d51262f2d3b8c00081ccffc64e79d454bb9c54b9348e09c7368e3c575ba3b89a582160681fdbba5493cc27953b82a7e68af

memory/108-131-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2772-129-0x000000013F8E0000-0x000000013FC34000-memory.dmp

C:\Windows\system\hSpAojB.exe

MD5 f41a1cec0ad8b59e3509e8f7271a6029
SHA1 f323c758ad3dc7f1523a711b6892caa5abd31f14
SHA256 b01dbe95191312e2cebdd771e261edbcfe90670dd044e0dacb69cd12eb59e1b1
SHA512 b37b3496c57fb2a5f33427f5e8ef93b6da4f593de68b86a4b242a304906f31cb2a2d2585f05719432d95abbf515a07fb5e2e39d93460b78e5d245b4742399819

C:\Windows\system\svcZbJq.exe

MD5 c866c324fb3b5a0583a83c4a1c6549c2
SHA1 51b2cb86baf2079a9515ae04f4bb330dfbb85a38
SHA256 d5575f2b9d35665ad70395c6433ec4baf1c170d6cd5db775c4c6ee1ddc7fd58c
SHA512 bf762e100ce08e0407c431eb3a2ab4801d4e5d7cbac99303f543b1cb37f7e80efd08aa286beec5f8e7b4abb02329d8cdb856c09ab7fc038e99795b64e805ffa2

C:\Windows\system\xhtzaIR.exe

MD5 c7fa5ecd53f7dbbdafea4aff3bddf3e3
SHA1 8140a134b2cf68b78b6e196641e97d7e64a67bc9
SHA256 7e8333f9cd916e259a2edb5c3f320428f50920634bb3d9107ebdda83aab685cb
SHA512 b8c0ae740235ad49ed89a1440f9059543f8ef64f847760b3a2d8329e8b07fdc5b683d1598acad9648936b606eb730889acfc0c04c4778777e144f6ab9a0c424e

memory/2732-102-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2868-98-0x000000013F180000-0x000000013F4D4000-memory.dmp

C:\Windows\system\AMVCqnu.exe

MD5 bc75f3306f2c0ca2e3dff5b71c5d3e40
SHA1 6a0c22f051f26f223336915ae3c6822354ad7184
SHA256 9521cd1746c7c1bd11748a41fbf7e961b2d487a739d16dba3ac02edae16ea51d
SHA512 48a0e09c87d973372e8a9ccf6e8c2e8aa2dbaaec18b8f59dfb0399f4e08c9ef2a9f311e0508279497705d9186650d161b8752ee68085f2ff16433f935591e097

memory/2592-94-0x000000013F4F0000-0x000000013F844000-memory.dmp

C:\Windows\system\yeFnTdv.exe

MD5 2a89fd59a41517a3061c761a4e315721
SHA1 54556c3db399ccc4602f784e7e83ca957e359ec3
SHA256 a74809eaa27c63a1f1a75deabd9c2d22f88f5a6f00e41c8499a250099d0779a7
SHA512 6a8470fe31f59f5db769aca1a79fb8eeb6a081c122ff2aeb4f080f159b6a81e71e17bd09215cc2363911efaef89857109bd0f940e96c82b32915a640f4589587

memory/2868-137-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2868-139-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2520-138-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2868-140-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2920-141-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2976-142-0x000000013FDA0000-0x00000001400F4000-memory.dmp

memory/2596-143-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/2592-144-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2808-145-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2964-147-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/1952-146-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2440-148-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/2520-149-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2900-150-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2668-151-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2732-152-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2772-153-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/108-154-0x000000013F0B0000-0x000000013F404000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 01:42

Reported

2024-06-01 01:45

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows in the original table; the report exports no description, indicator, process or target for this signature.)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows in the original table; the report exports no description, indicator, process or target for this signature.)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows in the original table; the report exports no description, indicator, process or target for this signature.)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows in the original table; the report exports no description, indicator, process or target for this signature.)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows in the original table; the report exports no description, indicator, process or target for this signature.)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\qyTMiTZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZbNYrrY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TdatGEM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RHAOhdQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aRRBjaN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DlLbsDb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rrBXzjw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VQYqBiH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WJEJFaX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dvEBVKn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jtDyzxY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WvhFXyB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pxXZYCP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qxsKTcD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hXaJdte.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fUPKKvr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HBkMbYd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IvaACjm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gbeUSHf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sHXuQlM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YICMECR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

SeLockMemoryPrivilege ("Lock pages in memory") is the privilege a process needs before VirtualAlloc with MEM_LARGE_PAGES will succeed. XMRig enables it on Windows so the RandomX dataset can be backed by huge pages, so a sample tagged xmrig asking for it is expected; both requests recorded here come from the parent process, not from the dropped copies.

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\WvhFXyB.exe
PID 2516 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\WvhFXyB.exe
PID 2516 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\rrBXzjw.exe
PID 2516 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\rrBXzjw.exe
PID 2516 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\VQYqBiH.exe
PID 2516 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\VQYqBiH.exe
PID 2516 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\pxXZYCP.exe
PID 2516 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\pxXZYCP.exe
PID 2516 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\qyTMiTZ.exe
PID 2516 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\qyTMiTZ.exe
PID 2516 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\IvaACjm.exe
PID 2516 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\IvaACjm.exe
PID 2516 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\WJEJFaX.exe
PID 2516 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\WJEJFaX.exe
PID 2516 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\dvEBVKn.exe
PID 2516 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\dvEBVKn.exe
PID 2516 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZbNYrrY.exe
PID 2516 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZbNYrrY.exe
PID 2516 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\gbeUSHf.exe
PID 2516 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\gbeUSHf.exe
PID 2516 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\sHXuQlM.exe
PID 2516 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\sHXuQlM.exe
PID 2516 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\qxsKTcD.exe
PID 2516 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\qxsKTcD.exe
PID 2516 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\TdatGEM.exe
PID 2516 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\TdatGEM.exe
PID 2516 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\RHAOhdQ.exe
PID 2516 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\RHAOhdQ.exe
PID 2516 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\hXaJdte.exe
PID 2516 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\hXaJdte.exe
PID 2516 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\YICMECR.exe
PID 2516 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\YICMECR.exe
PID 2516 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\fUPKKvr.exe
PID 2516 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\fUPKKvr.exe
PID 2516 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\aRRBjaN.exe
PID 2516 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\aRRBjaN.exe
PID 2516 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\DlLbsDb.exe
PID 2516 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\DlLbsDb.exe
PID 2516 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\HBkMbYd.exe
PID 2516 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\HBkMbYd.exe
PID 2516 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\jtDyzxY.exe
PID 2516 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\jtDyzxY.exe
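
Every target in the table above is a process the parent (PID 2516) has just created under C:\Windows\System, and each child appears exactly twice, so what this signature records is the execute half of drop-and-execute, not a write into an already running process. The script below is an added example, not part of the sandbox report or the sample: it rebuilds the process tree from those rows, collapses the doubled events, and lists which children run from the drop directory. SAMPLE_ROWS is a constructed subset of the rows above, copied verbatim; the drop_dir parameter is an assumption whose default is the directory the "Drops file in Windows directory" table shows. Run it over all 42 rows to get the 21 children.

```python
"""Rebuild the parent/child process tree from the sandbox's
'Suspicious use of WriteProcessMemory' rows.

Added example; not part of the sandbox report or the sample. SAMPLE_ROWS
is a constructed subset of the rows in the table above, copied verbatim,
so the script runs offline. Feed parse_events() the whole table to see
all 21 children.
"""
import re
from collections import Counter, defaultdict

# One table row: "PID <p> wrote to memory of <c> <indicator> <parent path> <target path>"
ROW = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+)\s+(?P<indicator>\S+)\s+(?P<rest>.+)$"
)
# The two paths are separated by whitespace that precedes a drive letter; splitting
# only there keeps paths with embedded spaces (C:\Program Files\...) intact.
PATH_SPLIT = re.compile(r"\s+(?=[A-Za-z]:\\)")

# Constructed sample: six rows from the table above, verbatim.
SAMPLE_ROWS = r"""
PID 2516 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\WvhFXyB.exe
PID 2516 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\WvhFXyB.exe
PID 2516 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\rrBXzjw.exe
PID 2516 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\rrBXzjw.exe
PID 2516 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\VQYqBiH.exe
PID 2516 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe C:\Windows\System\VQYqBiH.exe
"""


def parse_events(text):
    """Yield (parent_pid, child_pid, parent_path, target_path) for every raw row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        paths = PATH_SPLIT.split(m["rest"])
        if len(paths) != 2:
            continue  # the page's rows always carry exactly two paths
        yield int(m["parent"]), int(m["child"]), paths[0], paths[1]


def edge_counts(text):
    """Write events per (parent, child) pair. The sandbox logs two per created
    child, so any pair with a different count deserves a closer look."""
    return Counter((p, c) for p, c, _, _ in parse_events(text))


def build_tree(text):
    """parent_pid -> {child_pid: target_path}, duplicate events collapsed."""
    tree = defaultdict(dict)
    for parent, child, _, target in parse_events(text):
        tree[parent][child] = target
    return dict(tree)


def drop_and_execute(text, drop_dir=r"C:\Windows\System"):
    """Per parent PID, the children whose image sits under drop_dir (assumed
    parameter; the default is the directory the drop table on this page shows)."""
    prefix = drop_dir.rstrip("\\").lower() + "\\"
    return {
        parent: sorted(t for t in kids.values() if t.lower().startswith(prefix))
        for parent, kids in build_tree(text).items()
    }


if __name__ == "__main__":
    for parent, kids in drop_and_execute(SAMPLE_ROWS).items():
        print(f"PID {parent} executed {len(kids)} dropped binaries:")
        for path in kids:
            print("   ", path)
    odd = {edge: n for edge, n in edge_counts(SAMPLE_ROWS).items() if n != 2}
    print("edges with an unusual event count:", odd or "none")
```

When you apply this to a report that also shows writes into a PID that never appears as a child, or more than two writes per pair, that is the point to start treating the signature as possible injection rather than plain process creation.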

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef9861a9206692f8522c3513c1ca4322_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\WvhFXyB.exe

C:\Windows\System\WvhFXyB.exe

C:\Windows\System\rrBXzjw.exe

C:\Windows\System\rrBXzjw.exe

C:\Windows\System\VQYqBiH.exe

C:\Windows\System\VQYqBiH.exe

C:\Windows\System\pxXZYCP.exe

C:\Windows\System\pxXZYCP.exe

C:\Windows\System\qyTMiTZ.exe

C:\Windows\System\qyTMiTZ.exe

C:\Windows\System\IvaACjm.exe

C:\Windows\System\IvaACjm.exe

C:\Windows\System\WJEJFaX.exe

C:\Windows\System\WJEJFaX.exe

C:\Windows\System\dvEBVKn.exe

C:\Windows\System\dvEBVKn.exe

C:\Windows\System\ZbNYrrY.exe

C:\Windows\System\ZbNYrrY.exe

C:\Windows\System\gbeUSHf.exe

C:\Windows\System\gbeUSHf.exe

C:\Windows\System\sHXuQlM.exe

C:\Windows\System\sHXuQlM.exe

C:\Windows\System\qxsKTcD.exe

C:\Windows\System\qxsKTcD.exe

C:\Windows\System\TdatGEM.exe

C:\Windows\System\TdatGEM.exe

C:\Windows\System\RHAOhdQ.exe

C:\Windows\System\RHAOhdQ.exe

C:\Windows\System\hXaJdte.exe

C:\Windows\System\hXaJdte.exe

C:\Windows\System\YICMECR.exe

C:\Windows\System\YICMECR.exe

C:\Windows\System\fUPKKvr.exe

C:\Windows\System\fUPKKvr.exe

C:\Windows\System\aRRBjaN.exe

C:\Windows\System\aRRBjaN.exe

C:\Windows\System\DlLbsDb.exe

C:\Windows\System\DlLbsDb.exe

C:\Windows\System\HBkMbYd.exe

C:\Windows\System\HBkMbYd.exe

C:\Windows\System\jtDyzxY.exe

C:\Windows\System\jtDyzxY.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3404 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
("-" marks rows where the report associates no domain name with the connection.)

Files

memory/2516-0-0x00007FF7309A0000-0x00007FF730CF4000-memory.dmp

memory/2516-1-0x000002E2F52C0000-0x000002E2F52D0000-memory.dmp

C:\Windows\System\WvhFXyB.exe

MD5 5af49557a8faef9653f50fb83f1bdd0d
SHA1 57cf1a384bba03b03cfb59c8b738b90b3226f69e
SHA256 4d0ce9e9ed2c2bc7a2fda08d0062e88fb7cf2da092d324e41c2bf43955850d52
SHA512 67ee7d7cf8c9f71594a22abc783177a49ebf4cca53ffea709e971e1e3b7ab18af4c97cb21cad2110e4d1ac9cb84a604b3e78ff0d6310259077b6b10710cc4caf

memory/3584-8-0x00007FF7B6A70000-0x00007FF7B6DC4000-memory.dmp

C:\Windows\System\rrBXzjw.exe

MD5 10082c659fdd6ee54a1f5f7960a34e9b
SHA1 fe9b41a52791804df1c928241bcca2a05d82fd18
SHA256 d3953aa141ad15be06c69c178816f306ff4b07837a6a5d3d6e014a4b7c17e3a4
SHA512 77b4fd58318f04ee3fb83ff2ccd5759570e3e23b1e3527e37187c4a041c4ebef24b746b5b0ddf8a61150dd19175f4a372b0224667f9944644fcf2d781613334c

C:\Windows\System\VQYqBiH.exe

MD5 bb1a278c564edc0a9c37188765a00c79
SHA1 29ddb3233e1135e638635be1fe3d39824b67d80e
SHA256 ce986c9376e5ae672878b67f17b826c3a47ea9213452332dcdafdf3a1d70348c
SHA512 24d1f03dbefc0ae408737e379026f1a013fddfee1ab88e18a1b548d83f38d3fe32063bd3ad78fa082652d22daee0f934cf13aa2a63f64bb45738f049657d1f32

memory/728-19-0x00007FF7943E0000-0x00007FF794734000-memory.dmp

memory/3176-20-0x00007FF7AB3E0000-0x00007FF7AB734000-memory.dmp

C:\Windows\System\pxXZYCP.exe

MD5 c224a3a08613841e9b9d26f5a78925e7
SHA1 1011d5acebdcabf95c324f4b6153ca632e9ee3ba
SHA256 971c7a0783f1682aa2d5d2b74dec01d13d8ed901db6d2eea25430b64ddd54f2c
SHA512 12300e6e4eac76e8953090b504ec57704b102a4265a81e93c8ed01c7010c834200bf861ad35454e52fd3e7b637a7e70584ae764fb3cf76f0d52bbb1e39c0e946

memory/2160-26-0x00007FF786450000-0x00007FF7867A4000-memory.dmp

memory/2992-30-0x00007FF7A5B60000-0x00007FF7A5EB4000-memory.dmp

C:\Windows\System\WJEJFaX.exe

MD5 a4f88fd09e4029fab1976729a430e92f
SHA1 04eaed4c8573ac5bfeeb3a8541aa6c3caedd006a
SHA256 dbfecd97b1c57a33016c09032c044a8c9e20776225a82642c9128047f6c24f31
SHA512 a43e13b3abf1c21ddb16c44ffd4abf0620809798d03e5001522fe27913efdad65812f2821b8768e68285fe0bc561bcec408f93f684e752811acb37ff6036fa7b

C:\Windows\System\gbeUSHf.exe

MD5 99612e93dbd7918e227b101e1a9c7791
SHA1 66b4e31ff9e7c13859e13c73147417f12bd706d8
SHA256 b5ea0ce172678ba348ca2b6b9a6e2349d0f7abbd4694996450fe82b4788cc286
SHA512 f26275ed0a39e305e58961184fdf139c2dd4a5252fe21cb58303e9fe8ea098e13b412dcca875a13c92074c12103ed06b798cc8099a2d91bcf0917fcc1e07584c

C:\Windows\System\sHXuQlM.exe

MD5 cdd28eece4bd7007a6d97801d6f81c9d
SHA1 e89f78ef80aa5f88a3a11a942272446a9e5aae30
SHA256 43f602c4af1ed2c300bc777d4f1292b35981ebfe65bc32fabf40629918b5ea9d
SHA512 31cb46e024e0f8d3d16d7babf18603feb96ce665f22fe2f3c7bfa7b18c67f09827c07516554c82e9f277c0457c91d2eaf03ed7d5b1b6dfac51aa4b7d42651caa

C:\Windows\System\RHAOhdQ.exe

MD5 409baab3f825d97b237565c40fdfa533
SHA1 fcc3a56176114d49ee9f00a8af758412edc4bd39
SHA256 8fb2decb100a77eefbbead8cf66155912a2104b590a932738914edcbffdaea72
SHA512 eaec2b96814a889b6308a9badbcc0f74122fb7778a085c732444eeb06769a48c467099e41a5108d98f6f96391184bc3b4e2f201a1f7798fe8303759e3da39d74

C:\Windows\System\hXaJdte.exe

MD5 eb2370a9dedda2bfd872bdedd1864e11
SHA1 fde2f3f67062bf788ab35db22fdf35e6fa9ec894
SHA256 481392b29677bc21685f755ea4969ac120b5469a08d0588c10fd4871c9b84d1d
SHA512 ddc87ea17fce04792d234e9d916d611e9824f25d2925cfc2b8a024e321935fe6b9a6c995cfb2c957cfeb3a025b3dde66b2ba16ad4d4b8ebd3f2e2dff57f11ebc

C:\Windows\System\DlLbsDb.exe

MD5 c65bc36dc7831e666b2e8e02e2d48eea
SHA1 07b7eb37ca47d426323f73fa5284d84d16728459
SHA256 c051b40c752b3c374c6520eaac9d53f8c9759310db4cdc36bfbf2b0f325e2d5c
SHA512 6f893441dfc341dde1430a76894a2b01673a9e8b9f5cff3df91e54a31327f2fb14da345cf1ec492b55ca28431f3201ca7b861c2bbdb4331fde4e5155549d7f01

C:\Windows\System\HBkMbYd.exe

MD5 98e9372bae13dd5585550bff99cd5be4
SHA1 b48967a96a6a0eccfb5a0295702557f9cd71eb17
SHA256 55c912e8902cab18b40d3c6ae3dbc2f8d3dca941c405ac26df9ba8e7f89118de
SHA512 fb1af91799dfcb586d409644698ce4dcd9dce55d99013be022e82ddad68e295941b2686ab6b6a0f0df3fd6f92dcb9b47c810a713d3ba1eeb7a8ad353eb97b61a

C:\Windows\System\jtDyzxY.exe

MD5 793488fb6b4065c08b102e17d7923128
SHA1 e41803b9d882012c618b6b06aeff294d5157f7e7
SHA256 87a50066355aac4e4142b15c2c30175783ebe661d7be1bba3b3aab69add30f41
SHA512 6c6fd7c3f6122a7f2e569d3810f9d20656df2b9827329b6f86822d6904e0e34758ea160346f72ba7d72580ea39f8a8838a2ba224b14306f54f192850010b432a

C:\Windows\System\aRRBjaN.exe

MD5 e0cccaf36f35bd816ad901c6ebc42c88
SHA1 4075e1785e6442d7f41889828008bba18c6a2517
SHA256 3f80cbfdf8897376c0b37f321c788605813f671b7ac0d5b0149e28429f209f37
SHA512 138bc98d6a56b3b6c167b53bf2ed023b1fbe4486f6e7cf76f36c04a85ee64bfde6771d02420f5c36ebc91e00769570d5419fbafc91a13b167202e1418777cf3a

C:\Windows\System\fUPKKvr.exe

MD5 a6711ec59968d8a8e23b6e685ad85bc3
SHA1 2945b973904d4064a424654644e5eba16da87d2f
SHA256 80487972e1ad962c2f009c1e062c0b3f851b39d1029e4ec7fb02b738a90655ee
SHA512 447b9afd446a3748438c3c7d8e5fa31f8e342f644bb9878228203da61f8cdca24e37fc1239e8cf0aef95139236d240bee3e8b900365082795306a052199fcf56

C:\Windows\System\YICMECR.exe

MD5 615b069749394d625fb33d491f658207
SHA1 efd31fa40393b7dbab59ec24e2c8156cfb066cc0
SHA256 44f5682c1048eb2ab94fa670df5fcc92af25b2d1d82e3bb3e45c1f39c226a0d9
SHA512 8b499fbc8e6290384ca93d1c14dfb9b69012200382fa72c1e4ce9189ddcf1a87b21fdaf560dcff555647a85257e6701d9aa77ad53a37b401dfb196612a1e8f26

C:\Windows\System\TdatGEM.exe

MD5 97a5ad724a77ac596a4f6995d6575e44
SHA1 e647120f3e926e432c1762139cd4ad29c14bb4fa
SHA256 80fb9ee0618ac50ce2d75e869a5162497ad529e1dbdb5343d3c2a3a8792ed568
SHA512 b8eac46c9555c10817dcd8e6dd279961bc74076df10d0e339507f21cba47a4ab0e5d24f065cd7fd503a288cba15a9ea93835b5cae6916473c527818b3d531dea

C:\Windows\System\qxsKTcD.exe

MD5 4a5530edc68717c2a8e311f198b1f450
SHA1 645de1e80de171ddd326f4c52e5246f85e204e01
SHA256 9eab92089008497ec81e74b5161ee4cc8c429078bece6b376d85d0e25781365b
SHA512 3de00264210eb20b8174081ef01d175a6707b5e4ac6ee72a45550b9254aa9a9898b52e14f08799fd6ef4f81fd2709647d62a04debcd362bf956fc69e17baca03

C:\Windows\System\ZbNYrrY.exe

MD5 6854c06844f79e737889446d4af3a415
SHA1 defd20448b4b0ea4cdd45be74e018cbd4ddd25a0
SHA256 ae1f46f1a94b89cd37006ff90de758f0b1c03893531145b5bff0d7165870eeea
SHA512 06821fe63d1e518c9915ad05bf8851827eff0da360ae0b0c839f59a1481a9d05c46dbec14273e2482ff498ffb90408bc0d2e272f03a3f924f4bf42d135322662

C:\Windows\System\dvEBVKn.exe

MD5 8bd0ed2ef2f6732bc441bb98d679279e
SHA1 634f376333568023bd4ba704adbe5f0d7cabbae7
SHA256 f2e51f6a42d41f6e0f9cab118dbb00bcef470e406d61b76b7a600f410fd4301b
SHA512 3de17633a3f184963ea16afee4ba8d6d58e86e70ddee933197d6b9460a4d907baa3857ca8f070765a75c4cd65a87af402ea83c2daf70e395c14dac380d78b692

C:\Windows\System\IvaACjm.exe

MD5 7b1a3f7994f0550c6b76f6cc9d786579
SHA1 a3098a8f89b32d0e92e5239fd27d919a579c29b0
SHA256 4d50a73e07f1fcfae927cccc7502e296d556ff4745b41bbaa0540f77b3e8bcbb
SHA512 00be02edac209a83f289efcc58696c3b21c178dfc9985d7dd68aef6127c88e471c3d0894ef859fb45b920862f7508973f391502b4389cf90d1af7eb983f28134

C:\Windows\System\qyTMiTZ.exe

MD5 822a4d185c3168ecccd6370a755fef36
SHA1 f830fa7ef41789fde4a5a542815982e2a0a63247
SHA256 dfc58ae346c19980f6088d8b0b060bb002a34fee890678ec212fbb53b97937dc
SHA512 35ee965fb48d4e4e040c6fcdfd8f6f122a2780de68031b7051bb861648fb5a3099c3d5151344660d9655162872c8bdbb489e362df6cbdbad7379b120d847df6b

memory/2264-112-0x00007FF77B8C0000-0x00007FF77BC14000-memory.dmp

memory/2920-113-0x00007FF6B2450000-0x00007FF6B27A4000-memory.dmp

memory/3200-114-0x00007FF722C80000-0x00007FF722FD4000-memory.dmp

memory/3268-115-0x00007FF60A6C0000-0x00007FF60AA14000-memory.dmp

memory/428-117-0x00007FF7723B0000-0x00007FF772704000-memory.dmp

memory/4848-118-0x00007FF691E60000-0x00007FF6921B4000-memory.dmp

memory/2576-116-0x00007FF6BAC50000-0x00007FF6BAFA4000-memory.dmp

memory/2212-119-0x00007FF74F6F0000-0x00007FF74FA44000-memory.dmp

memory/3732-122-0x00007FF6428D0000-0x00007FF642C24000-memory.dmp

memory/2768-123-0x00007FF610FC0000-0x00007FF611314000-memory.dmp

memory/2072-121-0x00007FF65FB60000-0x00007FF65FEB4000-memory.dmp

memory/2192-124-0x00007FF7D2370000-0x00007FF7D26C4000-memory.dmp

memory/3908-120-0x00007FF6E0800000-0x00007FF6E0B54000-memory.dmp

memory/4692-125-0x00007FF6873E0000-0x00007FF687734000-memory.dmp

memory/380-126-0x00007FF6C0970000-0x00007FF6C0CC4000-memory.dmp

memory/3840-127-0x00007FF71FD70000-0x00007FF7200C4000-memory.dmp

memory/2516-128-0x00007FF7309A0000-0x00007FF730CF4000-memory.dmp

memory/2992-129-0x00007FF7A5B60000-0x00007FF7A5EB4000-memory.dmp

memory/3584-130-0x00007FF7B6A70000-0x00007FF7B6DC4000-memory.dmp

memory/728-131-0x00007FF7943E0000-0x00007FF794734000-memory.dmp

memory/3176-132-0x00007FF7AB3E0000-0x00007FF7AB734000-memory.dmp

memory/2160-133-0x00007FF786450000-0x00007FF7867A4000-memory.dmp

memory/2264-135-0x00007FF77B8C0000-0x00007FF77BC14000-memory.dmp

memory/2992-134-0x00007FF7A5B60000-0x00007FF7A5EB4000-memory.dmp

memory/3268-136-0x00007FF60A6C0000-0x00007FF60AA14000-memory.dmp

memory/3200-137-0x00007FF722C80000-0x00007FF722FD4000-memory.dmp

memory/2920-138-0x00007FF6B2450000-0x00007FF6B27A4000-memory.dmp

memory/2212-144-0x00007FF74F6F0000-0x00007FF74FA44000-memory.dmp

memory/2768-146-0x00007FF610FC0000-0x00007FF611314000-memory.dmp

memory/3732-145-0x00007FF6428D0000-0x00007FF642C24000-memory.dmp

memory/2192-147-0x00007FF7D2370000-0x00007FF7D26C4000-memory.dmp

memory/3908-143-0x00007FF6E0800000-0x00007FF6E0B54000-memory.dmp

memory/2072-142-0x00007FF65FB60000-0x00007FF65FEB4000-memory.dmp

memory/2576-141-0x00007FF6BAC50000-0x00007FF6BAFA4000-memory.dmp

memory/428-140-0x00007FF7723B0000-0x00007FF772704000-memory.dmp

memory/4848-139-0x00007FF691E60000-0x00007FF6921B4000-memory.dmp

memory/3840-148-0x00007FF71FD70000-0x00007FF7200C4000-memory.dmp

memory/380-149-0x00007FF6C0970000-0x00007FF6C0CC4000-memory.dmp

memory/4692-150-0x00007FF6873E0000-0x00007FF687734000-memory.dmp
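
Reading the Files and Network sections by hand is slow and error-prone, so here is an added example, not from the report or from the sample's authors, that turns them into IOCs: the dropped paths with their SHA256s, the size of each dumped memory region, and the destinations that recur without any resolved name. Two things worth noticing in this run are visible from the page itself: the 21 dropped files all carry different hashes while every image region dumped for them spans 0x354000 bytes (the 2516-1 region, 0x10000 bytes, is a non-image allocation of the parent), so hashes of the drops travel poorly compared with the drop directory, the seven-letter naming and the network endpoint; and the reverse-DNS queries to 8.8.8.8 plus the www.bing.com connection are consistent with the msedge.exe process in the list, whereas 3.120.209.58:8080 is contacted six times over TCP with no name attached and is the endpoint to verify before blocking. SAMPLE is a constructed subset of this page's own lines; the skip_ports parameter and the handling of a "-" domain placeholder are assumptions.

```python
"""Extract IOCs from the report's 'Files' and 'Network' sections.

Added example; not part of the sandbox report or the sample. SAMPLE is a
constructed subset of the lines on this page, copied verbatim, so the script
runs offline; run parse_iocs() over the whole page text for the full set.
The hashes are values the report already lists, nothing is computed from
the binaries themselves.
"""
import re
from collections import Counter

# "<path>\n\nMD5 ...\nSHA1 ...\nSHA256 ...\nSHA512 ..." exactly as the page prints it;
# the drive letter is optional because some paths on the page lack one.
FILE_BLOCK = re.compile(
    r"^(?P<path>(?:[A-Za-z]:)?\\\S+\.exe)\n\n"
    r"MD5 (?P<md5>[0-9a-f]{32})\n"
    r"SHA1 (?P<sha1>[0-9a-f]{40})\n"
    r"SHA256 (?P<sha256>[0-9a-f]{64})\n"
    r"SHA512 (?P<sha512>[0-9a-f]{128})$",
    re.MULTILINE,
)
# "memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp"
MEM_DUMP = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$",
    re.MULTILINE,
)
# "<CC> <ip:port> [<domain>] <proto>"; the domain column is empty (or "-") for bare connections.
NET_ROW = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<dst>\d{1,3}(?:\.\d{1,3}){3}:\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$",
    re.MULTILINE,
)

# Constructed sample: lines copied verbatim from this page.
SAMPLE = r"""
memory/2516-0-0x00007FF7309A0000-0x00007FF730CF4000-memory.dmp

memory/2516-1-0x000002E2F52C0000-0x000002E2F52D0000-memory.dmp

C:\Windows\System\WvhFXyB.exe

MD5 5af49557a8faef9653f50fb83f1bdd0d
SHA1 57cf1a384bba03b03cfb59c8b738b90b3226f69e
SHA256 4d0ce9e9ed2c2bc7a2fda08d0062e88fb7cf2da092d324e41c2bf43955850d52
SHA512 67ee7d7cf8c9f71594a22abc783177a49ebf4cca53ffea709e971e1e3b7ab18af4c97cb21cad2110e4d1ac9cb84a604b3e78ff0d6310259077b6b10710cc4caf

memory/3584-8-0x00007FF7B6A70000-0x00007FF7B6DC4000-memory.dmp

\Windows\system\kjkaPnR.exe

MD5 726b7e619600cb54c17316e398f34dd5
SHA1 7b0a156005a53b81687e6d8c79c952a771c33a4d
SHA256 4c01626a71ed59aac913e8697bb4f8a168704c80c7572db3f002ebb376dd86db
SHA512 5caa789f94f108a88fadc31d0439afa6a56d24b5fa352111b806861dc7ea76cb4c47b169e60677a8831ccccc3420505a207ab4fe5b31a62fc2f85523b4966f6d

US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
NL 23.62.61.97:443 www.bing.com tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""


def parse_files(text):
    """path -> {md5, sha1, sha256, sha512} for every dropped-file block."""
    return {m["path"]: {k: m[k] for k in ("md5", "sha1", "sha256", "sha512")}
            for m in FILE_BLOCK.finditer(text)}


def parse_memory_regions(text):
    """(pid, dump_index, start_address, size_in_bytes) for every dump name."""
    return [(int(m["pid"]), int(m["idx"]), int(m["start"], 16),
             int(m["end"], 16) - int(m["start"], 16))
            for m in MEM_DUMP.finditer(text)]


def region_size_histogram(text):
    """How many dumped regions share each size; one size dominating means one payload."""
    return Counter(r[3] for r in parse_memory_regions(text))


def c2_candidates(text, skip_ports=(53,)):
    """Destinations seen with no resolved name, excluding resolver traffic
    (skip_ports is an assumed parameter), with how often each recurred."""
    hits = Counter()
    for m in NET_ROW.finditer(text):
        port = int(m["dst"].rsplit(":", 1)[1])
        if m["domain"] in (None, "-") and port not in skip_ports:
            hits[(m["dst"], m["proto"])] += 1
    return hits


def parse_iocs(text):
    files = parse_files(text)
    return {
        "drop_paths": sorted(files),
        "sha256": sorted(v["sha256"] for v in files.values()),
        "c2": [f"{dst}/{proto}" for (dst, proto), _ in c2_candidates(text).most_common()],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(parse_iocs(SAMPLE), indent=2))
    print({hex(size): n for size, n in region_size_histogram(SAMPLE).items()})
```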