Malware Analysis Report

2025-01-22 19:41

Sample ID 240601-cmv4mafa57
Target 2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike
SHA256 d48bb218ec8749cdffada855ef9f6a973c451485da0385bce12317ef9fc79ca9
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

d48bb218ec8749cdffada855ef9f6a973c451485da0385bce12317ef9fc79ca9

Threat Level: Known bad

The file 2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

Xmrig family

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobaltstrike family

Cobaltstrike

xmrig

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 02:12

Signatures

Where the export carried a match table for a static signature, it held a single row with every column (Description, Indicator, Process, Target) set to N/A, so only the signature names and their family tags are recoverable here.

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 02:12

Reported

2024-06-01 02:14

Platform

win7-20240220-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches recorded; all four columns are N/A in this export, so the matched regions cannot be tied to specific processes here.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches recorded; all four columns are N/A in this export.

UPX dump on OEP (original entry point)

Description Indicator Process Target
53 matches recorded; all four columns are N/A in this export.

XMRig Miner payload

miner
Description Indicator Process Target
55 matches recorded; all four columns are N/A in this export.

Loads dropped DLL

Description Indicator Process Target
21 events recorded; the Process column is C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe in every row, and the Indicator (the module that was loaded) is N/A in this export.

UPX packed file

upx
Description Indicator Process Target
53 matches recorded; all four columns are N/A in this export.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\KWBODKl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yeVozfe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OigWIyB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ROpSQra.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PUjLxlm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IHQsJgc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\scLJBKw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YTzUtQV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MEcxGin.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sUtOlVE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KziynoP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yRSJbka.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NlulgTj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UmtRphF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UoioNTL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FymBsDe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jfdTVhG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ULQKosb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ojTwSQW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bBspvQu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HLsPFqh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege (2 adjustments) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege allows a process to allocate large pages. XMRig enables it so that RandomX can run on large pages, which is why this token adjustment sits naturally beside the miner tags above. Its legitimate requesters are typically database engines and hypervisors, not an executable launched from a user's Temp directory.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1028 wrote to memory of 2916 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\KWBODKl.exe
PID 1028 wrote to memory of 1332 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\yeVozfe.exe
PID 1028 wrote to memory of 2648 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\PUjLxlm.exe
PID 1028 wrote to memory of 2524 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\IHQsJgc.exe
PID 1028 wrote to memory of 2808 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\ULQKosb.exe
PID 1028 wrote to memory of 2628 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\OigWIyB.exe
PID 1028 wrote to memory of 2664 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\KziynoP.exe
PID 1028 wrote to memory of 2388 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\ojTwSQW.exe
PID 1028 wrote to memory of 1900 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\yRSJbka.exe
PID 1028 wrote to memory of 556 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\scLJBKw.exe
PID 1028 wrote to memory of 2556 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\YTzUtQV.exe
PID 1028 wrote to memory of 2640 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\MEcxGin.exe
PID 1028 wrote to memory of 2772 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\NlulgTj.exe
PID 1028 wrote to memory of 1940 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\sUtOlVE.exe
PID 1028 wrote to memory of 768 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\UmtRphF.exe
PID 1028 wrote to memory of 320 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\bBspvQu.exe
PID 1028 wrote to memory of 1960 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\UoioNTL.exe
PID 1028 wrote to memory of 2100 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\FymBsDe.exe
PID 1028 wrote to memory of 1752 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\ROpSQra.exe
PID 1028 wrote to memory of 1700 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\jfdTVhG.exe
PID 1028 wrote to memory of 1620 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\HLsPFqh.exe

PID 1028 is the submitted sample. The export listed three identical rows per child; they are collapsed above with the write count. Every one of the 21 dropped executables received writes from the dropper, and the Process/Target pairs match the "Drops file in Windows directory" list one for one.
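The four behaviours recorded above (random-named drops directly under C:\Windows\System, execution of those drops, WriteProcessMemory from the dropper into each child, and SeLockMemoryPrivilege adjustment) form a compact detection chain. The following is an added example, not part of the sandbox report or of any vendor's rule set: a Python scorer run over constructed, Sysmon-like events whose PIDs and paths are taken from the tables above. The event field names, the point values and the two benign decoy events are assumptions made for the example.

```python
"""Detection logic for the behaviour chain recorded under behavioral1.

Added example, not part of the sandbox report or any vendor's product. The
event dicts are constructed to mirror the report's signature rows; their field
names are an assumed Sysmon-like schema, not a real telemetry format.
"""
import re
from collections import defaultdict

# Every one of the 21 drops in the report is C:\Windows\System\<seven letters>.exe,
# directly under System (not System32), with a mixed-case random name.
RANDOM_SYSTEM_EXE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)

# XMRig enables SeLockMemoryPrivilege so RandomX can use large pages; a binary
# running out of a user profile has little legitimate reason to ask for it.
MINER_PRIVILEGE = "SeLockMemoryPrivilege"
USER_PROFILE = re.compile(r"^c:\\users\\", re.IGNORECASE)

REASON_DROP = "dropped random-named EXEs directly in C:\\Windows\\System"
REASON_EXEC = "executed its own drops"
REASON_WRITE = "wrote into the processes it spawned from its drops"
REASON_PRIV = "adjusted SeLockMemoryPrivilege from a user-profile binary"

DROPPER = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
           "2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe")


def is_random_system_drop(path):
    """True for the report's drop pattern, false for System32 or other names."""
    return RANDOM_SYSTEM_EXE.match(path) is not None


def triage(events):
    """Score each process on the four behaviours the report records.

    Event shapes (assumed schema):
      {"type": "file_create",      "pid", "image", "path"}
      {"type": "process_create",   "pid", "ppid", "image"}
      {"type": "privilege_adjust", "pid", "image", "privilege"}
      {"type": "remote_write",     "pid", "target_pid"}
    Returns {pid: {"image", "score", "reasons"}} for processes that hit a rule.
    """
    images = {}
    dropped = defaultdict(set)    # pid -> lower-cased paths it dropped
    children = defaultdict(dict)  # ppid -> {child pid: child image}
    findings = defaultdict(lambda: {"score": 0, "reasons": []})

    def add(pid, points, reason):
        entry = findings[pid]
        if reason not in entry["reasons"]:      # each rule counts once per process
            entry["score"] += points
            entry["reasons"].append(reason)

    # Pass 1: process tree and drop inventory.
    for ev in events:
        if "image" in ev:
            images[ev["pid"]] = ev["image"]
        if ev["type"] == "file_create" and is_random_system_drop(ev["path"]):
            dropped[ev["pid"]].add(ev["path"].lower())
        elif ev["type"] == "process_create":
            children[ev["ppid"]][ev["pid"]] = ev["image"]

    # Pass 2: rules that need the inventory.
    for pid, paths in dropped.items():
        if len(paths) >= 3:                      # one odd file is noise; a batch is not
            add(pid, 3, REASON_DROP)
        if any(img.lower() in paths for img in children[pid].values()):
            add(pid, 3, REASON_EXEC)
    for ev in events:
        if ev["type"] == "remote_write":
            target = children[ev["pid"]].get(ev["target_pid"], "")
            if target.lower() in dropped[ev["pid"]]:
                add(ev["pid"], 2, REASON_WRITE)
        elif ev["type"] == "privilege_adjust" and ev["privilege"] == MINER_PRIVILEGE:
            if USER_PROFILE.match(ev["image"]):
                add(ev["pid"], 2, REASON_PRIV)

    return {pid: dict(f, image=images.get(pid, "?")) for pid, f in findings.items()}


def sample_events():
    """Constructed events: the first three drops from the report (PIDs and paths
    from its WriteProcessMemory table) plus two benign decoys that must not score."""
    ev = [{"type": "privilege_adjust", "pid": 1028, "image": DROPPER,
           "privilege": MINER_PRIVILEGE}]
    for child_pid, name in [(2916, "KWBODKl"), (1332, "yeVozfe"), (2648, "PUjLxlm")]:
        path = "C:\\Windows\\System\\" + name + ".exe"
        ev.append({"type": "file_create", "pid": 1028, "image": DROPPER, "path": path})
        ev.append({"type": "process_create", "pid": child_pid, "ppid": 1028, "image": path})
        ev.extend({"type": "remote_write", "pid": 1028, "target_pid": child_pid}
                  for _ in range(3))
    # Decoys: an installer writing a driver, and a system service taking the same privilege.
    ev.append({"type": "file_create", "pid": 4444, "image": "C:\\Windows\\System32\\msiexec.exe",
               "path": "C:\\Windows\\System32\\drivers\\vendor.sys"})
    ev.append({"type": "privilege_adjust", "pid": 700, "image": "C:\\Windows\\System32\\svchost.exe",
               "privilege": MINER_PRIVILEGE})
    return ev


if __name__ == "__main__":
    for pid, f in triage(sample_events()).items():
        print(pid, f["image"], f["score"], f["reasons"])
```

The privilege rule is deliberately scoped to user-profile images: SQL Server and hypervisors legitimately hold SeLockMemoryPrivilege, and a bare "privilege adjusted" alert would be noisy. Raising the drop threshold above one file keeps a single installer-written binary from scoring while the 21-file batch seen here still does.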

Processes

PID Image
1028 C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe
2916 C:\Windows\System\KWBODKl.exe
1332 C:\Windows\System\yeVozfe.exe
2648 C:\Windows\System\PUjLxlm.exe
2524 C:\Windows\System\IHQsJgc.exe
2808 C:\Windows\System\ULQKosb.exe
2628 C:\Windows\System\OigWIyB.exe
2664 C:\Windows\System\KziynoP.exe
2388 C:\Windows\System\ojTwSQW.exe
1900 C:\Windows\System\yRSJbka.exe
556 C:\Windows\System\scLJBKw.exe
2556 C:\Windows\System\YTzUtQV.exe
2640 C:\Windows\System\MEcxGin.exe
2772 C:\Windows\System\NlulgTj.exe
1940 C:\Windows\System\sUtOlVE.exe
768 C:\Windows\System\UmtRphF.exe
320 C:\Windows\System\bBspvQu.exe
1960 C:\Windows\System\UoioNTL.exe
2100 C:\Windows\System\FymBsDe.exe
1752 C:\Windows\System\ROpSQra.exe
1700 C:\Windows\System\jfdTVhG.exe
1620 C:\Windows\System\HLsPFqh.exe

Command lines: the submitted sample ran as "C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe" (quoted path, no arguments); each of the 21 dropped executables ran with its bare image path and no arguments. PIDs are taken from the WriteProcessMemory table above.

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 (none) tcp 6

Six TCP connections to the same endpoint and no domain resolution were recorded. 3.120.0.0/14 is an AWS eu-central-1 (Frankfurt) range, consistent with the DE geolocation. The report does not identify the endpoint's role (beacon C2 or mining pool) and carries no payload detail for the connections.

Files

Dropped executables (21), listed in the order the drops were logged under "Drops file in Windows directory". Paths are reproduced as the sandbox recorded them, some with a drive letter and some without. Every file has a distinct hash set.

\Windows\system\KWBODKl.exe

MD5 3c9de06f8a149b7f77eb94fed8938e6c
SHA1 6591a73b8d05e6978edfc4ac76960b80440a1afd
SHA256 63024aa787716f0f47be3dbd0231d0b5ee7a4f49fc18835bd497c65d2043d3f5
SHA512 0e000760d30bf3ab452dd26c2b0a3aabf4c37e0581720f97e4c510cc2a3c5263bc5e996013c7a177c4c5d5cf93e266b2ea84dfb085b107a19d7dcdb472981aef

C:\Windows\system\yeVozfe.exe

MD5 2f2ba90f90026b4276ca5ee778513d52
SHA1 93353fe2a9efb19a2b1ff676b9596927d7fcb197
SHA256 cb8e33671a93ac276b5a26a510c30fcbd19cb11fdcfd0fa85bd26bda7732eaf8
SHA512 06267a8a2909062fa2dac9927d18ac6ab066cdac0ce24771bf34b547867293de281e29a4e653054f5d5c755ce7cdae199d98320538b7eb0458c0e75829d36bf7

C:\Windows\system\OigWIyB.exe

MD5 f210c93e358f6758c3c2ed93db65ac58
SHA1 3cb0071ca69a64ebb424baf36915afdb5de44ca1
SHA256 bcefddbcda34704b5361e7363ff4f9447b614303f3196d14d6a515ed9969b82d
SHA512 9c500f4912669b65405d6fda737f144a89741edfd8d9cf339311f227b362652b000d15f9b7cc6559a84ad6195ba89b1c0c627b87d136ca00d72b9c13f6aaab31

C:\Windows\system\ROpSQra.exe

MD5 3a959f8f3ebe1c92e8e66b8ab5f894da
SHA1 69d4438c2b5ed03c3ee659b54151e100c44fb270
SHA256 64d29ed88ac0a7122a93fad908b8bbbe237c50e5846beb54f261752a63064190
SHA512 b1f4733ff9e30f3796879a9e9907f0cf51ab8d63f7862802e12e8adff6f05fe899eb55641d2c24aab5bfc204dae0c9e4e0f3a2ea04bf2727177151df7fc3f2af

\Windows\system\PUjLxlm.exe

MD5 d3f900325ec34f4390d3722e27b96754
SHA1 8e07443588fbf61c37ceaf770a24cb6fb7d5b7ea
SHA256 e5d803830a86855adf94f098eeb175905e01267eb403adc8222e5aff5cce0a7b
SHA512 4b99030c6ca27c27bd622838204f4c2858edc62046ef44b15d06584f0bbeaf1baf0956e31b81f98f56ac59eba52375fe94e7a01e9b774501aacb57c3e851f218

C:\Windows\system\IHQsJgc.exe

MD5 8099351dd5cac8355d7c9ae7e3d41dff
SHA1 586eb8e92badfd4c58230e95a4a4af4f458de596
SHA256 5c30559c6551576539afc984b22a24bebcd0c55f71b6b2d07f9116e4c4fd6ea6
SHA512 03df95f83477f6ea34e7df600e2047a9c871834b6e4520d0203d65af031d6f8d3621add524834514460c3ddaeb88a374bea3ca2200bd08c0d92ceba28cf7ef02

\Windows\system\scLJBKw.exe

MD5 12dc43dbda4d2c57cd7a57227cf2a5e5
SHA1 ddfcb4d31e3b497eeb7e4cd8891266fb50dd84f7
SHA256 aa6077dae07d3a342f27703d31c7b59f89cc06051c85e8d3e9b03c30d65f717e
SHA512 bdcdd5206bf6638d747d5fb6ec028dca2c4ab28a39c0dac2881cd4d8a3cedadd123d880f56e019178b68b9c91f755e58f2666494724a3982d04bd491dce336d1

C:\Windows\system\YTzUtQV.exe

MD5 e88f292affc76333228401893c519ed3
SHA1 6c9c9a458afb21dd17a5acfc392dbfdd56a29086
SHA256 1d8925de89573d57511a627234f7fbe814c202f1da9cc130cf08b065e42776b2
SHA512 9022b8196e48703d406d5ee1db5c00a5c2ebfa1831fe2bc0e64c018657e05f570d3c37716074fe328937caeaa199aed3d51fd55686fa2ca250deaa44727777dd

\Windows\system\MEcxGin.exe

MD5 7223200ee6876ef35d70ec397de99287
SHA1 528cf74cc2b1ab69c95f3ed25e45671884322547
SHA256 94610af7583be46aaf6ccedc7b96331680946c6a9ccb9f818e06479c5564bacb
SHA512 7e5490d3bd24ebe411eb4426c43ec132e1daf08e7fd46b9da2f5d6c52f4070b1aa25bfc9e8c7e03c4a5b9c388d20c49cbeb3932b28396cbfa1f98227be224d11

C:\Windows\system\sUtOlVE.exe

MD5 774688d300dae941e48f3791f81b8976
SHA1 9f1b70fbbf8d342f4258dcb45753a57ab44017b0
SHA256 ff5be47cc2bfb5bca9e571cfcfe7eaf299fce4c0c6249bfcb90c820d3990e4fe
SHA512 f674c266e2fc7b6768ee0a5202feb390b9e4a4b7941e80823d3f253413f97b3baf8f7d051321df9a03efc273e9ab5e84296d894af9199be3703a748347adae86

\Windows\system\KziynoP.exe

MD5 1ba934b36bf991f0e6acc55cc826dfae
SHA1 2963fabe74316feb14d539effbd63fcea65aa63a
SHA256 cc57de283b82deabb635694fa47fec1ea35dc08d65965861571f671d56240b48
SHA512 02674fecdf6ccd09498a632f9f0271c9c45c248e0464bfff5e026777b54129159fe7bd72c742636b6488c12c446367d2fd90ce0b169342cbcba2f3eb596c2b46

C:\Windows\system\yRSJbka.exe

MD5 f31ed82f49c2a7b32486137049ba2dfb
SHA1 cdcdc10e92de25c00a4158e76950fa377060e157
SHA256 31856a8a3dcbbe885665d633a716321728913555199b47e9ab150d11c3b7dc67
SHA512 2445259ea7b1e98a14d436ca3a037f9ff3149d0c5af88cd8bb723da66334c8f5bcafead8ec7c66221aaf9ef00b250b97387ea9c48252ac67315b4d162d56ce90

C:\Windows\system\NlulgTj.exe

MD5 b53760842f8c6190c625cda19f98afb4
SHA1 a578352008fa8faeda9bba62634d8711de040cd8
SHA256 76b984df2aabd47c33c806f80ea350907a495f3a23662d726e916883576ef60b
SHA512 87808ccf4729e48c9ad4c7441b32493bc7f483f9af5183072923d36927903205186c24e648af9fa4fdb52dd6e101a87da0995198670e2b1ea16fe1d24824c888

C:\Windows\system\UmtRphF.exe

MD5 646a69ecd3569ae7f19e0d7f7dad40b9
SHA1 e32c70c607078d338a11eb0ea75fd07cb8384579
SHA256 8fa0c6116c654136536bb5192284852b9e0c18d79bdff37d721d614cb5c2b809
SHA512 860c63d8e6db3b8b0d4303727cd6c994e235a4083f0a7f286db33100dc1fda83822381c9fc3962945f520c491991dc803352ef9eb7a8e56c4f005f4985073395

C:\Windows\system\UoioNTL.exe

MD5 21f25762dcf3deaac990dd6cd6c5f850
SHA1 97385155b820b0a14f830292e82c38e86a6b1928
SHA256 7459537c669ba645ebcbdbd91291da3a8be57d048b726a4e77c3075d3ee17af6
SHA512 b137b578fc8aef2009154e598bd62a8b10a1e4ad729cb4f252c12deb7e10d3d126bbde17f62fc0891e7c7d59173e6c5b3e320543386c18f50542f1bdc3f3b542

C:\Windows\system\FymBsDe.exe

MD5 54c99e9ef769fc023fbb68dbce1e7d79
SHA1 9ee5e2e7f66da6492e59573c2ac133cc7ea7b4ac
SHA256 32836c6486f77f1bcd61116cbd90b39c3fca0a63e5be15551e95a9d17d911fa8
SHA512 0b113a8dc64828e045832745844d2487fdcea057846f66724c26ac5c990c5cf2a0e3c0feca8da2ec05b0b7d84aa2c44e2be9bc32c5561f7716a3110510a13d81

C:\Windows\system\jfdTVhG.exe

MD5 741cf5fe853b1c8b6a1e55d00afc9871
SHA1 a9504171bad37ac8a30a0f585d1379d4a0308e5d
SHA256 2337316d664f8b179c3cce545d06a530f94b2014951964302e7ab6fb05f7c9bc
SHA512 3655f66061bad2903bad2d91fd61d55ed7f20d86167d1deee6ec7b36b31a4d2c928a4f0cd06d32705250279ff52c56fb2cedc4b52b6116f63912a5d05fd5e09b

\Windows\system\ULQKosb.exe

MD5 76806b7bf642b36a5a6fa144b0d8cf9a
SHA1 ad1d324d666d47663dcbeecb511b0ec7b6084773
SHA256 5021b4bd7dcff0f4247794ab608e9abcaf8ad254965f802c769ea6cb5263f5da
SHA512 992f7c67c538b1a0b5a7a9f1c01208dead1957ea5075be51b4744a860ae8dd21612d68613c1691cc819a56d0890f238f09f59d2d53a9592a9c7e2ab7f9f1b9cd

C:\Windows\system\ojTwSQW.exe

MD5 939d62afb05eb1746bb2499dc5caa6b8
SHA1 516369df39e5288abd000837246005aeb4110322
SHA256 478fd249b13d86f556641521b72442bae18d6db169bb794339dac7e3f6c7b95c
SHA512 e6dac55531d6e2a28dd5be90cb8eb5ea9ee7bceb8ce4a2c7809831d5070de1f36ed6ec47dbdc002cbf4db6922e8f2b2b5232cf5f85c37f42f5bc7aa55a911ddd

C:\Windows\system\bBspvQu.exe

MD5 7f379015f637e0f0525ebadef6521070
SHA1 e4144c12567f58968cc19a5d528382ff3b273ac7
SHA256 b7964a51c7b09bba9e6cbbc72602d9ee1ef6cdf4636eaf94e5f6795d59ec1046
SHA512 8c13df5643725f8c6280c40c4b6173d1c67eb1fef79199412623e4ab766b489234ac2854f08f259a5932966e1404aee4af181ad3548f8071ffa5acf65d4a65cf

\Windows\system\HLsPFqh.exe

MD5 32b15dd93146f838fbbdae860dd2998d
SHA1 b7011e11f682f41f0eee3a0426477accdf2d9c0a
SHA256 069cc3959f5594286571bb9600c56b68a28c88000250b92e4ed6056289b53db5
SHA512 a6b98dfb070c445915e0931a06e9f88cb4822b933ccc7cd4f4ea588b8c06acb450ba84b351d590e31d3972434182cbe66e78acfb50b99098d4cb231ab650e682

Memory dumps (32), ordered by dump index (memory/<pid>-<index>-<start>-<end>-memory.dmp). Every region except 1028-1 (0x10000 bytes) spans exactly 0x354000 bytes, and several dropper (PID 1028) regions share base address and size with a child's image region, e.g. 0x13F860000 in 1028-21 and 2524-28, 0x13FC00000 in 1028-26 and 1332-19, 0x13FA80000 in 1028-27 and 2648-29.

memory/1028-0-0x000000013F220000-0x000000013F574000-memory.dmp
memory/1028-1-0x0000000000100000-0x0000000000110000-memory.dmp
memory/2916-13-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/1332-19-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/1028-21-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/1028-26-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/1028-27-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2524-28-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2648-29-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/1028-35-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2808-36-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/1028-43-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2628-47-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/1028-53-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2664-55-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/1028-56-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2388-57-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1028-62-0x000000013F220000-0x000000013F574000-memory.dmp
memory/2916-63-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/1900-124-0x000000013F620000-0x000000013F974000-memory.dmp
memory/556-125-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/1028-126-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2556-127-0x000000013F030000-0x000000013F384000-memory.dmp
memory/1028-128-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2640-129-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2772-130-0x000000013F310000-0x000000013F664000-memory.dmp
memory/1028-131-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/1940-132-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/1028-133-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1028-134-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/1028-135-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/1900-136-0x000000013F620000-0x000000013F974000-memory.dmp

memory/1028-137-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/2916-138-0x000000013F070000-0x000000013F3C4000-memory.dmp

memory/1332-139-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2648-140-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2524-141-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2808-142-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/2628-143-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/2664-144-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2388-145-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/556-146-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/2556-147-0x000000013F030000-0x000000013F384000-memory.dmp

memory/2640-148-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/2772-149-0x000000013F310000-0x000000013F664000-memory.dmp

memory/1940-150-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/1900-151-0x000000013F620000-0x000000013F974000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 02:12

Reported

2024-06-01 02:14

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FymBsDe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PUjLxlm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IHQsJgc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ojTwSQW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sUtOlVE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bBspvQu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ULQKosb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OigWIyB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YTzUtQV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UoioNTL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jfdTVhG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KWBODKl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yRSJbka.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MEcxGin.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NlulgTj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HLsPFqh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yeVozfe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KziynoP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\scLJBKw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UmtRphF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ROpSQra.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\KWBODKl.exe
PID 5032 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\KWBODKl.exe
PID 5032 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\yeVozfe.exe
PID 5032 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\yeVozfe.exe
PID 5032 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\PUjLxlm.exe
PID 5032 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\PUjLxlm.exe
PID 5032 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\IHQsJgc.exe
PID 5032 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\IHQsJgc.exe
PID 5032 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\ULQKosb.exe
PID 5032 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\ULQKosb.exe
PID 5032 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\OigWIyB.exe
PID 5032 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\OigWIyB.exe
PID 5032 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\KziynoP.exe
PID 5032 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\KziynoP.exe
PID 5032 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\ojTwSQW.exe
PID 5032 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\ojTwSQW.exe
PID 5032 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\yRSJbka.exe
PID 5032 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\yRSJbka.exe
PID 5032 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\scLJBKw.exe
PID 5032 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\scLJBKw.exe
PID 5032 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\YTzUtQV.exe
PID 5032 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\YTzUtQV.exe
PID 5032 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\MEcxGin.exe
PID 5032 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\MEcxGin.exe
PID 5032 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\NlulgTj.exe
PID 5032 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\NlulgTj.exe
PID 5032 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\sUtOlVE.exe
PID 5032 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\sUtOlVE.exe
PID 5032 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\UmtRphF.exe
PID 5032 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\UmtRphF.exe
PID 5032 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\bBspvQu.exe
PID 5032 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\bBspvQu.exe
PID 5032 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\UoioNTL.exe
PID 5032 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\UoioNTL.exe
PID 5032 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\FymBsDe.exe
PID 5032 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\FymBsDe.exe
PID 5032 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\ROpSQra.exe
PID 5032 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\ROpSQra.exe
PID 5032 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\jfdTVhG.exe
PID 5032 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\jfdTVhG.exe
PID 5032 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\HLsPFqh.exe
PID 5032 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe C:\Windows\System\HLsPFqh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_abf808c3f8aa3bb4ffda0a555b260523_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\KWBODKl.exe

C:\Windows\System\KWBODKl.exe

C:\Windows\System\yeVozfe.exe

C:\Windows\System\yeVozfe.exe

C:\Windows\System\PUjLxlm.exe

C:\Windows\System\PUjLxlm.exe

C:\Windows\System\IHQsJgc.exe

C:\Windows\System\IHQsJgc.exe

C:\Windows\System\ULQKosb.exe

C:\Windows\System\ULQKosb.exe

C:\Windows\System\OigWIyB.exe

C:\Windows\System\OigWIyB.exe

C:\Windows\System\KziynoP.exe

C:\Windows\System\KziynoP.exe

C:\Windows\System\ojTwSQW.exe

C:\Windows\System\ojTwSQW.exe

C:\Windows\System\yRSJbka.exe

C:\Windows\System\yRSJbka.exe

C:\Windows\System\scLJBKw.exe

C:\Windows\System\scLJBKw.exe

C:\Windows\System\YTzUtQV.exe

C:\Windows\System\YTzUtQV.exe

C:\Windows\System\MEcxGin.exe

C:\Windows\System\MEcxGin.exe

C:\Windows\System\NlulgTj.exe

C:\Windows\System\NlulgTj.exe

C:\Windows\System\sUtOlVE.exe

C:\Windows\System\sUtOlVE.exe

C:\Windows\System\UmtRphF.exe

C:\Windows\System\UmtRphF.exe

C:\Windows\System\bBspvQu.exe

C:\Windows\System\bBspvQu.exe

C:\Windows\System\UoioNTL.exe

C:\Windows\System\UoioNTL.exe

C:\Windows\System\FymBsDe.exe

C:\Windows\System\FymBsDe.exe

C:\Windows\System\ROpSQra.exe

C:\Windows\System\ROpSQra.exe

C:\Windows\System\jfdTVhG.exe

C:\Windows\System\jfdTVhG.exe

C:\Windows\System\HLsPFqh.exe

C:\Windows\System\HLsPFqh.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/5032-0-0x00007FF69A610000-0x00007FF69A964000-memory.dmp

memory/5032-1-0x000001FBD9C60000-0x000001FBD9C70000-memory.dmp

C:\Windows\System\KWBODKl.exe

MD5 3c9de06f8a149b7f77eb94fed8938e6c
SHA1 6591a73b8d05e6978edfc4ac76960b80440a1afd
SHA256 63024aa787716f0f47be3dbd0231d0b5ee7a4f49fc18835bd497c65d2043d3f5
SHA512 0e000760d30bf3ab452dd26c2b0a3aabf4c37e0581720f97e4c510cc2a3c5263bc5e996013c7a177c4c5d5cf93e266b2ea84dfb085b107a19d7dcdb472981aef

C:\Windows\System\yeVozfe.exe

MD5 2f2ba90f90026b4276ca5ee778513d52
SHA1 93353fe2a9efb19a2b1ff676b9596927d7fcb197
SHA256 cb8e33671a93ac276b5a26a510c30fcbd19cb11fdcfd0fa85bd26bda7732eaf8
SHA512 06267a8a2909062fa2dac9927d18ac6ab066cdac0ce24771bf34b547867293de281e29a4e653054f5d5c755ce7cdae199d98320538b7eb0458c0e75829d36bf7

memory/4920-8-0x00007FF795350000-0x00007FF7956A4000-memory.dmp

C:\Windows\System\PUjLxlm.exe

MD5 d3f900325ec34f4390d3722e27b96754
SHA1 8e07443588fbf61c37ceaf770a24cb6fb7d5b7ea
SHA256 e5d803830a86855adf94f098eeb175905e01267eb403adc8222e5aff5cce0a7b
SHA512 4b99030c6ca27c27bd622838204f4c2858edc62046ef44b15d06584f0bbeaf1baf0956e31b81f98f56ac59eba52375fe94e7a01e9b774501aacb57c3e851f218

C:\Windows\System\IHQsJgc.exe

MD5 8099351dd5cac8355d7c9ae7e3d41dff
SHA1 586eb8e92badfd4c58230e95a4a4af4f458de596
SHA256 5c30559c6551576539afc984b22a24bebcd0c55f71b6b2d07f9116e4c4fd6ea6
SHA512 03df95f83477f6ea34e7df600e2047a9c871834b6e4520d0203d65af031d6f8d3621add524834514460c3ddaeb88a374bea3ca2200bd08c0d92ceba28cf7ef02

C:\Windows\System\ULQKosb.exe

MD5 76806b7bf642b36a5a6fa144b0d8cf9a
SHA1 ad1d324d666d47663dcbeecb511b0ec7b6084773
SHA256 5021b4bd7dcff0f4247794ab608e9abcaf8ad254965f802c769ea6cb5263f5da
SHA512 992f7c67c538b1a0b5a7a9f1c01208dead1957ea5075be51b4744a860ae8dd21612d68613c1691cc819a56d0890f238f09f59d2d53a9592a9c7e2ab7f9f1b9cd

C:\Windows\System\OigWIyB.exe

MD5 f210c93e358f6758c3c2ed93db65ac58
SHA1 3cb0071ca69a64ebb424baf36915afdb5de44ca1
SHA256 bcefddbcda34704b5361e7363ff4f9447b614303f3196d14d6a515ed9969b82d
SHA512 9c500f4912669b65405d6fda737f144a89741edfd8d9cf339311f227b362652b000d15f9b7cc6559a84ad6195ba89b1c0c627b87d136ca00d72b9c13f6aaab31

memory/3460-33-0x00007FF622C90000-0x00007FF622FE4000-memory.dmp

memory/1728-32-0x00007FF73E680000-0x00007FF73E9D4000-memory.dmp

memory/3904-23-0x00007FF78C640000-0x00007FF78C994000-memory.dmp

memory/2820-35-0x00007FF74A6D0000-0x00007FF74AA24000-memory.dmp

memory/3312-41-0x00007FF69CEE0000-0x00007FF69D234000-memory.dmp

C:\Windows\System\KziynoP.exe

MD5 1ba934b36bf991f0e6acc55cc826dfae
SHA1 2963fabe74316feb14d539effbd63fcea65aa63a
SHA256 cc57de283b82deabb635694fa47fec1ea35dc08d65965861571f671d56240b48
SHA512 02674fecdf6ccd09498a632f9f0271c9c45c248e0464bfff5e026777b54129159fe7bd72c742636b6488c12c446367d2fd90ce0b169342cbcba2f3eb596c2b46

C:\Windows\System\ojTwSQW.exe

MD5 939d62afb05eb1746bb2499dc5caa6b8
SHA1 516369df39e5288abd000837246005aeb4110322
SHA256 478fd249b13d86f556641521b72442bae18d6db169bb794339dac7e3f6c7b95c
SHA512 e6dac55531d6e2a28dd5be90cb8eb5ea9ee7bceb8ce4a2c7809831d5070de1f36ed6ec47dbdc002cbf4db6922e8f2b2b5232cf5f85c37f42f5bc7aa55a911ddd

memory/2840-59-0x00007FF67E6C0000-0x00007FF67EA14000-memory.dmp

C:\Windows\System\scLJBKw.exe

MD5 12dc43dbda4d2c57cd7a57227cf2a5e5
SHA1 ddfcb4d31e3b497eeb7e4cd8891266fb50dd84f7
SHA256 aa6077dae07d3a342f27703d31c7b59f89cc06051c85e8d3e9b03c30d65f717e
SHA512 bdcdd5206bf6638d747d5fb6ec028dca2c4ab28a39c0dac2881cd4d8a3cedadd123d880f56e019178b68b9c91f755e58f2666494724a3982d04bd491dce336d1

C:\Windows\System\MEcxGin.exe

MD5 7223200ee6876ef35d70ec397de99287
SHA1 528cf74cc2b1ab69c95f3ed25e45671884322547
SHA256 94610af7583be46aaf6ccedc7b96331680946c6a9ccb9f818e06479c5564bacb
SHA512 7e5490d3bd24ebe411eb4426c43ec132e1daf08e7fd46b9da2f5d6c52f4070b1aa25bfc9e8c7e03c4a5b9c388d20c49cbeb3932b28396cbfa1f98227be224d11

C:\Windows\System\NlulgTj.exe

MD5 b53760842f8c6190c625cda19f98afb4
SHA1 a578352008fa8faeda9bba62634d8711de040cd8
SHA256 76b984df2aabd47c33c806f80ea350907a495f3a23662d726e916883576ef60b
SHA512 87808ccf4729e48c9ad4c7441b32493bc7f483f9af5183072923d36927903205186c24e648af9fa4fdb52dd6e101a87da0995198670e2b1ea16fe1d24824c888

memory/824-84-0x00007FF7018C0000-0x00007FF701C14000-memory.dmp

memory/4632-91-0x00007FF6F21A0000-0x00007FF6F24F4000-memory.dmp

memory/508-92-0x00007FF60AE00000-0x00007FF60B154000-memory.dmp

memory/3992-90-0x00007FF6173B0000-0x00007FF617704000-memory.dmp

memory/2152-89-0x00007FF6E82E0000-0x00007FF6E8634000-memory.dmp

C:\Windows\System\UmtRphF.exe

MD5 646a69ecd3569ae7f19e0d7f7dad40b9
SHA1 e32c70c607078d338a11eb0ea75fd07cb8384579
SHA256 8fa0c6116c654136536bb5192284852b9e0c18d79bdff37d721d614cb5c2b809
SHA512 860c63d8e6db3b8b0d4303727cd6c994e235a4083f0a7f286db33100dc1fda83822381c9fc3962945f520c491991dc803352ef9eb7a8e56c4f005f4985073395

C:\Windows\System\sUtOlVE.exe

MD5 774688d300dae941e48f3791f81b8976
SHA1 9f1b70fbbf8d342f4258dcb45753a57ab44017b0
SHA256 ff5be47cc2bfb5bca9e571cfcfe7eaf299fce4c0c6249bfcb90c820d3990e4fe
SHA512 f674c266e2fc7b6768ee0a5202feb390b9e4a4b7941e80823d3f253413f97b3baf8f7d051321df9a03efc273e9ab5e84296d894af9199be3703a748347adae86

C:\Windows\System\YTzUtQV.exe

MD5 e88f292affc76333228401893c519ed3
SHA1 6c9c9a458afb21dd17a5acfc392dbfdd56a29086
SHA256 1d8925de89573d57511a627234f7fbe814c202f1da9cc130cf08b065e42776b2
SHA512 9022b8196e48703d406d5ee1db5c00a5c2ebfa1831fe2bc0e64c018657e05f570d3c37716074fe328937caeaa199aed3d51fd55686fa2ca250deaa44727777dd

memory/1640-60-0x00007FF6A2790000-0x00007FF6A2AE4000-memory.dmp

memory/4120-57-0x00007FF755310000-0x00007FF755664000-memory.dmp

C:\Windows\System\yRSJbka.exe

MD5 f31ed82f49c2a7b32486137049ba2dfb
SHA1 cdcdc10e92de25c00a4158e76950fa377060e157
SHA256 31856a8a3dcbbe885665d633a716321728913555199b47e9ab150d11c3b7dc67
SHA512 2445259ea7b1e98a14d436ca3a037f9ff3149d0c5af88cd8bb723da66334c8f5bcafead8ec7c66221aaf9ef00b250b97387ea9c48252ac67315b4d162d56ce90

memory/4780-44-0x00007FF742670000-0x00007FF7429C4000-memory.dmp

C:\Windows\System\bBspvQu.exe

MD5 7f379015f637e0f0525ebadef6521070
SHA1 e4144c12567f58968cc19a5d528382ff3b273ac7
SHA256 b7964a51c7b09bba9e6cbbc72602d9ee1ef6cdf4636eaf94e5f6795d59ec1046
SHA512 8c13df5643725f8c6280c40c4b6173d1c67eb1fef79199412623e4ab766b489234ac2854f08f259a5932966e1404aee4af181ad3548f8071ffa5acf65d4a65cf

memory/3216-98-0x00007FF6D4830000-0x00007FF6D4B84000-memory.dmp

C:\Windows\System\FymBsDe.exe

MD5 54c99e9ef769fc023fbb68dbce1e7d79
SHA1 9ee5e2e7f66da6492e59573c2ac133cc7ea7b4ac
SHA256 32836c6486f77f1bcd61116cbd90b39c3fca0a63e5be15551e95a9d17d911fa8
SHA512 0b113a8dc64828e045832745844d2487fdcea057846f66724c26ac5c990c5cf2a0e3c0feca8da2ec05b0b7d84aa2c44e2be9bc32c5561f7716a3110510a13d81

C:\Windows\System\ROpSQra.exe

MD5 3a959f8f3ebe1c92e8e66b8ab5f894da
SHA1 69d4438c2b5ed03c3ee659b54151e100c44fb270
SHA256 64d29ed88ac0a7122a93fad908b8bbbe237c50e5846beb54f261752a63064190
SHA512 b1f4733ff9e30f3796879a9e9907f0cf51ab8d63f7862802e12e8adff6f05fe899eb55641d2c24aab5bfc204dae0c9e4e0f3a2ea04bf2727177151df7fc3f2af

C:\Windows\System\UoioNTL.exe

MD5 21f25762dcf3deaac990dd6cd6c5f850
SHA1 97385155b820b0a14f830292e82c38e86a6b1928
SHA256 7459537c669ba645ebcbdbd91291da3a8be57d048b726a4e77c3075d3ee17af6
SHA512 b137b578fc8aef2009154e598bd62a8b10a1e4ad729cb4f252c12deb7e10d3d126bbde17f62fc0891e7c7d59173e6c5b3e320543386c18f50542f1bdc3f3b542

memory/5032-105-0x00007FF69A610000-0x00007FF69A964000-memory.dmp

memory/4960-115-0x00007FF7E3AF0000-0x00007FF7E3E44000-memory.dmp

memory/2612-118-0x00007FF783A60000-0x00007FF783DB4000-memory.dmp

memory/3248-122-0x00007FF6F5220000-0x00007FF6F5574000-memory.dmp

memory/4920-127-0x00007FF795350000-0x00007FF7956A4000-memory.dmp

memory/3904-128-0x00007FF78C640000-0x00007FF78C994000-memory.dmp

C:\Windows\System\jfdTVhG.exe

MD5 741cf5fe853b1c8b6a1e55d00afc9871
SHA1 a9504171bad37ac8a30a0f585d1379d4a0308e5d
SHA256 2337316d664f8b179c3cce545d06a530f94b2014951964302e7ab6fb05f7c9bc
SHA512 3655f66061bad2903bad2d91fd61d55ed7f20d86167d1deee6ec7b36b31a4d2c928a4f0cd06d32705250279ff52c56fb2cedc4b52b6116f63912a5d05fd5e09b

C:\Windows\System\HLsPFqh.exe

MD5 32b15dd93146f838fbbdae860dd2998d
SHA1 b7011e11f682f41f0eee3a0426477accdf2d9c0a
SHA256 069cc3959f5594286571bb9600c56b68a28c88000250b92e4ed6056289b53db5
SHA512 a6b98dfb070c445915e0931a06e9f88cb4822b933ccc7cd4f4ea588b8c06acb450ba84b351d590e31d3972434182cbe66e78acfb50b99098d4cb231ab650e682

memory/1728-129-0x00007FF73E680000-0x00007FF73E9D4000-memory.dmp

memory/5036-130-0x00007FF6BA640000-0x00007FF6BA994000-memory.dmp

memory/4408-131-0x00007FF72F9E0000-0x00007FF72FD34000-memory.dmp

memory/3312-132-0x00007FF69CEE0000-0x00007FF69D234000-memory.dmp

memory/4780-133-0x00007FF742670000-0x00007FF7429C4000-memory.dmp

memory/1640-134-0x00007FF6A2790000-0x00007FF6A2AE4000-memory.dmp

memory/3216-135-0x00007FF6D4830000-0x00007FF6D4B84000-memory.dmp

memory/2612-137-0x00007FF783A60000-0x00007FF783DB4000-memory.dmp

memory/4960-136-0x00007FF7E3AF0000-0x00007FF7E3E44000-memory.dmp

memory/3248-138-0x00007FF6F5220000-0x00007FF6F5574000-memory.dmp

memory/4920-139-0x00007FF795350000-0x00007FF7956A4000-memory.dmp

memory/3904-140-0x00007FF78C640000-0x00007FF78C994000-memory.dmp

memory/3460-141-0x00007FF622C90000-0x00007FF622FE4000-memory.dmp

memory/1728-142-0x00007FF73E680000-0x00007FF73E9D4000-memory.dmp

memory/2820-143-0x00007FF74A6D0000-0x00007FF74AA24000-memory.dmp

memory/3312-144-0x00007FF69CEE0000-0x00007FF69D234000-memory.dmp

memory/4780-145-0x00007FF742670000-0x00007FF7429C4000-memory.dmp

memory/4120-146-0x00007FF755310000-0x00007FF755664000-memory.dmp

memory/1640-147-0x00007FF6A2790000-0x00007FF6A2AE4000-memory.dmp

memory/2840-148-0x00007FF67E6C0000-0x00007FF67EA14000-memory.dmp

memory/2152-150-0x00007FF6E82E0000-0x00007FF6E8634000-memory.dmp

memory/824-149-0x00007FF7018C0000-0x00007FF701C14000-memory.dmp

memory/508-151-0x00007FF60AE00000-0x00007FF60B154000-memory.dmp

memory/4632-153-0x00007FF6F21A0000-0x00007FF6F24F4000-memory.dmp

memory/3992-152-0x00007FF6173B0000-0x00007FF617704000-memory.dmp

memory/3216-154-0x00007FF6D4830000-0x00007FF6D4B84000-memory.dmp

memory/4960-155-0x00007FF7E3AF0000-0x00007FF7E3E44000-memory.dmp

memory/5036-156-0x00007FF6BA640000-0x00007FF6BA994000-memory.dmp

memory/2612-157-0x00007FF783A60000-0x00007FF783DB4000-memory.dmp

memory/3248-159-0x00007FF6F5220000-0x00007FF6F5574000-memory.dmp

memory/4408-158-0x00007FF72F9E0000-0x00007FF72FD34000-memory.dmp