Malware Analysis Report

2025-01-22 19:40

Sample ID 240601-d8rtrshc73
Target 2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike
SHA256 1f9909a3a2f29fbfa912809ab13d5a7caf2556e1fd53516e819947a94cbb4e25
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1f9909a3a2f29fbfa912809ab13d5a7caf2556e1fd53516e819947a94cbb4e25

Threat Level: Known bad

The file 2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

xmrig

Cobaltstrike

Detects Reflective DLL injection artifacts

Xmrig family

UPX dump on OEP (original entry point)

Cobaltstrike family

Cobalt Strike reflective loader

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 03:41

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 03:41

Reported

2024-06-01 03:43

Platform

win7-20240215-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ndJPLgn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FzAOeWh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jQfQtzn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rXJnuZg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oYjrtom.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LnkPzPw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LgyNIwO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cxffbOG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DeCxccn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SpFEpLI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GsaLehY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pJRwQQq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZlVmkPT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XPsCwEl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bYzYFew.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AcqjjYg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nqdWEBv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hrzaQqS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xgqBBRe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xDmgDMO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sjASYCb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\LnkPzPw.exe
PID 2028 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\sjASYCb.exe
PID 2028 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\nqdWEBv.exe
PID 2028 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\SpFEpLI.exe
PID 2028 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\ndJPLgn.exe
PID 2028 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\hrzaQqS.exe
PID 2028 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\LgyNIwO.exe
PID 2028 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\GsaLehY.exe
PID 2028 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\FzAOeWh.exe
PID 2028 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\cxffbOG.exe
PID 2028 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\DeCxccn.exe
PID 2028 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\pJRwQQq.exe
PID 2028 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\jQfQtzn.exe
PID 2028 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\xgqBBRe.exe
PID 2028 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZlVmkPT.exe
PID 2028 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\XPsCwEl.exe
PID 2028 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\rXJnuZg.exe
PID 2028 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\bYzYFew.exe
PID 2028 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\xDmgDMO.exe
PID 2028 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\AcqjjYg.exe
PID 2028 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\oYjrtom.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\LnkPzPw.exe C:\Windows\System\LnkPzPw.exe
C:\Windows\System\sjASYCb.exe C:\Windows\System\sjASYCb.exe
C:\Windows\System\nqdWEBv.exe C:\Windows\System\nqdWEBv.exe
C:\Windows\System\SpFEpLI.exe C:\Windows\System\SpFEpLI.exe
C:\Windows\System\ndJPLgn.exe C:\Windows\System\ndJPLgn.exe
C:\Windows\System\hrzaQqS.exe C:\Windows\System\hrzaQqS.exe
C:\Windows\System\LgyNIwO.exe C:\Windows\System\LgyNIwO.exe
C:\Windows\System\GsaLehY.exe C:\Windows\System\GsaLehY.exe
C:\Windows\System\FzAOeWh.exe C:\Windows\System\FzAOeWh.exe
C:\Windows\System\cxffbOG.exe C:\Windows\System\cxffbOG.exe
C:\Windows\System\DeCxccn.exe C:\Windows\System\DeCxccn.exe
C:\Windows\System\pJRwQQq.exe C:\Windows\System\pJRwQQq.exe
C:\Windows\System\jQfQtzn.exe C:\Windows\System\jQfQtzn.exe
C:\Windows\System\xgqBBRe.exe C:\Windows\System\xgqBBRe.exe
C:\Windows\System\ZlVmkPT.exe C:\Windows\System\ZlVmkPT.exe
C:\Windows\System\XPsCwEl.exe C:\Windows\System\XPsCwEl.exe
C:\Windows\System\rXJnuZg.exe C:\Windows\System\rXJnuZg.exe
C:\Windows\System\bYzYFew.exe C:\Windows\System\bYzYFew.exe
C:\Windows\System\xDmgDMO.exe C:\Windows\System\xDmgDMO.exe
C:\Windows\System\AcqjjYg.exe C:\Windows\System\AcqjjYg.exe
C:\Windows\System\oYjrtom.exe C:\Windows\System\oYjrtom.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2028-0-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2028-1-0x0000000000300000-0x0000000000310000-memory.dmp

\Windows\system\LnkPzPw.exe

MD5 0b1a450a816c241743ccf8cd82e46c12
SHA1 6890203b82c54abf497bb8d9b314e60d038273f3
SHA256 a99f1285372f4cfef4b396ddc33309ff5cef770518e49ba3d3ceafbc522b27d1
SHA512 94c9cd423ccad71c2a5dda3f988bc40782b60facbd59eaa60d0f897d0b9012cb81b84575b899cd6a5a684ba68c4384ed921492b0a67fe28759fe02201debf37e

C:\Windows\system\sjASYCb.exe

MD5 662e382b553fa02fc43e3066633daf96
SHA1 3510c9f8d1e098bb75ad9d9cc934c2369832a733
SHA256 65e3cdae711fc09cc8fd3df9fcd036096d09450499b847ccaa5edea03661dec4
SHA512 232b301094795770d06ec79c88bf045176664333150c9424d7a597eeb1d3e1f91560f9b93ed69a37b83ec88f495be33667eccb99362ff6caf7bd417317a9c49e

memory/2392-13-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2252-15-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2028-8-0x000000013F140000-0x000000013F494000-memory.dmp

C:\Windows\system\nqdWEBv.exe

MD5 40529dbeb86399e7c1a473669e8e901a
SHA1 26e1933821cbe3c1061a73e566b6f400eaae50f0
SHA256 f640322e0a55b34a5a73a8cfcf048c3f2e810edbdad2bcd4d9fd1a775ba909cc
SHA512 43a142d6eb5037601f65ba4834d98c9c8621edd6c008095f7456d5f1e1a229ed6e51ff7e0d44edc276949e001ae9cbbff435252a59f38bbc72c19a94f05012e3

memory/2028-21-0x0000000002290000-0x00000000025E4000-memory.dmp

memory/2568-22-0x000000013FAB0000-0x000000013FE04000-memory.dmp

\Windows\system\SpFEpLI.exe

MD5 d9353505f693e6f5abc464f5ec680e97
SHA1 f4cf3345461082e10c7e758be9661a40fe391a70
SHA256 9f3479add24ee252245cd52ddac0bd2e4f1d612da343f3b22e37b8309a40dea3
SHA512 d649e3785a863bc361a5a9c1f15218a5a5e4cb7a8872d391be0d41d8557ada9f09504166896d53d5dcd115d668c47feb0d62d13edd79eb3395198acbd346cd9b

memory/2028-26-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2652-29-0x000000013F610000-0x000000013F964000-memory.dmp

\Windows\system\ndJPLgn.exe

MD5 5ed6278c03bced2ec22ca0064d2a5c52
SHA1 375e9342f4a0ff1e5cb89ae6f358bd814411c91e
SHA256 f7b73b52e51654da2b6b2c4aa079a0a4c02bee1c14307690148871f2b7c89f9b
SHA512 c738301f9284959f573ebaf531c25a53d5d32ce295feecdc3f2303ca062eb85de4f8f30249fcf4a264a99f30145fc8d1fb10a00067bd2602b848ed2f918ed8ae

C:\Windows\system\hrzaQqS.exe

MD5 f21d87e611ae25c08addf5815832a78f
SHA1 c322014ea000a45620d3ce64449e76f6831e810e
SHA256 e078ec7779d17b29481f8b2469626f82536f6c427e79655f01c9363f01e5a998
SHA512 2292d2f39ac287835bf1da1f69a7121b7eea01f21e976ec4cbc892cd36049c45c1e30e99a734b991216d9be082b2063179eb4c6d09a3a71a62888d3a3b50bca9

memory/2580-40-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2744-42-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/2028-41-0x000000013FCE0000-0x0000000140034000-memory.dmp

C:\Windows\system\LgyNIwO.exe

MD5 13bd02d9e40ee6137db45786c04ccf7a
SHA1 e6abeed7e8c3da13a78b7ecbbe76f575d536526f
SHA256 ee2918bdacf82cc76aa02c06f8beea72e748cbd61d7f1a67819fedb4740607b5
SHA512 0dc4d8e18d7269eb78808a5b5fc1c1312f0c7bd2c639da7e3f2c7c909e08424d982e16f4885eb9249c920e8810c279434d89659acf160d0bc30cfbbf61974f00

memory/2028-48-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2752-49-0x000000013F850000-0x000000013FBA4000-memory.dmp

C:\Windows\system\GsaLehY.exe

MD5 1f54b943f35fd1a9bb3cb74a9cc2d083
SHA1 c971326f83f3aaf8d4707b13b3ea32d378e6a1ef
SHA256 78b30ff1ff8ae2812e76a6eb2a769c8f75489976b6a6f9aa66c6cbb98123a5bc
SHA512 adb6c7ed389152575a2b8d47da590aa4ddf052c8bd173a6b64a08130c8b51cc4bfff3b81aa08b64bc4eb950d6b7a5e1a508b98a39c73370f1e4dbad5e8a46391

memory/2444-56-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2028-55-0x000000013F480000-0x000000013F7D4000-memory.dmp

\Windows\system\FzAOeWh.exe

MD5 c7376725f442f42b7772ce2c76024886
SHA1 beea8ca615db5f601749ad5e2976d998fa10b32d
SHA256 d49544e625bb02126e92b565ed0f07facc072c4ff85ad6ee08be77a6292627ef
SHA512 7832562d9296f4bf087ec42393c0ccda7fabf08483679d14a3881f779485d96c323ab481f46539dcccc75f9a3b589a372fcd4962537043b298acd8d7335afd96

memory/2516-62-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2252-61-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2028-67-0x0000000002290000-0x00000000025E4000-memory.dmp

memory/1736-71-0x000000013F1E0000-0x000000013F534000-memory.dmp

C:\Windows\system\pJRwQQq.exe

MD5 85d20d8d8f7a69843ceba02e47160755
SHA1 4df0d2c33484b6dc2da547887e60dbb637a7a2d8
SHA256 69ede140877abe5f72c373d4077aa2c7dab95b14d8a6b8a38ede26370d937217
SHA512 7b592ced19e40b74e90450de44952f6455afb059067bfcae2db0c9fb7abc9221e41d4b115f04f37eed21bc83666720af3b3ad3f742848bd3e4fe4fd0d931e39f

C:\Windows\system\xgqBBRe.exe

MD5 46bf8c59265e48a0c10cddf80850b3db
SHA1 ee5fc316eb4f493e76fa6b246f8a70106ce0a95d
SHA256 bc540eb8ff45339b07228321019c2547259041bd1646eda3cfb9f561aea90806
SHA512 287d92cb051ea324c100c0b8137a2b830437ac8700108db86dc4f365ca614f79626aea37f87f1e854c4f09880a852919cef3fd2e3280d2e12dbf413614212541

C:\Windows\system\XPsCwEl.exe

MD5 030f75f48414a785d16c187fff86ac06
SHA1 a10a886350f3599b9c1a43c0596f3ebde0402f10
SHA256 cf393277d4b4cb1f9559bfcb7e6eb8b87687dddb9615e7e2d1eef7ec19571446
SHA512 67908d192478389821ae7f5807f3036b765cfabb47333c383bfd0d95de1647631c6f0c74933f7965b326c9eec6a6da9a1252cbb3695f3b82b456d40308562eac

memory/2028-114-0x000000013F440000-0x000000013F794000-memory.dmp

C:\Windows\system\oYjrtom.exe

MD5 b9d7aa6ddf652ec3495b2901d7797ce6
SHA1 1c77562230d1d02425c4d5f1ae362938c9becec4
SHA256 0177371624571e5c51415820c617a8754ed5dbe5a5156cabc46eed137812ad36
SHA512 217c1beb0d962aac2ec0434ab379b07c6cd411a4b1e84ff6d3b0aac9efbf0946cd675e8c357184ed54f0b1eb8ce593a840614d56b6a056a9c14cef70ba743cca

C:\Windows\system\AcqjjYg.exe

MD5 79873bd949eac9c6d14565c7d6bf3fb1
SHA1 8a9f6c9c7975e46bcfb4ae3f8ecc6a102aaf2098
SHA256 431368d4f20e56ec06046e7375d184657fd2badda7c3068c2a68fc58f5587df8
SHA512 daa934eb9c942a3ed397b63b960459a6c21ebeabe190ca992ef0fbf54ea4c1c1b784f6cec1d518c9e1b92569dbeab79642b89c5ec320b1fc1978fe90eec6cc0c

C:\Windows\system\xDmgDMO.exe

MD5 aaee8fa38867db9df89778dec487a630
SHA1 8abc387b1326e3d37e574aac186ed969428ede2e
SHA256 8d722ace2d7e37963e2326721354606679c2cbe853494c533a21bf2c87224f0f
SHA512 5e8c66117c1b9045e1e1b3d2021700c3d298470314fc50606b0de747a0583819e45249c2fb3a9efc9dd833f219edb728efa2d5b7df127ce2d4774e46080890e4

memory/2652-105-0x000000013F610000-0x000000013F964000-memory.dmp

C:\Windows\system\jQfQtzn.exe

MD5 9c313195b971c371e285fcbf1effee23
SHA1 5c4ae6f62cd5c20776c9780949c8db2248cbbf0b
SHA256 8f3880338bea72efbba654129f83227c5fda6ff6492fc90bfa6dddb6883f5090
SHA512 96f276e4b75e97aceff40a6b95ff98be0a47e33f2614efa69fa852b866e4e0d7a9af148a5af385bd748c4f51a72aae05b64c007a80e3886d61624aa1272e465e

memory/2028-102-0x0000000002290000-0x00000000025E4000-memory.dmp

\Windows\system\rXJnuZg.exe

MD5 20300dcaaae701a4aaf7a2dda1de39f3
SHA1 b75d52172a8e8852165ad1f52902f6445260ba4e
SHA256 af3f7560bab3f4a67c3d21ea190187927019d8f4c34e4a09c96ec4295e598385
SHA512 9aeea2a1f8ee5d670154bce37f1522b1488530d20c0760e485ca3819095aa693da15359baff83acd1f59a04376f1097c355df8a25892152e2283c27d33c6135c

\Windows\system\ZlVmkPT.exe

MD5 66ea8b85a375006a05c3b289c42c4c28
SHA1 c75e549cd7efe9f1ffd113841f7c458e9033675b
SHA256 597aabe7972e9da113af5059071e5746dceb9d9a6548912129319aa068324922
SHA512 861704487e61919eca4b4f67041bad523dfc8f1e4fbf3fd3342d1975b19c674e582277f93588ebfad5ca5e2d9077723f36c11e50368a270df9dfe7df518b52f6

C:\Windows\system\bYzYFew.exe

MD5 5e7c6c28a06bde81187bd5ed99cc76fe
SHA1 de8dcb1cb18833165519e762829cfbbdb8bd72fe
SHA256 959eb434bebfcc94021e8733e2ba05bc00a3fa656b564f0044e9c98f751ec565
SHA512 2b40db68e61ed4ac7b6753c1371391e53763e41ed12d027c2a90e5c8aa3e667671249c819b3207a9dfc948d7d150bf3488347b05a3091797b4916913f92ba148

C:\Windows\system\DeCxccn.exe

MD5 0cb6af21a5f423932f1ff57c12ada6ac
SHA1 6cc7e9060b23b07c1aa87b231b0902422dd11d49
SHA256 c90d11ead7d2801b7b562eb2a137cbc086feb016fc2637250e65ee29a03a431d
SHA512 9644b6795d9d14776a5ee6b51d6b67d2bef3126753e5f8f1ba08acdd17bb63eeccb7ecf64490c946d0b19b46eee163f49eb75361090372794eddcbb66eb1aba0

C:\Windows\system\cxffbOG.exe

MD5 db99a1b782d4de3add291bf5123447d7
SHA1 4dad3dc28966d2eb329c3190698b88740b90ec60
SHA256 51200d3408d7c761d6fca143ef063c3c6e312abdb68f6f5c52aff8302029b9fa
SHA512 a8a54fd768cb2704cf7109fd1dd4a7b2be212081db68001120981969f7931896ddaaab8f8d3d32bd3d8fdd5c0a5dc4b1ec9b501b9252491ddf79e6ff9666011a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 03:41

Reported

2024-06-01 03:43

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\mpoVQVv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aWuExFY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OVbWmzO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bNfgltV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NseSjQW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eEHpcye.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wkmqOnD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hfhKkJh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hcEMQHy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hZiwQlW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AorrAyZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mrgafwu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gJPLEoE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rOAAXVf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KWqzdvt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LwjQfgn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bgeMDbo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CpkHKQF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UkBFCja.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WFyAIVs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yqJWayl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3064 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\UkBFCja.exe
PID 3064 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\UkBFCja.exe
PID 3064 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\mrgafwu.exe
PID 3064 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\mrgafwu.exe
PID 3064 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\gJPLEoE.exe
PID 3064 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\gJPLEoE.exe
PID 3064 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\AorrAyZ.exe
PID 3064 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\AorrAyZ.exe
PID 3064 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\rOAAXVf.exe
PID 3064 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\rOAAXVf.exe
PID 3064 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\wkmqOnD.exe
PID 3064 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\wkmqOnD.exe
PID 3064 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\hfhKkJh.exe
PID 3064 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\hfhKkJh.exe
PID 3064 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\KWqzdvt.exe
PID 3064 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\KWqzdvt.exe
PID 3064 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\LwjQfgn.exe
PID 3064 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\LwjQfgn.exe
PID 3064 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\bgeMDbo.exe
PID 3064 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\bgeMDbo.exe
PID 3064 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\aWuExFY.exe
PID 3064 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\aWuExFY.exe
PID 3064 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\hcEMQHy.exe
PID 3064 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\hcEMQHy.exe
PID 3064 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\CpkHKQF.exe
PID 3064 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\CpkHKQF.exe
PID 3064 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\eEHpcye.exe
PID 3064 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\eEHpcye.exe
PID 3064 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\OVbWmzO.exe
PID 3064 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\OVbWmzO.exe
PID 3064 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\yqJWayl.exe
PID 3064 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\yqJWayl.exe
PID 3064 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\hZiwQlW.exe
PID 3064 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\hZiwQlW.exe
PID 3064 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\bNfgltV.exe
PID 3064 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\bNfgltV.exe
PID 3064 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\NseSjQW.exe
PID 3064 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\NseSjQW.exe
PID 3064 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\mpoVQVv.exe
PID 3064 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\mpoVQVv.exe
PID 3064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\WFyAIVs.exe
PID 3064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe C:\Windows\System\WFyAIVs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\UkBFCja.exe

C:\Windows\System\UkBFCja.exe

C:\Windows\System\mrgafwu.exe

C:\Windows\System\mrgafwu.exe

C:\Windows\System\gJPLEoE.exe

C:\Windows\System\gJPLEoE.exe

C:\Windows\System\AorrAyZ.exe

C:\Windows\System\AorrAyZ.exe

C:\Windows\System\rOAAXVf.exe

C:\Windows\System\rOAAXVf.exe

C:\Windows\System\wkmqOnD.exe

C:\Windows\System\wkmqOnD.exe

C:\Windows\System\hfhKkJh.exe

C:\Windows\System\hfhKkJh.exe

C:\Windows\System\KWqzdvt.exe

C:\Windows\System\KWqzdvt.exe

C:\Windows\System\LwjQfgn.exe

C:\Windows\System\LwjQfgn.exe

C:\Windows\System\bgeMDbo.exe

C:\Windows\System\bgeMDbo.exe

C:\Windows\System\aWuExFY.exe

C:\Windows\System\aWuExFY.exe

C:\Windows\System\hcEMQHy.exe

C:\Windows\System\hcEMQHy.exe

C:\Windows\System\CpkHKQF.exe

C:\Windows\System\CpkHKQF.exe

C:\Windows\System\eEHpcye.exe

C:\Windows\System\eEHpcye.exe

C:\Windows\System\OVbWmzO.exe

C:\Windows\System\OVbWmzO.exe

C:\Windows\System\yqJWayl.exe

C:\Windows\System\yqJWayl.exe

C:\Windows\System\hZiwQlW.exe

C:\Windows\System\hZiwQlW.exe

C:\Windows\System\bNfgltV.exe

C:\Windows\System\bNfgltV.exe

C:\Windows\System\NseSjQW.exe

C:\Windows\System\NseSjQW.exe

C:\Windows\System\mpoVQVv.exe

C:\Windows\System\mpoVQVv.exe

C:\Windows\System\WFyAIVs.exe

C:\Windows\System\WFyAIVs.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

C:\Windows\System\UkBFCja.exe

MD5 60cedd9baa3e2e3734ec8e077a1fa9db
SHA1 da2154152c94911b76772917ca7ddaf15b90a4aa
SHA256 03cbba4e7c23793ebd1b0bb809ffd0a5fbfc17c52c8e709e7330054efed61af6
SHA512 5ea53bedd71af593d9b87e0d3f44e73c8948e398faf1fc1b916b54596526d0b05704afef011dfe0fea90a9f85e440339d48b1c1e52969ccf839229004846b027

C:\Windows\System\mrgafwu.exe

MD5 b26601fb208ce14f6ae3c2047decefbc
SHA1 9be44a670c4f6af416c9de38a48177ebbefbc1ca
SHA256 9261ea2d70aca11aacc7543119ca5f49c7e0e48002aa3bc1375dbd7fdbbb4bc8
SHA512 7532d6015e391bd22bb3221a77f3531c367d1a1649b601ef78a83ac856e926c86c77b6c903d300a3f36804b59b260f86d243749070ef72c2569c6c1299566895

C:\Windows\System\gJPLEoE.exe

MD5 0894ce9d6bec28b5b1c41e08c7d511d7
SHA1 e51c0aa1df2adb2eed01f7e0575b215e94f61b3f
SHA256 f8505e9a97887f627ff3b268885b940049a38f9c908d715a296dee34c4130c89
SHA512 4adb9e090a4a3ae2c2454984f890053ffb44e4849d41c45cd88a09cb5d632df00cad741ab65ed12b975dd12658d027eb205062300b35eb9bda1fd69959158ba4

C:\Windows\System\AorrAyZ.exe

MD5 866f684b2162a71f17c9bf3b3ef81bb2
SHA1 2941067abd07d7cd24ce442441c8a666dfde215c
SHA256 6a17dfce2cf9a8cd4fae138c3f348b83c5d9d78650ba9ac010874da42a9304fc
SHA512 6c733c654e36f235d824727f50367e9c49f20435a9e1b07e4aa05e219ddcb41cbb3f7726283e52a35da468b32e117755115d9144f67f37f72679b035de2465ef

C:\Windows\System\rOAAXVf.exe

MD5 e06d6a94d27fa3c2b4bd4b545b3b81dc
SHA1 086a7d6be2757884a88d826ec62aedff8385115e
SHA256 6de12742eaf4c14eefddd76c0f6fb8c56bd98a8ce561049175bfab352d0ec762
SHA512 1cd541814e0cd4004ad1ef2223eed35568c7da05e818fac19a36f3bf8126e721d51b90c056bd78838c2b2889b399b0923a6617d6d1738a3db9f5144c99378151

C:\Windows\System\wkmqOnD.exe

MD5 c89070583acd5c0a87b6d6aaebbd70ff
SHA1 4f1f67f4eafd26afe5da2d7c1e8e701ebd926190
SHA256 c333cc7e15da842fbded61e78143b53747fe16148c1eb501f115c3f804e04c92
SHA512 c4a925c3fece476fdd5193616cbe5017ef1331bbb3f7ff49bca27bf0d830fa4e48908cb2c8b2f58a347f757ec3f6a43e56c5e027f969b7ebb0021bbff9bb371b

C:\Windows\System\hfhKkJh.exe

MD5 3c540c7f0a9e42e8a219756bb2711e15
SHA1 0d09fb911a2ea63c03be6ac158a5346828384668
SHA256 85eeb9df2e1713b3663a63b71b8eaed1c15b89dbd2a38ac8f5381bad9b038d70
SHA512 63e0dd315aecfde4507e581936e394c91c2c0c471a8aecef1232fb28688bca9835fc64333e6f9cf6fa52068830616af1e250e26a07a371b75356292031442e37

C:\Windows\System\KWqzdvt.exe

MD5 2f640df748fcc87c11dc7b99ad3bcc78
SHA1 853b953bb686a9647fd121722b2f088ed701520a
SHA256 c87d909581b26b77e35c29165fa44484ba6ab30570acb5be64492452a097116b
SHA512 56a72601dae3fddd442d82d325d838f4e16daf7960b3b3adec1372eee684a734ffa6419f0b2dbf815e945fd3e3d0d8cab95fb0ae7b073739fd073b7ceff93795

C:\Windows\System\LwjQfgn.exe

MD5 8ecb008a810880ab341d703629a4543a
SHA1 e33eeb5917ed4aecb08f5db0666d0504e833bf4b
SHA256 4b422613fb6a13ee72fb2144bd541545d9a8e15e7963360695d0e98b5336aa63
SHA512 fb38ab4619c9c2b2cac42869066af04e5961cc6ff86539aeed6e159159a98d7e486c3a982a1df5f027cf144880635bfae450fde63f4f5ae6451158c16a7c381a

C:\Windows\System\bgeMDbo.exe

MD5 afb2c4c7a63f33151ce858ed80ed76cd
SHA1 be746d3f3b446bd2b9406fc8cd1fb048dd322562
SHA256 ed4315d5285d2e44c70a1064f16c47178460b218b506a78bdba015072cd8f3fd
SHA512 b0284e229a8a3841ba5a2363ac844682e801bc5228359396e36621fb10fecece83f3bb108f5a74f1b95a847575f254ac42e821144e080c63111895d5fb48766d

C:\Windows\System\hcEMQHy.exe

MD5 3b2ea452999f095ce15fad591d391921
SHA1 b4b5b0f282935af3029436cc3a5e65580cf99514
SHA256 25bb3b9a4d4a324a8ce337349df44c3da451947814b956ead27c5bff39edd124
SHA512 d13aa6cb6a2e03d60bb0bab923a4016e58383598406388832a9f38059369008048f7229f35864b970a23f7b8d40dfadc1333ec11fa886bbbc5dff19ffa4a2e89

C:\Windows\System\aWuExFY.exe

MD5 9cca80c762346b7a9090a103eb2acd94
SHA1 e078fd4db1bd73c4889f3e9f6eb379a87b257adf
SHA256 1ead1ec34f543bd08ed7492c86bbf98bfc28b35cc4cc582eda61befbfa07dd8d
SHA512 1d65645c330a3b47187f4af0c443f75e47cac17ce0fe95906c85c903ba78caea8305d6cf15c0fbc8471cd532db5a3b51ae1fd243aac151735df5904b78ed5e01

C:\Windows\System\CpkHKQF.exe

MD5 9b893823981d689417498b7684c71ed3
SHA1 1da0537ae7b130b9e5bb03784a03af85a47773e9
SHA256 ede7b5c981506144b0c54ed72531f5b50c5541b3a038150d75ad47d9e6bd6b06
SHA512 71f91e7c5b3801c4874ff19ec1f87528b3d6582960c1721eb0199ee53bf12020e9bd5db17c84d6136458056f3300af2c74329b6a29d0f3ee7aff9c5398df0ef7

C:\Windows\System\eEHpcye.exe

MD5 02285cfbb760f6088440b4231bc88c31
SHA1 ee50ab697facd057cd6c44acc23e83a79041851d
SHA256 35bc5f6da5840511d04ba4b5eb4769af65e885189768aee8da5f00e031912b08
SHA512 a593cbd867ff6383dfc26d6ac5e9addf8ca7e0171ed1d882b975b3c00354c746014dc902789316ef3c180d5f5b1719fdeb1a81789a292c84de7cba753392a25a

C:\Windows\System\OVbWmzO.exe

MD5 74838fc9ca0a1dd4b19c670ff6fb6fa3
SHA1 23a55a1f51e10412608334bebbdbf35b9b50d10e
SHA256 b395932e8b88b92bb03e9cf2ec2365bc2e066b0a6c869fda0b1103e46e859fc4
SHA512 c24698e0ac5d5a765dd26e075a37fa0dc95e315b4bd7fc366655596fb0944e06591db50b988c28e3d60ba5a7ca96211217e345c71b958ba96f679a6c57de2671

C:\Windows\System\yqJWayl.exe

MD5 6a8c8174574a5fc420c809a5577f54fc
SHA1 31a6985e7c901221b43cfda69986adf7330c31dd
SHA256 95976b7df46241e9df5e4c78600d65a22bfc4f40453c6d66c145180208998a44
SHA512 eee5c5767e6f524633f1be2006b9c6b0ce520f6f17a2b74b6badb22aef934eeb3cd7902e12e0265f43ab69e3eb3fec6f059554679082075e711fe376eff9728e

C:\Windows\System\hZiwQlW.exe

MD5 e8835c32ba7523af40953e6d532fba24
SHA1 11ccab4b1ce7cdf4c095d0d7b8f58fde2392e385
SHA256 3db9d7efb7342573bf36bf50c897575e968b2847d04d808f762a6a27bebdaf38
SHA512 80107b79bf89daa834932ccadd0abdfdf460b2f2444be2a070dbf659ff51eae4e0219cc6595eec45fe61644e6f0561cd0ae14d309d37a6f390ecab1c05a1e46e

C:\Windows\System\bNfgltV.exe

MD5 c4ebe12fc5337027356af5fdf173fdd8
SHA1 e28c17cc8ba539be8eb00c90d77d00118832cf53
SHA256 e76d19ca2318661ee6eed141f8a2ea83ba1135174e88a4b0db650f9420912915
SHA512 ee74fdf8315f48f9e5a0575ac214b23698ae02578735a9432d23d323d49539d67a4f9d25c8ca1c925389968807c5f86cfa31c9e8eeeff5aafa9675d926564052

C:\Windows\System\mpoVQVv.exe

MD5 403746b09524bacc4dad0886fb6df1db
SHA1 899474c32dfff3c3797353376c085b7449b5c6cd
SHA256 425fc793a67373c39bf48b75316deea637f9daf0dec382cda576d6e152292d08
SHA512 c33420b165d9d4101fbcafa4a25ad4a422e5ddb46278fb0dbfce92414255d2723074ddabfc4a6f276ce9a0f955002755434b8bbbbd75d490b092382c86c9c49c

C:\Windows\System\NseSjQW.exe

MD5 6cbabaa0c7e70d577bfc2b37f361b4c4
SHA1 2359c57aff0a11568f2f8c53ff077833d9c821a0
SHA256 a8cdb08a4c9fdf7986aaf817c29a7c454ace6685bbbb2b74cf9b9d3600e47380
SHA512 547fb1c3b50d7e1b40eae11327ade6e0d8a4a3834d0b1b85112e3d8e2daeb0baa597570a07ca2be61a230a975086cac09538e0c2aea7ecd66871baa9b2666b2c

C:\Windows\System\WFyAIVs.exe

MD5 77187a09043c04865b2ac0c9724cfa0a
SHA1 523f687eb4b2d2290217f2ffb873cdfc50aa1748
SHA256 36ee5fbb4178c9417a2b9e38bdaabdb2a6eb9c80ff716104a6c491cd3a2671ff
SHA512 a058abf514ba4d435488419b0c49ad37028c70903ccbb2ff25bd8bfbdad57456da693ec1d18e61a5ccf88a38c3f938f2ec2ce3dd3165b58c2ee328b1989933cf
