Malware Analysis Report

2025-01-22 19:40

Sample ID 240601-dl2epafg2s
Target 2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike
SHA256 00d8bb9a84840cace6185c5bffeaef6bd426057ed5cd428d4c0b9fbfe67f1003
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

00d8bb9a84840cace6185c5bffeaef6bd426057ed5cd428d4c0b9fbfe67f1003

Threat Level: Known bad

The file 2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

Cobaltstrike

Cobalt Strike reflective loader

xmrig

XMRig Miner payload

Xmrig family

Detects Reflective DLL injection artifacts

Cobaltstrike family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 03:06

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 03:06

Reported

2024-06-01 03:09

Platform

win7-20240508-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; every field N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; every field N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (59 identical rows; every field N/A)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; every field N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A (21 identical rows, one per dropped executable)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (59 identical rows; every field N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\SfRbcsa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\btAeHbR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vgwyGAW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vFTjfuH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IZwfwNO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TAcZEzp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lLmViHT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BTGywOC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VZMRYVu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wfUdkJU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mVUoviE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gPCQbMD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\essdRrN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UMcFDEt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\isNZLof.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LSGJrdH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LxxIuUf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wnrVlzq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LnSXVCr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JKpmpDx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TtVXBOb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(Each write below was logged three times in a row; the repeats are collapsed to one row per child.)
PID 1984 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\LxxIuUf.exe
PID 1984 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\vFTjfuH.exe
PID 1984 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\wfUdkJU.exe
PID 1984 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\wnrVlzq.exe
PID 1984 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\mVUoviE.exe
PID 1984 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPCQbMD.exe
PID 1984 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\LnSXVCr.exe
PID 1984 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\essdRrN.exe
PID 1984 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\IZwfwNO.exe
PID 1984 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\UMcFDEt.exe
PID 1984 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\JKpmpDx.exe
PID 1984 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\TtVXBOb.exe
PID 1984 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\TAcZEzp.exe
PID 1984 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\isNZLof.exe
PID 1984 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\SfRbcsa.exe
PID 1984 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\btAeHbR.exe
PID 1984 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\LSGJrdH.exe
PID 1984 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\vgwyGAW.exe
PID 1984 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\lLmViHT.exe
PID 1984 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\VZMRYVu.exe
PID 1984 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\BTGywOC.exe
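The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables above, together with the Processes list, describe a single pattern: PID 1984 writes 21 executables with random seven-letter mixed-case names into C:\Windows\System\ and launches every one of them. The Python below is an added example, not code from the sandbox report or from any detection product. It replays those indicators as Sysmon-style event dicts (EventID 11 FileCreate and EventID 1 ProcessCreate, using Sysmon's field names, which is an assumption about the log source) constructed from the tables on this page, and flags any parent that drops a threshold number of such files and then executes at least one of them. The name-shape test accepts 6 to 10 letters rather than exactly seven so it generalises past this one sample.

```python
"""Drop-and-spawn detector replayed over the indicators in this report.

Added example; not code from the sandbox or from any vendor.  Event field
names follow Sysmon (EventID 11 = FileCreate, EventID 1 = ProcessCreate);
the event list is constructed from the report's tables, not captured live.
"""
import re
from collections import defaultdict

# Parent from behavioral1 (PID 1984) and the 21 names it dropped into C:\Windows\System\.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe")
DROPPED = [
    "SfRbcsa", "btAeHbR", "vgwyGAW", "vFTjfuH", "IZwfwNO", "TAcZEzp", "lLmViHT",
    "BTGywOC", "VZMRYVu", "wfUdkJU", "mVUoviE", "gPCQbMD", "essdRrN", "UMcFDEt",
    "isNZLof", "LSGJrdH", "LxxIuUf", "wnrVlzq", "LnSXVCr", "JKpmpDx", "TtVXBOb",
]

SYSTEM_DIR = "c:\\windows\\system\\"          # the legacy 16-bit directory, not System32
# Random-looking stem: 6-10 letters with both cases present (the report shows 7).
RANDOM_STEM = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{6,10}$")


def in_windows_system(path: str) -> bool:
    """True for files directly inside C:\\Windows\\System\\ (no subdirectory)."""
    low = path.lower()
    return low.startswith(SYSTEM_DIR) and "\\" not in low[len(SYSTEM_DIR):]


def looks_random(path: str) -> bool:
    """True for <random letters>.exe file names such as LxxIuUf.exe."""
    stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
    return ext.lower() == "exe" and RANDOM_STEM.match(stem) is not None


def build_report_events() -> list:
    """Constructed Sysmon-style events mirroring the report: one FileCreate
    and one ProcessCreate (parent 1984) per dropped executable."""
    events = []
    for name in DROPPED:
        target = f"C:\\Windows\\System\\{name}.exe"
        events.append({"EventID": 11, "ProcessId": 1984, "Image": PARENT,
                       "TargetFilename": target})
        events.append({"EventID": 1, "ParentProcessId": 1984, "ParentImage": PARENT,
                       "Image": target})
    return events


def find_droppers(events, min_drops: int = 5) -> dict:
    """Return {parent_pid: {"dropped": [...], "executed": [...]}} for every
    parent that wrote >= min_drops random-named .exe files into
    C:\\Windows\\System\\ and then spawned at least one of them."""
    drops = defaultdict(list)
    spawned = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if in_windows_system(target) and looks_random(target):
                drops[ev["ProcessId"]].append(target)
        elif ev["EventID"] == 1:
            spawned[ev["ParentProcessId"]].append(ev["Image"])
    hits = {}
    for pid, files in drops.items():
        dropped_lower = {f.lower() for f in files}
        executed = [img for img in spawned.get(pid, []) if img.lower() in dropped_lower]
        if len(files) >= min_drops and executed:
            hits[pid] = {"dropped": files, "executed": executed}
    return hits


if __name__ == "__main__":
    for pid, info in find_droppers(build_report_events()).items():
        print(f"PID {pid}: dropped {len(info['dropped'])} random-named executables, "
              f"executed {len(info['executed'])} of them")
```

C:\Windows\System\ (the legacy directory, not System32) rarely receives legitimate file creates, so the path check alone is a strong filter; the name-shape test and the drop-then-execute correlation are what keep a single installer with one mixed-case binary name from tripping it. Running the module directly prints the hit for PID 1984.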

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\LxxIuUf.exe

C:\Windows\System\LxxIuUf.exe

C:\Windows\System\vFTjfuH.exe

C:\Windows\System\vFTjfuH.exe

C:\Windows\System\wfUdkJU.exe

C:\Windows\System\wfUdkJU.exe

C:\Windows\System\wnrVlzq.exe

C:\Windows\System\wnrVlzq.exe

C:\Windows\System\mVUoviE.exe

C:\Windows\System\mVUoviE.exe

C:\Windows\System\gPCQbMD.exe

C:\Windows\System\gPCQbMD.exe

C:\Windows\System\LnSXVCr.exe

C:\Windows\System\LnSXVCr.exe

C:\Windows\System\essdRrN.exe

C:\Windows\System\essdRrN.exe

C:\Windows\System\IZwfwNO.exe

C:\Windows\System\IZwfwNO.exe

C:\Windows\System\UMcFDEt.exe

C:\Windows\System\UMcFDEt.exe

C:\Windows\System\JKpmpDx.exe

C:\Windows\System\JKpmpDx.exe

C:\Windows\System\TtVXBOb.exe

C:\Windows\System\TtVXBOb.exe

C:\Windows\System\TAcZEzp.exe

C:\Windows\System\TAcZEzp.exe

C:\Windows\System\isNZLof.exe

C:\Windows\System\isNZLof.exe

C:\Windows\System\SfRbcsa.exe

C:\Windows\System\SfRbcsa.exe

C:\Windows\System\btAeHbR.exe

C:\Windows\System\btAeHbR.exe

C:\Windows\System\LSGJrdH.exe

C:\Windows\System\LSGJrdH.exe

C:\Windows\System\vgwyGAW.exe

C:\Windows\System\vgwyGAW.exe

C:\Windows\System\lLmViHT.exe

C:\Windows\System\lLmViHT.exe

C:\Windows\System\VZMRYVu.exe

C:\Windows\System\VZMRYVu.exe

C:\Windows\System\BTGywOC.exe

C:\Windows\System\BTGywOC.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp (6 identical rows)

Files

memory/1984-0-0x00000000002F0000-0x0000000000300000-memory.dmp

memory/1984-1-0x000000013F400000-0x000000013F754000-memory.dmp

C:\Windows\system\LxxIuUf.exe

MD5 82e5e2f6129c2d3cb1dd2e28a844528c
SHA1 d0299cc2517ced85bf3e594bb35e47aef6c9ef34
SHA256 cdeb64a71bb7c8378d4899630dc1154c026f9f0600e016065ed9c45854e85296
SHA512 2746fc22501cea636cebb7b3da8c7da1569b2a3a5edc2e8bc049dc0587a2c9d8fd0bc041caed78d4802bd228be6cb992bb44286c4a05149ecb75338aa71507b1

memory/1632-9-0x000000013F330000-0x000000013F684000-memory.dmp

memory/1984-8-0x0000000002370000-0x00000000026C4000-memory.dmp

C:\Windows\system\vFTjfuH.exe

MD5 0db32164f1cba09b2a44c1b50880adb5
SHA1 9bde13ec38ee281041e94619d95dac570f0ddc87
SHA256 02c9d841d077094a7126b2b0a5675b623a54cec4f7972f0fae78c2f51f3ff3ce
SHA512 a9075ec195063549a95230d28b8bd6f97548bc081f1e66ce8ff0ba7d3270ce996e48ac1e7ebe1188ebb8da1bad307fe8ea9f9f0026ace07d79ed6c3814c27710

memory/2740-15-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/1984-13-0x000000013FB60000-0x000000013FEB4000-memory.dmp

C:\Windows\system\wfUdkJU.exe

MD5 d4c0c02bd1f95044d05abe1c2d364272
SHA1 d3e2b33cf6a22e007787569dfce26cf9e9a48cc2
SHA256 fae0f822cc2da3a0606d2ab8e18102d95f39d7809d37e802a7ab80264a61958a
SHA512 38de08a4f4575e7a105d8051faf68db3a1d754fd87663a01b0b044dd125aab3e59503a170c8f24b7d8fb5653c09787533117f62ce0b440ba89c2143c935fef6b

\Windows\system\mVUoviE.exe

MD5 7614c7ac00f1b83591d7b820974780a7
SHA1 9d40173dabd00286dd895bec97dee0adf20d3299
SHA256 ee71c71e9c4252a6af21bbf3a4625376289b5f4bff0bf6ed0bfe989ee9a3ce08
SHA512 af347a08a2b2bd59a36a36c3e44a48f326bfc40c4bfa8555d3697ed501fa7859ac78773a6a27edc477907cf3449e8ea441aaafef06fc770bc188bae027d2a4be

memory/2680-44-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/1984-43-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/2508-142-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/1984-141-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2520-140-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2516-139-0x000000013FBC0000-0x000000013FF14000-memory.dmp

C:\Windows\system\BTGywOC.exe

MD5 8981bac019b50d40fa77ed9d72e632e3
SHA1 ef33c0597f35e0783793b4d7d925866caee4fa59
SHA256 fedb164b6eb65858a36997ad742bd5feb943418b665ff2e31d605fc29fded8c6
SHA512 88ab65afa519845047458f77f135b775a02f78c82522e3235c665c50a7df0c5db823ada375ece92ed581310c8d9d35c57d5070d58447f2b57a96d38af4987fe1

C:\Windows\system\VZMRYVu.exe

MD5 6c2dc849dbf6e904571d84951434ad8f
SHA1 f06c4e89a2bd69dc5e94ec5fb4d2b1e3de36e168
SHA256 2789ad0b02912a1e62760ac3e992a8f8f7e7c06869bb3ab3b055756113d8e874
SHA512 adeabf2f21e5d2b235a519b2ec18487c25de78743d041c17a5a891d8552140d99e22028a938e2cdb42154c2a1abeedb3a45e28a012fb96725c3a0ebd357540c1

C:\Windows\system\vgwyGAW.exe

MD5 1e0f800c59643e385261ee47b5781e25
SHA1 cf21c3a37346343f92b4cf4e6c2c0ee7e4648c13
SHA256 de26ee92b88cf6e097809f8e1256cd1c8cf76b22fcf3a38f597166304f84cc6a
SHA512 f3d6de6e46d88b9126c3b9b2d48b9154cafacf52e480185d7a1134218c93c20aeda62ebab7fb9cff749d23783991f7b143a8655266154bc2c953ee1b5efc8972

C:\Windows\system\lLmViHT.exe

MD5 5dda2ff659193f20ef728013d10a57b6
SHA1 f05b8c00a61b447b26c551158eea70984fb50640
SHA256 141b522bd53ab7ed9be4b11175fc0500871156240a0cdc6d5584064451ccde3f
SHA512 37a7c947e44b050ad97de00896397260969b4b94302f8a67955ea00f926c777a491d00a7a92868b56756892fea2158b0d14985df11eff06db640f3d42d2c2851

C:\Windows\system\btAeHbR.exe

MD5 d5c68413b9a4b7a6538efce31302ae49
SHA1 cba45677ec976c359a163644b7749cd8c9494681
SHA256 d86d220752f1755ec5992f2e03f554c2076cd42c0f773c84fc68dfc9795014df
SHA512 bac70940d3f0853d402cfd2dbb520e9e98509de6f13846cc4c499b94ba2e346815744a2c114de3e21ea8fce93b390ae4274c63a2c5832a15f63d5f23628b3379

memory/1984-112-0x000000013FF90000-0x00000001402E4000-memory.dmp

C:\Windows\system\LSGJrdH.exe

MD5 d9570b373fe74bab4ac14c6fabe32a45
SHA1 c9e8d5332e7bf590e921d415e7afceb033d65b62
SHA256 d769908cbc46f13d5d057deccdc821142cc5e680c07699092af1b0f1e9a1cb81
SHA512 0166773eb2a374c225b02a6494096a0674967e3b69ef7ecde6bf575c8180a86b07218b4edac9be758b9cb9b8109050ce7512c7516651d9696c5163ca643122c9

memory/2680-108-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/2640-107-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2712-106-0x000000013FDE0000-0x0000000140134000-memory.dmp

memory/2824-100-0x000000013FFD0000-0x0000000140324000-memory.dmp

memory/1984-99-0x000000013FFD0000-0x0000000140324000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 03:06

Reported

2024-06-01 03:09

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\RKmSXWQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AODeNMz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mKYjXzQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\txVmdmX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xZGFWqq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HSnuXtJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lqLrDUj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PGOdTDM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MtgKIxS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KqCkXlm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gRQwsKN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zBbZJOE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EnHqTCV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tUajjTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kXGjjFl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OHevKea.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SfOelpB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eBNkFaC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TtMwVWA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IjfObNl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YPWkDck.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1596 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\RKmSXWQ.exe
PID 1596 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\RKmSXWQ.exe
PID 1596 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXGjjFl.exe
PID 1596 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXGjjFl.exe
PID 1596 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\OHevKea.exe
PID 1596 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\OHevKea.exe
PID 1596 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\EnHqTCV.exe
PID 1596 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\EnHqTCV.exe
PID 1596 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\SfOelpB.exe
PID 1596 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\SfOelpB.exe
PID 1596 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\lqLrDUj.exe
PID 1596 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\lqLrDUj.exe
PID 1596 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\eBNkFaC.exe
PID 1596 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\eBNkFaC.exe
PID 1596 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\PGOdTDM.exe
PID 1596 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\PGOdTDM.exe
PID 1596 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\MtgKIxS.exe
PID 1596 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\MtgKIxS.exe
PID 1596 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\AODeNMz.exe
PID 1596 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\AODeNMz.exe
PID 1596 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\KqCkXlm.exe
PID 1596 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\KqCkXlm.exe
PID 1596 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\TtMwVWA.exe
PID 1596 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\TtMwVWA.exe
PID 1596 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\gRQwsKN.exe
PID 1596 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\gRQwsKN.exe
PID 1596 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\mKYjXzQ.exe
PID 1596 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\mKYjXzQ.exe
PID 1596 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\IjfObNl.exe
PID 1596 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\IjfObNl.exe
PID 1596 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\txVmdmX.exe
PID 1596 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\txVmdmX.exe
PID 1596 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\tUajjTS.exe
PID 1596 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\tUajjTS.exe
PID 1596 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\xZGFWqq.exe
PID 1596 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\xZGFWqq.exe
PID 1596 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\HSnuXtJ.exe
PID 1596 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\HSnuXtJ.exe
PID 1596 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\zBbZJOE.exe
PID 1596 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\zBbZJOE.exe
PID 1596 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\YPWkDck.exe
PID 1596 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe C:\Windows\System\YPWkDck.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\RKmSXWQ.exe

C:\Windows\System\RKmSXWQ.exe

C:\Windows\System\kXGjjFl.exe

C:\Windows\System\kXGjjFl.exe

C:\Windows\System\OHevKea.exe

C:\Windows\System\OHevKea.exe

C:\Windows\System\EnHqTCV.exe

C:\Windows\System\EnHqTCV.exe

C:\Windows\System\SfOelpB.exe

C:\Windows\System\SfOelpB.exe

C:\Windows\System\lqLrDUj.exe

C:\Windows\System\lqLrDUj.exe

C:\Windows\System\eBNkFaC.exe

C:\Windows\System\eBNkFaC.exe

C:\Windows\System\PGOdTDM.exe

C:\Windows\System\PGOdTDM.exe

C:\Windows\System\MtgKIxS.exe

C:\Windows\System\MtgKIxS.exe

C:\Windows\System\AODeNMz.exe

C:\Windows\System\AODeNMz.exe

C:\Windows\System\KqCkXlm.exe

C:\Windows\System\KqCkXlm.exe

C:\Windows\System\TtMwVWA.exe

C:\Windows\System\TtMwVWA.exe

C:\Windows\System\gRQwsKN.exe

C:\Windows\System\gRQwsKN.exe

C:\Windows\System\mKYjXzQ.exe

C:\Windows\System\mKYjXzQ.exe

C:\Windows\System\IjfObNl.exe

C:\Windows\System\IjfObNl.exe

C:\Windows\System\txVmdmX.exe

C:\Windows\System\txVmdmX.exe

C:\Windows\System\tUajjTS.exe

C:\Windows\System\tUajjTS.exe

C:\Windows\System\xZGFWqq.exe

C:\Windows\System\xZGFWqq.exe

C:\Windows\System\HSnuXtJ.exe

C:\Windows\System\HSnuXtJ.exe

C:\Windows\System\zBbZJOE.exe

C:\Windows\System\zBbZJOE.exe

C:\Windows\System\YPWkDck.exe

C:\Windows\System\YPWkDck.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 udp

Files
