Malware Analysis Report

2025-01-22 19:39

Sample ID 240601-gd6afsbg7t
Target 2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike
SHA256 e78f269aacfd41d19366b0b673c153bb5a407cf64a5f4b7ef30bdf9a7e92ccdd
Tags miner upx 0 xmrig cobaltstrike backdoor trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

Cobaltstrike family

xmrig

UPX dump on OEP (original entry point)

Cobaltstrike

Xmrig family

Cobalt Strike reflective loader

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 05:42

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 05:42

Reported

2024-06-01 05:44

Platform

win7-20240508-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\BMJEOVo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bouTRxB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jAxiQZy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kqtalqA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HFRVakf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dRWUbLZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RaqoLcE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OfRLWpz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\toaARPI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vtFkrkP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wvsXQnZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FgLkXJT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YFcIdsm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LWtaTyR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aiULmuH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iBHDbbQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jgnDNPK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QdHzZQM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QhzFXpg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bOIpfoZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hSuDBoe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 848 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\wvsXQnZ.exe
PID 848 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\dRWUbLZ.exe
PID 848 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\BMJEOVo.exe
PID 848 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\jgnDNPK.exe
PID 848 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\QdHzZQM.exe
PID 848 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\QhzFXpg.exe
PID 848 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\bOIpfoZ.exe
PID 848 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\bouTRxB.exe
PID 848 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\RaqoLcE.exe
PID 848 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\jAxiQZy.exe
PID 848 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FgLkXJT.exe
PID 848 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\YFcIdsm.exe
PID 848 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\LWtaTyR.exe
PID 848 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\kqtalqA.exe
PID 848 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\OfRLWpz.exe
PID 848 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\toaARPI.exe
PID 848 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\hSuDBoe.exe
PID 848 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\aiULmuH.exe
PID 848 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\vtFkrkP.exe
PID 848 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\iBHDbbQ.exe
PID 848 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\HFRVakf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\wvsXQnZ.exe

C:\Windows\System\dRWUbLZ.exe

C:\Windows\System\BMJEOVo.exe

C:\Windows\System\jgnDNPK.exe

C:\Windows\System\QdHzZQM.exe

C:\Windows\System\QhzFXpg.exe

C:\Windows\System\bOIpfoZ.exe

C:\Windows\System\bouTRxB.exe

C:\Windows\System\RaqoLcE.exe

C:\Windows\System\jAxiQZy.exe

C:\Windows\System\FgLkXJT.exe

C:\Windows\System\YFcIdsm.exe

C:\Windows\System\LWtaTyR.exe

C:\Windows\System\kqtalqA.exe

C:\Windows\System\OfRLWpz.exe

C:\Windows\System\toaARPI.exe

C:\Windows\System\hSuDBoe.exe

C:\Windows\System\aiULmuH.exe

C:\Windows\System\vtFkrkP.exe

C:\Windows\System\iBHDbbQ.exe

C:\Windows\System\HFRVakf.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2948-101-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/848-98-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/1300-93-0x000000013F550000-0x000000013F8A4000-memory.dmp

memory/2684-137-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2468-138-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2528-139-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2564-140-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/848-141-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2088-142-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/1828-143-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2608-144-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2728-145-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/2288-146-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/2948-147-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2468-148-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2684-149-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2384-150-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2528-151-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2564-152-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/1300-153-0x000000013F550000-0x000000013F8A4000-memory.dmp

memory/876-154-0x000000013F4D0000-0x000000013F824000-memory.dmp

memory/1512-155-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 05:42

Reported

2024-06-01 05:44

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gTFwhDg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SyZsavw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kwkjfnz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vbOrZlb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ySAmXKJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LLhDruG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MvzFzVW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RgZOiqw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\azetlPA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lzFZPWa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bsrJKEO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KfJlnDL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xlphQXV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zfMCiOS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pAQUduO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uwfPOHe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CMOFZzK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XerLDTN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gMEtuyH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QfYzJad.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MLBJREb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1832 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zfMCiOS.exe
PID 1832 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zfMCiOS.exe
PID 1832 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\pAQUduO.exe
PID 1832 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\pAQUduO.exe
PID 1832 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\kwkjfnz.exe
PID 1832 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\kwkjfnz.exe
PID 1832 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\RgZOiqw.exe
PID 1832 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\RgZOiqw.exe
PID 1832 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\gMEtuyH.exe
PID 1832 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\gMEtuyH.exe
PID 1832 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\azetlPA.exe
PID 1832 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\azetlPA.exe
PID 1832 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\lzFZPWa.exe
PID 1832 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\lzFZPWa.exe
PID 1832 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\uwfPOHe.exe
PID 1832 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\uwfPOHe.exe
PID 1832 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\LLhDruG.exe
PID 1832 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\LLhDruG.exe
PID 1832 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\vbOrZlb.exe
PID 1832 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\vbOrZlb.exe
PID 1832 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\bsrJKEO.exe
PID 1832 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\bsrJKEO.exe
PID 1832 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\QfYzJad.exe
PID 1832 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\QfYzJad.exe
PID 1832 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\KfJlnDL.exe
PID 1832 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\KfJlnDL.exe
PID 1832 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\MvzFzVW.exe
PID 1832 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\MvzFzVW.exe
PID 1832 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\MLBJREb.exe
PID 1832 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\MLBJREb.exe
PID 1832 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\CMOFZzK.exe
PID 1832 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\CMOFZzK.exe
PID 1832 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ySAmXKJ.exe
PID 1832 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ySAmXKJ.exe
PID 1832 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\XerLDTN.exe
PID 1832 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\XerLDTN.exe
PID 1832 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\gTFwhDg.exe
PID 1832 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\gTFwhDg.exe
PID 1832 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xlphQXV.exe
PID 1832 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xlphQXV.exe
PID 1832 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\SyZsavw.exe
PID 1832 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe C:\Windows\System\SyZsavw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ac68732b6d6d68c0b275339db0f720b6_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\zfMCiOS.exe

C:\Windows\System\zfMCiOS.exe

C:\Windows\System\pAQUduO.exe

C:\Windows\System\pAQUduO.exe

C:\Windows\System\kwkjfnz.exe

C:\Windows\System\kwkjfnz.exe

C:\Windows\System\RgZOiqw.exe

C:\Windows\System\RgZOiqw.exe

C:\Windows\System\gMEtuyH.exe

C:\Windows\System\gMEtuyH.exe

C:\Windows\System\azetlPA.exe

C:\Windows\System\azetlPA.exe

C:\Windows\System\lzFZPWa.exe

C:\Windows\System\lzFZPWa.exe

C:\Windows\System\uwfPOHe.exe

C:\Windows\System\uwfPOHe.exe

C:\Windows\System\LLhDruG.exe

C:\Windows\System\LLhDruG.exe

C:\Windows\System\vbOrZlb.exe

C:\Windows\System\vbOrZlb.exe

C:\Windows\System\bsrJKEO.exe

C:\Windows\System\bsrJKEO.exe

C:\Windows\System\QfYzJad.exe

C:\Windows\System\QfYzJad.exe

C:\Windows\System\KfJlnDL.exe

C:\Windows\System\KfJlnDL.exe

C:\Windows\System\MvzFzVW.exe

C:\Windows\System\MvzFzVW.exe

C:\Windows\System\MLBJREb.exe

C:\Windows\System\MLBJREb.exe

C:\Windows\System\CMOFZzK.exe

C:\Windows\System\CMOFZzK.exe

C:\Windows\System\ySAmXKJ.exe

C:\Windows\System\ySAmXKJ.exe

C:\Windows\System\XerLDTN.exe

C:\Windows\System\XerLDTN.exe

C:\Windows\System\gTFwhDg.exe

C:\Windows\System\gTFwhDg.exe

C:\Windows\System\xlphQXV.exe

C:\Windows\System\xlphQXV.exe

C:\Windows\System\SyZsavw.exe

C:\Windows\System\SyZsavw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 52.111.227.11:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
