Malware Analysis Report

2025-01-22 19:48

Sample ID 240601-jerjssfa24
Target 2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike
SHA256 6a1599807c0b9470eff39ceb394749905a7cde78efe95134482b4fb13dfb06bb
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

6a1599807c0b9470eff39ceb394749905a7cde78efe95134482b4fb13dfb06bb

Threat Level: Known bad

The file 2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

XMRig Miner payload

xmrig

UPX dump on OEP (original entry point)

Cobaltstrike

Xmrig family

Cobaltstrike family

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:35

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:35

Reported

2024-06-01 07:37

Platform

win7-20240508-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UUxJRWt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vBKSUyq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\knpJrBj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZCRJopC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ffsWkwk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DfsZyPw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZCGmnmw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fiZqnfk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BSUjYXo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EfzCbmu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AMuVcKe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mliegAz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bUxJguO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KKDfimE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oPSPMBF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zlpaqIh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tdRaJti.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qCbNCJM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tlsInyL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZNSeXeE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vgMqwwH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\UUxJRWt.exe
PID 2296 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\mliegAz.exe
PID 2296 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\tdRaJti.exe
PID 2296 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\qCbNCJM.exe
PID 2296 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bUxJguO.exe
PID 2296 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\tlsInyL.exe
PID 2296 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZNSeXeE.exe
PID 2296 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\DfsZyPw.exe
PID 2296 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZCGmnmw.exe
PID 2296 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\KKDfimE.exe
PID 2296 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\oPSPMBF.exe
PID 2296 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\zlpaqIh.exe
PID 2296 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\fiZqnfk.exe
PID 2296 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\vgMqwwH.exe
PID 2296 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\BSUjYXo.exe
PID 2296 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\EfzCbmu.exe
PID 2296 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\vBKSUyq.exe
PID 2296 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\AMuVcKe.exe
PID 2296 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\knpJrBj.exe
PID 2296 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZCRJopC.exe
PID 2296 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ffsWkwk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\UUxJRWt.exe

C:\Windows\System\mliegAz.exe

C:\Windows\System\tdRaJti.exe

C:\Windows\System\qCbNCJM.exe

C:\Windows\System\bUxJguO.exe

C:\Windows\System\tlsInyL.exe

C:\Windows\System\ZNSeXeE.exe

C:\Windows\System\DfsZyPw.exe

C:\Windows\System\ZCGmnmw.exe

C:\Windows\System\KKDfimE.exe

C:\Windows\System\oPSPMBF.exe

C:\Windows\System\zlpaqIh.exe

C:\Windows\System\fiZqnfk.exe

C:\Windows\System\vgMqwwH.exe

C:\Windows\System\BSUjYXo.exe

C:\Windows\System\EfzCbmu.exe

C:\Windows\System\vBKSUyq.exe

C:\Windows\System\AMuVcKe.exe

C:\Windows\System\knpJrBj.exe

C:\Windows\System\ZCRJopC.exe

C:\Windows\System\ffsWkwk.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2296-0-0x00000000000F0000-0x0000000000100000-memory.dmp

memory/2296-2-0x000000013FF60000-0x00000001402B4000-memory.dmp

C:\Windows\system\UUxJRWt.exe

MD5 89111ce7e12805943035675929f08a68
SHA1 547816c811aba536e172de8738946f2c7df604e3
SHA256 835329bfc8953d483d84817bd2288878f82f3555e8fff1bfa5d6a0fbd9d53b1c
SHA512 c5211d6fba4b7f87eb286f1593df6f9651d9647a7d341cf1d41f7124a187cfa7a1be83c8f81c4f192645c4ceb3678351aeb7f341d909c0dd186e43dba4ce032f

memory/3060-9-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/2296-8-0x00000000024D0000-0x0000000002824000-memory.dmp

C:\Windows\system\mliegAz.exe

MD5 b6ef0ae7dafd7151456c3e50c773e3e7
SHA1 287f6435f4fe3c84f8bb861de112716553b57a9c
SHA256 5efbb305c017f8c3b6e523387672ac6189a53ea356a3db7bd6fe77370b181184
SHA512 765683c04bb4a9e6887a8e2d986b458909bc073225b048110e79a822ef54bce70c03c0599f5b16023dd1dcbd624f6e3f0242731764e2ee1819d35d151d385dce

C:\Windows\system\tdRaJti.exe

MD5 7d8b84d63e4aa6dbb02cf7fbca8c42a4
SHA1 9584efa90a287b943d2e63c46a5eb3ce5343ef24
SHA256 8fe2ef4452f88ceac2a9800ad2cd20006b1795d5ee154e031a985a3453cd4aaa
SHA512 92ea1c666d7925a0ec6bc7f385720f967b1e7de0d4ccefd3e6eaa014d370fcf0d4e8e4f48181f0ea939993f2a41f651205307e9df61ee18d9becbbd0bc06eb0c

\Windows\system\qCbNCJM.exe

MD5 a0e46ea121ae5eb9bbd0616439e3f86f
SHA1 59511c14031271b3654eae1d0a8fbbc68aa8e7af
SHA256 ffcf9c631a444d9b614c6a1e5afa11a3d89ff42a7e5b3fd8a1f884c9d4a29996
SHA512 f8447dbb5363a004ad5793f970762f9890ec05146e8705c4bd592d2b47a38a5b98454605ae77efae8c85d1508d5dd8b6b2b5159129f1e12028800347d0decd0e

memory/2692-26-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/2296-29-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/2616-28-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/2296-27-0x00000000024D0000-0x0000000002824000-memory.dmp

memory/2184-25-0x000000013F920000-0x000000013FC74000-memory.dmp

C:\Windows\system\tlsInyL.exe

MD5 20c0ee4467d998e0371e8a548d3e6e11
SHA1 0f057e880bf24bc8d35962e3f4fb80c56b5d8ff3
SHA256 13cb3b1a568793ea70e83d04a0b08c19718c352a6d84a9eae0d7831f77a0f891
SHA512 62da23a82ad7733d49872957b2b56a8dc6e15173ba37350684ff58ba78024c81172f853638b34d9f2032a2f04a83effda01d24775c26c91b24a9d85b646702fc

memory/3024-35-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/1604-42-0x000000013FA00000-0x000000013FD54000-memory.dmp

\Windows\system\ZNSeXeE.exe

MD5 66758517bccae7f0ce7876bcd19c3a20
SHA1 49c14c604d4a2d794cddd5267bf89725654823a9
SHA256 f60f20371237e9b39ebaf24dd994c04df33602ad295f471233b8e77b430117b4
SHA512 fd7c4bbf3b9cbad59b214cd7e9fcf9f1cdc313ea6716437e556d42a9f8c7c887aec4c25337e377765bcceab45eb9fb987033cf58b85bbfd5e4fb65a503f0781a

C:\Windows\system\DfsZyPw.exe

MD5 37159c62cf0dd89a45089c1a771b2b89
SHA1 b741c381b8b812fd200fbc5af83953c9b8c04199
SHA256 97ac4664a7019565a5eaa2ddbb22adb9a79374faef6aa8eeaed11d56786f3de2
SHA512 c6452b1bf9a4febbe8585522a13f252856ca4ad9eb8c1819569748cba24e5282124c8b16afb9c3276e8dc178859499bfa99cb3c9b9cacce5fb920ec956b180dd

memory/2296-56-0x000000013F3E0000-0x000000013F734000-memory.dmp

C:\Windows\system\ZCGmnmw.exe

MD5 17d2c0d2877a082bb44cb607c2e9adf4
SHA1 958f09ffe4400706216e7b10ffeb84fc848a7207
SHA256 cddde39b41bc1862d6dc7de4a08796b512e8fae973423a35f97a951da0cc048c
SHA512 7f424af37c69750192048c242481ba4282657d352834512e267c4b76d816579eb1da95d7758bbc113234f7551d1245b6d93d23de62e1f40adb6dc49e6deefb09

C:\Windows\system\KKDfimE.exe

MD5 b4ecf06e219e1aa90545dd947300cd18
SHA1 dea31ffb9b67bcc22ae78daf98e01674c7b42cfb
SHA256 e0105c5add748f36863d96433cb234a5c8e6c01171f975d5f12112b6f25916b3
SHA512 37b54ea6e7791e07660fbbd7519da4d52fc9d785ac10f753f7aa308319f08ef522d687ce0f7b97583ee14b93d65d69c36003fb49f58e76593fd582401c830741

memory/1484-70-0x000000013F210000-0x000000013F564000-memory.dmp

memory/2296-81-0x00000000024D0000-0x0000000002824000-memory.dmp

memory/2552-83-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2296-82-0x000000013F730000-0x000000013FA84000-memory.dmp

\Windows\system\oPSPMBF.exe

MD5 d1e750a020b0f9e707e6a58304ee1745
SHA1 dc9894bdeacfa212760edb54507a1186b464863c
SHA256 14f5788fea6c9b921b5f5bd6dc9fc9636ba81874b2aa16663e6378d13ee106cd
SHA512 bf28fa41df73e8df61db1d5f0c49fa66bc12006501cfc8edbdebc17f9685c354c5153358fae3ed3defbd850a1ef3b1b309e08a734e933107bf46637636a389ba

memory/2780-91-0x000000013F450000-0x000000013F7A4000-memory.dmp

C:\Windows\system\fiZqnfk.exe

MD5 52f403373ead9348c35d105441efca97
SHA1 6daf4960495b09222b234c18bddecbdc92ec5753
SHA256 35e1a2ac039d5357e777f49d4c15f609b77c1d0abb2481d721448b4f2c06f034
SHA512 e8143829771c019b6b79626f55833830dba9e12c04ef94848a47f5e2587566c46fbf9b17c14a2adcfe06d39efbf4f499b448fc0b77f9687fd01efe58e8dc3fbd

memory/2296-89-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/2296-88-0x00000000024D0000-0x0000000002824000-memory.dmp

memory/1348-76-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2296-75-0x000000013FF60000-0x00000001402B4000-memory.dmp

C:\Windows\system\zlpaqIh.exe

MD5 3e3c2ab71af71419032f72a95587234b
SHA1 51913bf27120498194f919c59ebcd2a99231fce0
SHA256 6239df1a7a7df7d5013123ab47265ad69013e19e47e4458425def8e0a78e53b5
SHA512 616f2c8314d89a038e419b20557938df07f9f92579083e7bb6a65422609e94fe246b9918dfe137a7100a8e0b296ffc39e9608c7242a99ec158d3c449d879dbcd

memory/2296-69-0x000000013F210000-0x000000013F564000-memory.dmp

memory/2284-63-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2296-62-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2468-49-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

memory/2296-48-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

memory/2540-57-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/2296-34-0x00000000024D0000-0x0000000002824000-memory.dmp

memory/3024-95-0x000000013FF20000-0x0000000140274000-memory.dmp

C:\Windows\system\bUxJguO.exe

MD5 1f242b01747803e9df2ed025346306fe
SHA1 61b2669fc02e7044f175e3e48787d55e80ee9bd9
SHA256 8ebd8730dc6c446a2dfc529a07f403cf365c1e0ef172240ab7b4c343a3c653f8
SHA512 5b3d96805cc2df831538ccd8757b095cf50e0cafe58773f8b70efaa8847a85cf8399b257f33be2ad7d3b0533bf37a4dda6444d59f5c339903d935ac572d23abc

memory/2296-41-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/1604-96-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/2468-97-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

\Windows\system\vgMqwwH.exe

MD5 e729b4e55a5ec42df549d239d6f0da3b
SHA1 e712e4524c96ae884ed886cf2a2531b5cbd58187
SHA256 6a91d2ad9b44764b542351b2685e78c45a29fc95cd66954934dadcdc05a0f710
SHA512 463fecc82bf9280821e2704d15d7d50d9870bf257145ce8429f02eb2dd4b2471cfd6fcfb6aeb87f639b5c30e32844598428b4cce28143588cc980a949b7fee62

C:\Windows\system\BSUjYXo.exe

MD5 b9f600d8c83f29df5a2df4cb0c0c6b52
SHA1 1eed129d3acdd91c93cf0ce6de3e4e36f9e61a4b
SHA256 aee646a9178d7521845516c41ae87704b5e82f867e04e2ae055aa33dcf6a66bf
SHA512 4bb26866a495ff307cdab445b3744d419e156c21200f795562a94010289f81b34e6537b0d65985e40b49d743ed11566cda94d5f5b9ba81268694e33035939fea

memory/1484-111-0x000000013F210000-0x000000013F564000-memory.dmp

memory/1020-110-0x000000013FB90000-0x000000013FEE4000-memory.dmp

memory/2284-109-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2296-106-0x000000013FB90000-0x000000013FEE4000-memory.dmp

\Windows\system\EfzCbmu.exe

MD5 e607cd176acae67a649296ff4bd64b3e
SHA1 3d57a2ecdac0d789cf576efa1388a7677a6eee4d
SHA256 907d39339fcacd88fe0088845edd257e06e6af0e5ff0df3b3a701fac96b66efe
SHA512 80e358ee02f05a6b4fd545335a67dd872347f968543e29052748d91e4228b9a5bdbfe4ba99a9caf78ca7735c46d2fbce5b54171c8881bad65a5a4a59fee7a359

\Windows\system\vBKSUyq.exe

MD5 2cf30f80942ffc1d9c89dd9c0a107417
SHA1 415f51954a5283e8e6c22f774075b433586628ed
SHA256 cbd257e1c8966e87f28159d57505281ee0b077faad17cb073b7810f28e4ce6e7
SHA512 8a0c4cebb62d8f8cf51e2b40ab192bee9ea2cd893a8f07ebd8929a4003d342f4d709d0190afabbe52e27ccf5920120dd1cf58dc54a1655e696c2f53ad1bcc72a

\Windows\system\AMuVcKe.exe

MD5 1baf1db68fa2294e366ae54f80e2fa67
SHA1 524178e8dbdca07a37ed99d0c945d78356b851cf
SHA256 e8d24a281f6571113d3ed9f87ef22e126c58fcc9e393df23813f3a725e2f69bf
SHA512 ae92a7bcfddbff7543e457a8bd4d2933428b3ad226190e56e8736aae044cb418b55fb827572e6f14de9b679dcf9a694862aa96d2cbce36eb33a2533838ee6977

C:\Windows\system\ZCRJopC.exe

MD5 53e725ef66e2706bca8cf401a52d243b
SHA1 921eefac25ace625e56368db262793a988b453de
SHA256 ffc3e18fd01666814dfb9b48aefdc557e2bc29c74290aac7b29cc3fe2351f68a
SHA512 ce9ee8f00d3c59ee135ba9012c97d31c933f00b3b891ff3354af6fd538b0dd60cf5443857c68e49f3a46b07c18b51b0cbe347076ceca0e1fef46466bba4c8c9b

memory/1348-133-0x000000013FA50000-0x000000013FDA4000-memory.dmp

C:\Windows\system\knpJrBj.exe

MD5 3f442dc1d5dbbac5c98deec1c4b18d8f
SHA1 61a29888515b64a5e6a176396670c8aeb25ba9ff
SHA256 ab0e844eaa090769ca2baeb271458ef08c3c0d9885b39b653e857ba6c43a066a
SHA512 124298789dff066daa95886e4c48305f6ad762342a17cfd9ed9a77b0c2c882fbd5dd7e88bc82af01026b6878669a508a61f68a605ff9658f530c9774009b83f3

\Windows\system\ffsWkwk.exe

MD5 9d741155dd5c886a93c2fe00164d4e4a
SHA1 c54c20a1f3c1cc163371c47efeeb9d4efefef4a8
SHA256 b02eb718e018eca2db616762c241a98146a1c9e4a641c008005827b5914b8883
SHA512 aacd919ff70259ff6649554e3571471793c046a41985ea3ba92a5296a0f899ad50b09cc964a0852d12287bb687acca65f64d8beb05b8d759aaa9951853965854

memory/2552-142-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2296-143-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/2780-144-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/2296-145-0x000000013FB90000-0x000000013FEE4000-memory.dmp

memory/3060-146-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/2184-147-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2616-148-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/2692-149-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/3024-150-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/1604-151-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/2540-152-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/2468-153-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

memory/2284-154-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2552-155-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/1484-156-0x000000013F210000-0x000000013F564000-memory.dmp

memory/2780-157-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/1348-158-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/1020-159-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:35

Reported

2024-06-01 07:37

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows in the original table: the sandbox recorded no description, indicator, process or target for any of the 21 matches, so this hit cannot be tied to a specific file or memory region from the report alone)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows in the original table: no description, indicator, process or target recorded for any of the 21 matches)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows in the original table: no description, indicator, process or target recorded for any of the 64 matches)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows in the original table: no description, indicator, process or target recorded for any of the 64 matches)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows in the original table: no description, indicator, process or target recorded for any of the 64 matches)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\fiZqnfk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vgMqwwH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AMuVcKe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UUxJRWt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qCbNCJM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tlsInyL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zlpaqIh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tdRaJti.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BSUjYXo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EfzCbmu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oPSPMBF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vBKSUyq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\knpJrBj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mliegAz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bUxJguO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZNSeXeE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZCGmnmw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DfsZyPw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KKDfimE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZCRJopC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ffsWkwk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

SeLockMemoryPrivilege is the "Lock pages in memory" user right. Ordinary desktop software almost never enables it; XMRig does, so that RandomX can back its dataset with large pages, which makes these two rows a behavioural corroboration of the miner verdict that does not depend on the signature hits above.

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\UUxJRWt.exe
PID 4236 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\UUxJRWt.exe
PID 4236 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\mliegAz.exe
PID 4236 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\mliegAz.exe
PID 4236 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\tdRaJti.exe
PID 4236 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\tdRaJti.exe
PID 4236 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\qCbNCJM.exe
PID 4236 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\qCbNCJM.exe
PID 4236 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bUxJguO.exe
PID 4236 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bUxJguO.exe
PID 4236 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\tlsInyL.exe
PID 4236 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\tlsInyL.exe
PID 4236 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZNSeXeE.exe
PID 4236 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZNSeXeE.exe
PID 4236 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\DfsZyPw.exe
PID 4236 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\DfsZyPw.exe
PID 4236 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZCGmnmw.exe
PID 4236 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZCGmnmw.exe
PID 4236 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\KKDfimE.exe
PID 4236 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\KKDfimE.exe
PID 4236 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\oPSPMBF.exe
PID 4236 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\oPSPMBF.exe
PID 4236 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\zlpaqIh.exe
PID 4236 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\zlpaqIh.exe
PID 4236 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\fiZqnfk.exe
PID 4236 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\fiZqnfk.exe
PID 4236 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\vgMqwwH.exe
PID 4236 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\vgMqwwH.exe
PID 4236 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\BSUjYXo.exe
PID 4236 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\BSUjYXo.exe
PID 4236 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\EfzCbmu.exe
PID 4236 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\EfzCbmu.exe
PID 4236 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\vBKSUyq.exe
PID 4236 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\vBKSUyq.exe
PID 4236 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\AMuVcKe.exe
PID 4236 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\AMuVcKe.exe
PID 4236 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\knpJrBj.exe
PID 4236 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\knpJrBj.exe
PID 4236 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZCRJopC.exe
PID 4236 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZCRJopC.exe
PID 4236 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ffsWkwk.exe
PID 4236 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ffsWkwk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\UUxJRWt.exe

C:\Windows\System\UUxJRWt.exe

C:\Windows\System\mliegAz.exe

C:\Windows\System\mliegAz.exe

C:\Windows\System\tdRaJti.exe

C:\Windows\System\tdRaJti.exe

C:\Windows\System\qCbNCJM.exe

C:\Windows\System\qCbNCJM.exe

C:\Windows\System\bUxJguO.exe

C:\Windows\System\bUxJguO.exe

C:\Windows\System\tlsInyL.exe

C:\Windows\System\tlsInyL.exe

C:\Windows\System\ZNSeXeE.exe

C:\Windows\System\ZNSeXeE.exe

C:\Windows\System\DfsZyPw.exe

C:\Windows\System\DfsZyPw.exe

C:\Windows\System\ZCGmnmw.exe

C:\Windows\System\ZCGmnmw.exe

C:\Windows\System\KKDfimE.exe

C:\Windows\System\KKDfimE.exe

C:\Windows\System\oPSPMBF.exe

C:\Windows\System\oPSPMBF.exe

C:\Windows\System\zlpaqIh.exe

C:\Windows\System\zlpaqIh.exe

C:\Windows\System\fiZqnfk.exe

C:\Windows\System\fiZqnfk.exe

C:\Windows\System\vgMqwwH.exe

C:\Windows\System\vgMqwwH.exe

C:\Windows\System\BSUjYXo.exe

C:\Windows\System\BSUjYXo.exe

C:\Windows\System\EfzCbmu.exe

C:\Windows\System\EfzCbmu.exe

C:\Windows\System\vBKSUyq.exe

C:\Windows\System\vBKSUyq.exe

C:\Windows\System\AMuVcKe.exe

C:\Windows\System\AMuVcKe.exe

C:\Windows\System\knpJrBj.exe

C:\Windows\System\knpJrBj.exe

C:\Windows\System\ZCRJopC.exe

C:\Windows\System\ZCRJopC.exe

C:\Windows\System\ffsWkwk.exe

C:\Windows\System\ffsWkwk.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp

Every DNS row is a reverse (PTR) lookup sent to 8.8.8.8; the only non-DNS destination is 3.120.209.58:8080 over TCP, contacted six times. The table has no process column, so none of these rows can be attributed to the sample or to one of its dropped binaries from this report alone.

Files

memory/4236-0-0x00007FF6E80A0000-0x00007FF6E83F4000-memory.dmp

memory/4236-1-0x0000015282870000-0x0000015282880000-memory.dmp

C:\Windows\System\UUxJRWt.exe

MD5 89111ce7e12805943035675929f08a68
SHA1 547816c811aba536e172de8738946f2c7df604e3
SHA256 835329bfc8953d483d84817bd2288878f82f3555e8fff1bfa5d6a0fbd9d53b1c
SHA512 c5211d6fba4b7f87eb286f1593df6f9651d9647a7d341cf1d41f7124a187cfa7a1be83c8f81c4f192645c4ceb3678351aeb7f341d909c0dd186e43dba4ce032f

memory/4504-8-0x00007FF642DF0000-0x00007FF643144000-memory.dmp

C:\Windows\System\tdRaJti.exe

MD5 7d8b84d63e4aa6dbb02cf7fbca8c42a4
SHA1 9584efa90a287b943d2e63c46a5eb3ce5343ef24
SHA256 8fe2ef4452f88ceac2a9800ad2cd20006b1795d5ee154e031a985a3453cd4aaa
SHA512 92ea1c666d7925a0ec6bc7f385720f967b1e7de0d4ccefd3e6eaa014d370fcf0d4e8e4f48181f0ea939993f2a41f651205307e9df61ee18d9becbbd0bc06eb0c

C:\Windows\System\mliegAz.exe

MD5 b6ef0ae7dafd7151456c3e50c773e3e7
SHA1 287f6435f4fe3c84f8bb861de112716553b57a9c
SHA256 5efbb305c017f8c3b6e523387672ac6189a53ea356a3db7bd6fe77370b181184
SHA512 765683c04bb4a9e6887a8e2d986b458909bc073225b048110e79a822ef54bce70c03c0599f5b16023dd1dcbd624f6e3f0242731764e2ee1819d35d151d385dce

memory/888-14-0x00007FF6A6480000-0x00007FF6A67D4000-memory.dmp

memory/1444-18-0x00007FF6FBAB0000-0x00007FF6FBE04000-memory.dmp

C:\Windows\System\qCbNCJM.exe

MD5 a0e46ea121ae5eb9bbd0616439e3f86f
SHA1 59511c14031271b3654eae1d0a8fbbc68aa8e7af
SHA256 ffcf9c631a444d9b614c6a1e5afa11a3d89ff42a7e5b3fd8a1f884c9d4a29996
SHA512 f8447dbb5363a004ad5793f970762f9890ec05146e8705c4bd592d2b47a38a5b98454605ae77efae8c85d1508d5dd8b6b2b5159129f1e12028800347d0decd0e

memory/1360-24-0x00007FF7CA630000-0x00007FF7CA984000-memory.dmp

C:\Windows\System\bUxJguO.exe

MD5 1f242b01747803e9df2ed025346306fe
SHA1 61b2669fc02e7044f175e3e48787d55e80ee9bd9
SHA256 8ebd8730dc6c446a2dfc529a07f403cf365c1e0ef172240ab7b4c343a3c653f8
SHA512 5b3d96805cc2df831538ccd8757b095cf50e0cafe58773f8b70efaa8847a85cf8399b257f33be2ad7d3b0533bf37a4dda6444d59f5c339903d935ac572d23abc

memory/4728-30-0x00007FF6E22E0000-0x00007FF6E2634000-memory.dmp

C:\Windows\System\tlsInyL.exe

MD5 20c0ee4467d998e0371e8a548d3e6e11
SHA1 0f057e880bf24bc8d35962e3f4fb80c56b5d8ff3
SHA256 13cb3b1a568793ea70e83d04a0b08c19718c352a6d84a9eae0d7831f77a0f891
SHA512 62da23a82ad7733d49872957b2b56a8dc6e15173ba37350684ff58ba78024c81172f853638b34d9f2032a2f04a83effda01d24775c26c91b24a9d85b646702fc

C:\Windows\System\ZNSeXeE.exe

MD5 66758517bccae7f0ce7876bcd19c3a20
SHA1 49c14c604d4a2d794cddd5267bf89725654823a9
SHA256 f60f20371237e9b39ebaf24dd994c04df33602ad295f471233b8e77b430117b4
SHA512 fd7c4bbf3b9cbad59b214cd7e9fcf9f1cdc313ea6716437e556d42a9f8c7c887aec4c25337e377765bcceab45eb9fb987033cf58b85bbfd5e4fb65a503f0781a

memory/5008-42-0x00007FF7A79D0000-0x00007FF7A7D24000-memory.dmp

memory/3892-44-0x00007FF6FF7C0000-0x00007FF6FFB14000-memory.dmp

C:\Windows\System\DfsZyPw.exe

MD5 37159c62cf0dd89a45089c1a771b2b89
SHA1 b741c381b8b812fd200fbc5af83953c9b8c04199
SHA256 97ac4664a7019565a5eaa2ddbb22adb9a79374faef6aa8eeaed11d56786f3de2
SHA512 c6452b1bf9a4febbe8585522a13f252856ca4ad9eb8c1819569748cba24e5282124c8b16afb9c3276e8dc178859499bfa99cb3c9b9cacce5fb920ec956b180dd

C:\Windows\System\ZCGmnmw.exe

MD5 17d2c0d2877a082bb44cb607c2e9adf4
SHA1 958f09ffe4400706216e7b10ffeb84fc848a7207
SHA256 cddde39b41bc1862d6dc7de4a08796b512e8fae973423a35f97a951da0cc048c
SHA512 7f424af37c69750192048c242481ba4282657d352834512e267c4b76d816579eb1da95d7758bbc113234f7551d1245b6d93d23de62e1f40adb6dc49e6deefb09

C:\Windows\System\KKDfimE.exe

MD5 b4ecf06e219e1aa90545dd947300cd18
SHA1 dea31ffb9b67bcc22ae78daf98e01674c7b42cfb
SHA256 e0105c5add748f36863d96433cb234a5c8e6c01171f975d5f12112b6f25916b3
SHA512 37b54ea6e7791e07660fbbd7519da4d52fc9d785ac10f753f7aa308319f08ef522d687ce0f7b97583ee14b93d65d69c36003fb49f58e76593fd582401c830741

memory/4236-64-0x00007FF6E80A0000-0x00007FF6E83F4000-memory.dmp

C:\Windows\System\oPSPMBF.exe

MD5 d1e750a020b0f9e707e6a58304ee1745
SHA1 dc9894bdeacfa212760edb54507a1186b464863c
SHA256 14f5788fea6c9b921b5f5bd6dc9fc9636ba81874b2aa16663e6378d13ee106cd
SHA512 bf28fa41df73e8df61db1d5f0c49fa66bc12006501cfc8edbdebc17f9685c354c5153358fae3ed3defbd850a1ef3b1b309e08a734e933107bf46637636a389ba

memory/4296-71-0x00007FF7F8EB0000-0x00007FF7F9204000-memory.dmp

C:\Windows\System\zlpaqIh.exe

MD5 3e3c2ab71af71419032f72a95587234b
SHA1 51913bf27120498194f919c59ebcd2a99231fce0
SHA256 6239df1a7a7df7d5013123ab47265ad69013e19e47e4458425def8e0a78e53b5
SHA512 616f2c8314d89a038e419b20557938df07f9f92579083e7bb6a65422609e94fe246b9918dfe137a7100a8e0b296ffc39e9608c7242a99ec158d3c449d879dbcd

C:\Windows\System\fiZqnfk.exe

MD5 52f403373ead9348c35d105441efca97
SHA1 6daf4960495b09222b234c18bddecbdc92ec5753
SHA256 35e1a2ac039d5357e777f49d4c15f609b77c1d0abb2481d721448b4f2c06f034
SHA512 e8143829771c019b6b79626f55833830dba9e12c04ef94848a47f5e2587566c46fbf9b17c14a2adcfe06d39efbf4f499b448fc0b77f9687fd01efe58e8dc3fbd

C:\Windows\System\BSUjYXo.exe

MD5 b9f600d8c83f29df5a2df4cb0c0c6b52
SHA1 1eed129d3acdd91c93cf0ce6de3e4e36f9e61a4b
SHA256 aee646a9178d7521845516c41ae87704b5e82f867e04e2ae055aa33dcf6a66bf
SHA512 4bb26866a495ff307cdab445b3744d419e156c21200f795562a94010289f81b34e6537b0d65985e40b49d743ed11566cda94d5f5b9ba81268694e33035939fea

C:\Windows\System\EfzCbmu.exe

MD5 e607cd176acae67a649296ff4bd64b3e
SHA1 3d57a2ecdac0d789cf576efa1388a7677a6eee4d
SHA256 907d39339fcacd88fe0088845edd257e06e6af0e5ff0df3b3a701fac96b66efe
SHA512 80e358ee02f05a6b4fd545335a67dd872347f968543e29052748d91e4228b9a5bdbfe4ba99a9caf78ca7735c46d2fbce5b54171c8881bad65a5a4a59fee7a359

C:\Windows\System\vBKSUyq.exe

MD5 2cf30f80942ffc1d9c89dd9c0a107417
SHA1 415f51954a5283e8e6c22f774075b433586628ed
SHA256 cbd257e1c8966e87f28159d57505281ee0b077faad17cb073b7810f28e4ce6e7
SHA512 8a0c4cebb62d8f8cf51e2b40ab192bee9ea2cd893a8f07ebd8929a4003d342f4d709d0190afabbe52e27ccf5920120dd1cf58dc54a1655e696c2f53ad1bcc72a

C:\Windows\System\knpJrBj.exe

MD5 3f442dc1d5dbbac5c98deec1c4b18d8f
SHA1 61a29888515b64a5e6a176396670c8aeb25ba9ff
SHA256 ab0e844eaa090769ca2baeb271458ef08c3c0d9885b39b653e857ba6c43a066a
SHA512 124298789dff066daa95886e4c48305f6ad762342a17cfd9ed9a77b0c2c882fbd5dd7e88bc82af01026b6878669a508a61f68a605ff9658f530c9774009b83f3

C:\Windows\System\ZCRJopC.exe

MD5 53e725ef66e2706bca8cf401a52d243b
SHA1 921eefac25ace625e56368db262793a988b453de
SHA256 ffc3e18fd01666814dfb9b48aefdc557e2bc29c74290aac7b29cc3fe2351f68a
SHA512 ce9ee8f00d3c59ee135ba9012c97d31c933f00b3b891ff3354af6fd538b0dd60cf5443857c68e49f3a46b07c18b51b0cbe347076ceca0e1fef46466bba4c8c9b

C:\Windows\System\ffsWkwk.exe

MD5 9d741155dd5c886a93c2fe00164d4e4a
SHA1 c54c20a1f3c1cc163371c47efeeb9d4efefef4a8
SHA256 b02eb718e018eca2db616762c241a98146a1c9e4a641c008005827b5914b8883
SHA512 aacd919ff70259ff6649554e3571471793c046a41985ea3ba92a5296a0f899ad50b09cc964a0852d12287bb687acca65f64d8beb05b8d759aaa9951853965854

C:\Windows\System\AMuVcKe.exe

MD5 1baf1db68fa2294e366ae54f80e2fa67
SHA1 524178e8dbdca07a37ed99d0c945d78356b851cf
SHA256 e8d24a281f6571113d3ed9f87ef22e126c58fcc9e393df23813f3a725e2f69bf
SHA512 ae92a7bcfddbff7543e457a8bd4d2933428b3ad226190e56e8736aae044cb418b55fb827572e6f14de9b679dcf9a694862aa96d2cbce36eb33a2533838ee6977

C:\Windows\System\vgMqwwH.exe

MD5 e729b4e55a5ec42df549d239d6f0da3b
SHA1 e712e4524c96ae884ed886cf2a2531b5cbd58187
SHA256 6a91d2ad9b44764b542351b2685e78c45a29fc95cd66954934dadcdc05a0f710
SHA512 463fecc82bf9280821e2704d15d7d50d9870bf257145ce8429f02eb2dd4b2471cfd6fcfb6aeb87f639b5c30e32844598428b4cce28143588cc980a949b7fee62

memory/1012-65-0x00007FF70C210000-0x00007FF70C564000-memory.dmp

memory/2580-55-0x00007FF716D40000-0x00007FF717094000-memory.dmp

memory/2560-51-0x00007FF7EEEF0000-0x00007FF7EF244000-memory.dmp

memory/3188-119-0x00007FF73A470000-0x00007FF73A7C4000-memory.dmp

memory/4012-120-0x00007FF693900000-0x00007FF693C54000-memory.dmp

memory/1824-121-0x00007FF7847D0000-0x00007FF784B24000-memory.dmp

memory/4352-122-0x00007FF62BF60000-0x00007FF62C2B4000-memory.dmp

memory/3392-123-0x00007FF67CF80000-0x00007FF67D2D4000-memory.dmp

memory/3448-124-0x00007FF7C9050000-0x00007FF7C93A4000-memory.dmp

memory/4992-125-0x00007FF674560000-0x00007FF6748B4000-memory.dmp

memory/1652-126-0x00007FF6C3F10000-0x00007FF6C4264000-memory.dmp

memory/4020-128-0x00007FF7972C0000-0x00007FF797614000-memory.dmp

memory/3428-127-0x00007FF6AD6A0000-0x00007FF6AD9F4000-memory.dmp

memory/1444-129-0x00007FF6FBAB0000-0x00007FF6FBE04000-memory.dmp

memory/1360-130-0x00007FF7CA630000-0x00007FF7CA984000-memory.dmp

memory/4728-131-0x00007FF6E22E0000-0x00007FF6E2634000-memory.dmp

memory/2580-132-0x00007FF716D40000-0x00007FF717094000-memory.dmp

memory/4504-133-0x00007FF642DF0000-0x00007FF643144000-memory.dmp

memory/888-134-0x00007FF6A6480000-0x00007FF6A67D4000-memory.dmp

memory/1444-135-0x00007FF6FBAB0000-0x00007FF6FBE04000-memory.dmp

memory/1360-136-0x00007FF7CA630000-0x00007FF7CA984000-memory.dmp

memory/4728-137-0x00007FF6E22E0000-0x00007FF6E2634000-memory.dmp

memory/5008-138-0x00007FF7A79D0000-0x00007FF7A7D24000-memory.dmp

memory/3892-139-0x00007FF6FF7C0000-0x00007FF6FFB14000-memory.dmp

memory/2560-140-0x00007FF7EEEF0000-0x00007FF7EF244000-memory.dmp

memory/1012-141-0x00007FF70C210000-0x00007FF70C564000-memory.dmp

memory/2580-142-0x00007FF716D40000-0x00007FF717094000-memory.dmp

memory/4296-143-0x00007FF7F8EB0000-0x00007FF7F9204000-memory.dmp

memory/3188-144-0x00007FF73A470000-0x00007FF73A7C4000-memory.dmp

memory/4012-145-0x00007FF693900000-0x00007FF693C54000-memory.dmp

memory/1824-146-0x00007FF7847D0000-0x00007FF784B24000-memory.dmp

memory/4352-147-0x00007FF62BF60000-0x00007FF62C2B4000-memory.dmp

memory/3448-148-0x00007FF7C9050000-0x00007FF7C93A4000-memory.dmp

memory/3392-149-0x00007FF67CF80000-0x00007FF67D2D4000-memory.dmp

memory/1652-151-0x00007FF6C3F10000-0x00007FF6C4264000-memory.dmp

memory/4020-153-0x00007FF7972C0000-0x00007FF797614000-memory.dmp

memory/4992-152-0x00007FF674560000-0x00007FF6748B4000-memory.dmp

memory/3428-150-0x00007FF6AD6A0000-0x00007FF6AD9F4000-memory.dmp
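
The facts a responder needs from the tables above are spread across flat text: which files were dropped and with what hashes (Drops and Files), which PID wrote into which child (WriteProcessMemory), whether the dumps share one image size, and what the Network table actually records. Every image dump in both detonations spans 0x354000 bytes (the parent's one 0x10000 region aside), which is what you would expect when one dropper writes the same unpacked image into each child. The Python below is an added example, not part of the report and not sandbox code; it parses a constructed excerpt whose lines are copied from the behavioral2 tables, and the line formats visible on the page are the only thing it assumes. Run it on the full tables by pasting them into REPORT.

```python
"""Parse the flat sandbox tables above into checkable IOC structures.

Added example; not part of the report and not sandbox tooling. It runs on a
constructed excerpt whose lines are copied from the behavioral2 tables (the
line formats are the only assumption) and answers what a responder wants:
dropped files joined to their hashes, which PID wrote into which child,
whether the dumps share one image size, and what the Network table contains.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_77b8dee5eedcb5ffd9bde8422fb7026b_cobalt-strike_cobaltstrike.exe")

# Constructed excerpt: lines from the Drops, WriteProcessMemory, Files and Network tables.
REPORT = rf"""
File created C:\Windows\System\UUxJRWt.exe {SAMPLE} N/A
File created C:\Windows\System\mliegAz.exe {SAMPLE} N/A
PID 4236 wrote to memory of 4504 N/A {SAMPLE} C:\Windows\System\UUxJRWt.exe
PID 4236 wrote to memory of 4504 N/A {SAMPLE} C:\Windows\System\UUxJRWt.exe
PID 4236 wrote to memory of 888 N/A {SAMPLE} C:\Windows\System\mliegAz.exe
memory/4236-0-0x00007FF6E80A0000-0x00007FF6E83F4000-memory.dmp
memory/4236-1-0x0000015282870000-0x0000015282880000-memory.dmp
memory/4504-8-0x00007FF642DF0000-0x00007FF643144000-memory.dmp
memory/888-14-0x00007FF6A6480000-0x00007FF6A67D4000-memory.dmp
C:\Windows\System\UUxJRWt.exe
MD5 89111ce7e12805943035675929f08a68
SHA256 835329bfc8953d483d84817bd2288878f82f3555e8fff1bfa5d6a0fbd9d53b1c
C:\Windows\System\mliegAz.exe
MD5 b6ef0ae7dafd7151456c3e50c773e3e7
SHA256 5efbb305c017f8c3b6e523387672ac6189a53ea356a3db7bd6fe77370b181184
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""
LINES = [ln for ln in REPORT.splitlines() if ln.strip()]

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\\S+\.exe$")  # bare path line that opens a hash block
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
NET_RE = re.compile(r"^([A-Z]{2}) (\d[\d.]*):(\d+)(?: (\S+))? (tcp|udp)$")  # domain cell absent or "-"


def dump_regions(lines):
    """Region size -> sorted PIDs holding a dump of that size (shows the shared image size)."""
    by_size = defaultdict(set)
    for line in lines:
        m = DUMP_RE.match(line)
        if m:
            by_size[int(m[4], 16) - int(m[3], 16)].add(int(m[1]))
    return {size: sorted(pids) for size, pids in by_size.items()}


def write_targets(lines):
    """Parent PID -> {(child PID, child image)}; the report lists each event twice, the set dedupes."""
    graph = defaultdict(set)
    for line in lines:
        m = WPM_RE.match(line)
        if m:
            graph[int(m[1])].add((int(m[2]), m[4]))
    return dict(graph)


def dropped_files(lines):
    """Dropped path (lower-cased, NTFS is case-insensitive) -> dropper plus the hashes under Files."""
    dropped, hashes, current = {}, defaultdict(dict), None
    for line in lines:
        if m := DROP_RE.match(line):
            dropped[m[1].lower()] = {"dropper": m[2]}
        elif PATH_RE.match(line):
            current = line.lower()
        elif current and (m := HASH_RE.match(line)):
            hashes[current][m[1].lower()] = m[2]
    for path, info in dropped.items():
        info.update(hashes.get(path, {}))
    return dropped


def network(lines):
    """(IPs that were reverse-looked-up, decoded from in-addr.arpa; direct destinations with counts)."""
    ptr, direct = set(), defaultdict(int)
    for line in lines:
        m = NET_RE.match(line)
        if not m:
            continue
        country, ip, port, name, proto = m.groups()
        if name and name.endswith(".in-addr.arpa"):
            ptr.add(".".join(reversed(name[:-len(".in-addr.arpa")].split("."))))
        else:
            direct[(country, ip, int(port), proto)] += 1
    return sorted(ptr), dict(direct)


if __name__ == "__main__":
    for size, pids in dump_regions(LINES).items():
        print(f"dump size 0x{size:X} in PIDs {pids}")
    for parent, kids in write_targets(LINES).items():
        print(f"PID {parent} wrote into {sorted(kids)}")
    for path, info in dropped_files(LINES).items():
        print(path, info.get("sha256"))
    print(network(LINES))
```

On the excerpt, dump_regions reports one 0x354000 region in each of PIDs 888, 4236 and 4504 plus the parent's 0x10000 region; the SHA256 values the parser recovers are the ones to push to blocklists, and the PTR names decode to the address that was looked up (217.106.137.52.in-addr.arpa is a query about 52.137.106.217, not a connection to it).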