Malware Analysis Report

2025-01-22 19:53

Sample ID: 240601-jhedmsec4z
Target: 2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike
SHA256: 2812b83df1c5b798e27f6b502d6f56e7b2dcc5c92681ffadd04022d5b7ecc1f6
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 2812b83df1c5b798e27f6b502d6f56e7b2dcc5c92681ffadd04022d5b7ecc1f6

Threat Level: Known bad

The file 2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

Cobaltstrike family

UPX dump on OEP (original entry point)

Xmrig family

xmrig

Cobaltstrike

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-01 07:39

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 07:39

Reported: 2024-06-01 07:42

Platform: win7-20240508-en

Max time kernel: 144s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\upBFOdI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ldMBkKf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cvzwgQD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rRUAKWb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FbdoAuI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CkPnPkj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RGDHYYw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CyhwBhE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RozHNzE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iLfKNRo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NULmVgk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EComwkx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lzmDjJJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OiwFKPQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZMUBftx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mIdMjhP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ASyUBSN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AJPtZsF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zHLVcUe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mNrCLNM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Engpspt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\CyhwBhE.exe
PID 2324 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\cvzwgQD.exe
PID 2324 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\OiwFKPQ.exe
PID 2324 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zHLVcUe.exe
PID 2324 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZMUBftx.exe
PID 2324 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\mIdMjhP.exe
PID 2324 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\NULmVgk.exe
PID 2324 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\EComwkx.exe
PID 2324 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\mNrCLNM.exe
PID 2324 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\rRUAKWb.exe
PID 2324 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\Engpspt.exe
PID 2324 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FbdoAuI.exe
PID 2324 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\lzmDjJJ.exe
PID 2324 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\RozHNzE.exe
PID 2324 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\iLfKNRo.exe
PID 2324 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\CkPnPkj.exe
PID 2324 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\upBFOdI.exe
PID 2324 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ASyUBSN.exe
PID 2324 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\AJPtZsF.exe
PID 2324 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ldMBkKf.exe
PID 2324 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\RGDHYYw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\CyhwBhE.exe

C:\Windows\System\cvzwgQD.exe

C:\Windows\System\OiwFKPQ.exe

C:\Windows\System\zHLVcUe.exe

C:\Windows\System\ZMUBftx.exe

C:\Windows\System\mIdMjhP.exe

C:\Windows\System\NULmVgk.exe

C:\Windows\System\EComwkx.exe

C:\Windows\System\mNrCLNM.exe

C:\Windows\System\rRUAKWb.exe

C:\Windows\System\Engpspt.exe

C:\Windows\System\FbdoAuI.exe

C:\Windows\System\lzmDjJJ.exe

C:\Windows\System\RozHNzE.exe

C:\Windows\System\iLfKNRo.exe

C:\Windows\System\CkPnPkj.exe

C:\Windows\System\upBFOdI.exe

C:\Windows\System\ASyUBSN.exe

C:\Windows\System\AJPtZsF.exe

C:\Windows\System\ldMBkKf.exe

C:\Windows\System\RGDHYYw.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2324-0-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2324-1-0x0000000000100000-0x0000000000110000-memory.dmp

C:\Windows\system\CyhwBhE.exe

MD5 cd0ba8527488125d87d92bb9d2c3905a
SHA1 4d426a270dfe4d69c09c4e4474684225bb40b612
SHA256 4d1d92cd1168973d5da6e8f5a79c66f31e2c6ae991a072dd4c3e5457566f58a2
SHA512 419daa9cb4a8878efde32af5c6e5dfb8021ed0150fb25f83306368e088adfe762eeff66518380645fa13e1cf921bb86768ebd5483bfad1ffa76620f47e6b5acc

memory/2292-20-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/2324-28-0x000000013FF80000-0x00000001402D4000-memory.dmp

\Windows\system\ZMUBftx.exe

MD5 21c6e26c6a894b47971b2b738f0e91bc
SHA1 53cbf6fc493dddf2e1e8bc0d7579fbbcd311c67f
SHA256 00408afb4350adfeebfd7f99787e76810e7d648a120db910dc3e061967f6944d
SHA512 0afa8c506a173b13e3c8c16b04bd69a80709d3f09074b8617be3bb399fd5b220d1d5b7c55ff79cb48c0c599bce03cf44f525ed3d86bde33b33a117b0e05e4a5e

memory/1308-19-0x000000013F520000-0x000000013F874000-memory.dmp

C:\Windows\system\OiwFKPQ.exe

MD5 3dcb1fe98510c8faa44627192e5f5af7
SHA1 624f2d97bf265011db8ffdaeea34d18b07e06b6c
SHA256 9c5fd1b0a69d440b3476db3854fdd94f59b6aba9d9ce6b2133c9a1c3c4fc9220
SHA512 ee638829e250e506fa468992d8090ee97341fc6d31b0415946553b47e0466a6a7dcd6e14c8f8fdb3f198dda06e7c60701eaef36432acf5a590a9fb15e8254b4c

\Windows\system\cvzwgQD.exe

MD5 9f20dae255048a531322ccb73d498d17
SHA1 43660a1ba8792d934dedc2a6736afab252fafd16
SHA256 45be14f96610d2499c7ca74fd55f7af2bdca42f4340ee5a3b21ea873bc1433b3
SHA512 cdf7707bba8f6a505a765ffd49f707cc3d7c06c7b64f54f704a200876d1b62f85e0ab53a94717fb0d946f52f888a1f87866b372b2ebfd907c92d05a0ea81b3f7

memory/1264-16-0x000000013F120000-0x000000013F474000-memory.dmp

C:\Windows\system\ldMBkKf.exe

MD5 43f1e0d70519fab542cd6a43db077f73
SHA1 7f825ad754e6d6e12eb9a19ae12e099078d5c2db
SHA256 c926ad379e53665814b891c6014f8d0df8bfc0eb55a7cde2729c8d8d561a1e53
SHA512 2f606d065f052fa813c1d8607ef8a6eca9152e27d94d7ccdadf4ce9481f0be8ecf0a1a40a98e43856a0c3bc235f6f96889d20c937a0758317eb1af2ec3067786

memory/2612-135-0x000000013FDA0000-0x00000001400F4000-memory.dmp

C:\Windows\system\ASyUBSN.exe

MD5 12c1616f42906c47d76649d23bbc92fc
SHA1 eb2c4e395960aa05de7f7e0a3c39a669f3287790
SHA256 edbe387da0918b2bf2e91a164a6df8d7cbd6095d4e4c8839987d841757c06f23
SHA512 5df1b2888febf9bc8020ed002e4f07361a21fdf844496af367ffbf342f0482cda459314c1d6158f486b245253d3dd8659bbd865070c18f824e80d4a9e786878a

C:\Windows\system\RGDHYYw.exe

MD5 ab700f6af243aab5bb6b2a1e0002103c
SHA1 c12de9b2057492c51fc8da3fbc3dc38246b01f52
SHA256 8f1f0478fcc85444aa57bdd6c6ee8b13a813f59116c8bde271599afed7734013
SHA512 8c3b2e568fba636fb5dafda74d464898147a360362284c36ee127ae33f85b3969d8974cc1a8ce2a6ecfa40951bb1c5abcfd6851f686d19791e90dd5435b97173

C:\Windows\system\AJPtZsF.exe

MD5 1c19950a2d067b320bb901645a21c1df
SHA1 549c6f1a2ff3e6f79f71e1bc6c141745c9608445
SHA256 27a7c2bd8744389c6e99d0e7c69db49b01512d89aacc43ee357bc28470165577
SHA512 554ef2110e1e95e7b061bbb25c26b041aa6077466844fd24ec3fb7c6e96474be2b5c4c5e735116f0687a1f656c6418fcad81e1116826e334aa01c304db8daa3e

C:\Windows\system\upBFOdI.exe

MD5 7e35cbf156c355395bc5c285fadf04ed
SHA1 795dd19c122910e6b8acfc369afde6d78adcb255
SHA256 5fe63a45bbbfc2be7fd1823a2a1fcd42453f5b073dd744b38f9d4c3494584b16
SHA512 eb5ded9079760489eeb16a699af355770bafaac7b3613de8f2ffa1f6058c5b2bab6b7dcb2c8b0c82a5ae03e66a5e2fcd83e7e9bf5ad2f6eb04908f904ae15fb2

C:\Windows\system\CkPnPkj.exe

MD5 9667a75e222c095f546f96a04d4712dd
SHA1 f6f4e538ab8c0dec75e16fe3e03c3d23c052c1da
SHA256 55bfaff0616d80f90cc8eb6a28481bc0e68557a620484045ca6cab76df558cdb
SHA512 b4031d51503ffabee5d37a9c03acf497e70c51e6ed2cd1abfd9701ea4d26b6ea4fae6f9073c4fb480236037aaf760fcc3095fa732e38e672ccaea7f3ff4d4337

C:\Windows\system\iLfKNRo.exe

MD5 640da0ae09fe11c28c28028430b5d0b2
SHA1 46cb555d8b9124c9ea8068452b8c6d8edf8891e9
SHA256 4ec9762244844fc74e3ad83bd396d8d9dd25e472b3da469de5f5fd0c707b9678
SHA512 f705393818e2b7b47f97c4baf89ab7c7852f3c2d4bd9c0afd19395a766ccd9433e8307482d440e5215cc166395679d51638f42bdd89c0d3e8e65bb683723cd72

C:\Windows\system\RozHNzE.exe

MD5 68b4224a68d2c7cbd954db1a8aebc214
SHA1 1b1a280309390a638071d3c7c8898574252f416c
SHA256 5771ebd0e928544246bd9f8f8d0f2e11678a0fb03473148aa756a331ca876d69
SHA512 449900711eb6cb7e1b2f8604bd5ba25693c50ecca40f367423cd33346f6dd542d2ef00e66a3930d20df70058c0020d022193742984648004968202849be700d7

memory/2324-101-0x00000000023F0000-0x0000000002744000-memory.dmp

memory/2076-85-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/3044-100-0x000000013F7E0000-0x000000013FB34000-memory.dmp

memory/2324-99-0x00000000023F0000-0x0000000002744000-memory.dmp

memory/2940-92-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2324-91-0x000000013F390000-0x000000013F6E4000-memory.dmp

C:\Windows\system\lzmDjJJ.exe

MD5 4a402908a7e9b9672918be530788327f
SHA1 e88d37adb07aaaf643ec8704d28486cfe78c4ec6
SHA256 2d7f7fe43e68cffbce3a342c941e14092f3a7fc0909d35356ed4f3cde2eb9807
SHA512 0ae272a9d7186639e9597ba6e6ab5c179574f473cad667e082b91a7a9865aefb6cc0f4a46c5dfcb48468e6f5c9d3f37fe6907c354659b16685825463accde622

C:\Windows\system\FbdoAuI.exe

MD5 de613523e01d7605d221578c60bc2147
SHA1 07cd064b10bfc631ed35ff36e36caa6c7318c6db
SHA256 b28f5bd1912180619b990fdc879baf452ff4a184419840e84a2147c85e7b797f
SHA512 7e895ba2fc3f02d2611a5a95af41ee4bbb9b5be6875e358d14bce3af68a220a1aa1eac517b4780b9728879c1d7d678b15b3ad73fba725b37d23b00c91715baf9

memory/2324-80-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/1640-79-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/2324-78-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/2576-77-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2324-76-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

C:\Windows\system\rRUAKWb.exe

MD5 a38284a6ee84355933b4bbdb528e67cf
SHA1 ec7ad729828c0e194d3230497dfa30b0343f68c3
SHA256 2d689542cbe0682e131131f9009294dd86c98de3914b5e07b9300e19fb66a243
SHA512 e3e594f1deef76cb00199ebfaf973a74832da69608fce8da0e2889ab1c9dfbe0202760dd0519f1c85900928eda18cd18169934e66d19f4f46b37f8e42c211477

memory/2324-56-0x000000013FB50000-0x000000013FEA4000-memory.dmp

C:\Windows\system\EComwkx.exe

MD5 97baedd223c57b1ca62a36439eaeee65
SHA1 4a7106ac5dc8b6a21ea4f450d346ffab85a9a8db
SHA256 6e4dc8e5cc149ce113619331217a217b9bf2a0df41c08c1fbf82e4514f801e3c
SHA512 7bc0d2438a3c58272cbbf4859f5284451fe29626cdec548f107c4cb3f87f027516fd1b58e1ed58683a8e775915846d778f6c398ef936eefcf13be00f4d94da40

C:\Windows\system\Engpspt.exe

MD5 196ad1df7bb8c2e4b7e849b2392f4446
SHA1 135c6bd9467cf13766b67ff565d0701e6f14f948
SHA256 0d3fbda06eff180b10746d37eb15201161587cf1021e2bbe663f72613e5766ff
SHA512 b8a426b61f5225ea134da9e4bb0f465af30f84c19abf87a0c308890ed16af1cae05792bb00cc1d7e4bbabac226578c9e583eb162c81091f08b3e30335ddbaf2c

memory/2612-63-0x000000013FDA0000-0x00000001400F4000-memory.dmp

memory/2324-62-0x000000013F790000-0x000000013FAE4000-memory.dmp

C:\Windows\system\mNrCLNM.exe

MD5 9e3f44e46c91f1336dccb47f46cdb68c
SHA1 39f84a6942399cf75e131971860cb05c95e5f61c
SHA256 b7d79a66f10097c163d95eea9d2b74105166786618ff2910d400b989b336e043
SHA512 a3dd2482b8d12bf03a167b45eb6c517ad6d2e9ad07253bdbf38efe3318c31ced53ed75875c5097fb59ff23c8c452250fe767f5831b2f879f0b2b999e4d26bfc4

memory/2872-59-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2096-50-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2324-49-0x000000013F340000-0x000000013F694000-memory.dmp

C:\Windows\system\NULmVgk.exe

MD5 0bf76f9d03787bc6830584db6a0e0130
SHA1 b22df7641bd1eb80bd088f293402bbf9ef76f124
SHA256 5742bb259302d733690ed8c8dc66435eaf1ec4d048a576ab7b92dfd1f7930e68
SHA512 860bfb6ecf2281ebde15ab124840588bdfbf6378a4f114fc560cde8a48fe9996bffdda8c316bcb80f0dc1f864f07444a3981d7af152bc4d85876dea96bd4c426

memory/2992-43-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2696-42-0x000000013FD10000-0x0000000140064000-memory.dmp

C:\Windows\system\mIdMjhP.exe

MD5 b8eaaf7d424d082e91e90ed2a7d57374
SHA1 c2878e5a720cfb85b5c1875ec4abf93cf09bc973
SHA256 84529701e11ca8f25d3a7dec1d608c1448777747607db2a8cf392b08c4a8e1a9
SHA512 1d746f87e085e8568eeeb0b187223c35d2bfa30a9ff3eee0389a527118a70260649c8084fe596f0752c267fc2e7bf1f9b50866f3cfb91b62517540be5033886b

C:\Windows\system\zHLVcUe.exe

MD5 c2e5a43bec2efd5d34d08bb049aebde2
SHA1 446e69ca4b2c2a6d31b81f4d327acc010bd9e5c2
SHA256 1fda8f91717f75ba6aa6b97591da95039b99df7e51a6763f1ea0e660199c6fe8
SHA512 21e2b8b958e2f2c75d3b2d1034370a82dbbd3940f4d95dcaf67577423606783a932bccf521dd3c7788b01c1b2a267dd0f9b05364a9c48812574197af69abf473

memory/2324-37-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2324-24-0x00000000023F0000-0x0000000002744000-memory.dmp

memory/2764-33-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2324-31-0x00000000023F0000-0x0000000002744000-memory.dmp

memory/2324-30-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2324-136-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/2324-137-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2324-138-0x00000000023F0000-0x0000000002744000-memory.dmp

memory/1264-139-0x000000013F120000-0x000000013F474000-memory.dmp

memory/1308-140-0x000000013F520000-0x000000013F874000-memory.dmp

memory/2292-141-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/2764-142-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2992-143-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2696-144-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2096-145-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2872-146-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2612-147-0x000000013FDA0000-0x00000001400F4000-memory.dmp

memory/2576-148-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/1640-149-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/2076-150-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2940-151-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/3044-152-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:39

Reported

2024-06-01 07:42

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\AVuegPc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cAKeYbV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZHofxwX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XRZitva.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KrmITbE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bHMNfco.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oSIAFPb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TIvrXUm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FOVURqb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lrPGQLW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FjKcTIo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wmtwiAs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xnRvASr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sHCPDPv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ttFlTeb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hjQHIfY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LpHwkyn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xagkThT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XxAWNWl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\opjZznO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FBZXodq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3592 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FjKcTIo.exe
PID 3592 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FjKcTIo.exe
PID 3592 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\wmtwiAs.exe
PID 3592 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\wmtwiAs.exe
PID 3592 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xagkThT.exe
PID 3592 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xagkThT.exe
PID 3592 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZHofxwX.exe
PID 3592 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZHofxwX.exe
PID 3592 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xnRvASr.exe
PID 3592 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xnRvASr.exe
PID 3592 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\oSIAFPb.exe
PID 3592 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\oSIAFPb.exe
PID 3592 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\XxAWNWl.exe
PID 3592 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\XxAWNWl.exe
PID 3592 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\XRZitva.exe
PID 3592 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\XRZitva.exe
PID 3592 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\opjZznO.exe
PID 3592 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\opjZznO.exe
PID 3592 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\KrmITbE.exe
PID 3592 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\KrmITbE.exe
PID 3592 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\bHMNfco.exe
PID 3592 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\bHMNfco.exe
PID 3592 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FBZXodq.exe
PID 3592 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FBZXodq.exe
PID 3592 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\sHCPDPv.exe
PID 3592 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\sHCPDPv.exe
PID 3592 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ttFlTeb.exe
PID 3592 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\ttFlTeb.exe
PID 3592 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\hjQHIfY.exe
PID 3592 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\hjQHIfY.exe
PID 3592 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\TIvrXUm.exe
PID 3592 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\TIvrXUm.exe
PID 3592 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\LpHwkyn.exe
PID 3592 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\LpHwkyn.exe
PID 3592 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FOVURqb.exe
PID 3592 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\FOVURqb.exe
PID 3592 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\lrPGQLW.exe
PID 3592 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\lrPGQLW.exe
PID 3592 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\AVuegPc.exe
PID 3592 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\AVuegPc.exe
PID 3592 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\cAKeYbV.exe
PID 3592 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe C:\Windows\System\cAKeYbV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_84b13258b241ffb19d2c3228b9d2ded6_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\FjKcTIo.exe

C:\Windows\System\FjKcTIo.exe

C:\Windows\System\wmtwiAs.exe

C:\Windows\System\wmtwiAs.exe

C:\Windows\System\xagkThT.exe

C:\Windows\System\xagkThT.exe

C:\Windows\System\ZHofxwX.exe

C:\Windows\System\ZHofxwX.exe

C:\Windows\System\xnRvASr.exe

C:\Windows\System\xnRvASr.exe

C:\Windows\System\oSIAFPb.exe

C:\Windows\System\oSIAFPb.exe

C:\Windows\System\XxAWNWl.exe

C:\Windows\System\XxAWNWl.exe

C:\Windows\System\XRZitva.exe

C:\Windows\System\XRZitva.exe

C:\Windows\System\opjZznO.exe

C:\Windows\System\opjZznO.exe

C:\Windows\System\KrmITbE.exe

C:\Windows\System\KrmITbE.exe

C:\Windows\System\bHMNfco.exe

C:\Windows\System\bHMNfco.exe

C:\Windows\System\FBZXodq.exe

C:\Windows\System\FBZXodq.exe

C:\Windows\System\sHCPDPv.exe

C:\Windows\System\sHCPDPv.exe

C:\Windows\System\ttFlTeb.exe

C:\Windows\System\ttFlTeb.exe

C:\Windows\System\hjQHIfY.exe

C:\Windows\System\hjQHIfY.exe

C:\Windows\System\TIvrXUm.exe

C:\Windows\System\TIvrXUm.exe

C:\Windows\System\LpHwkyn.exe

C:\Windows\System\LpHwkyn.exe

C:\Windows\System\FOVURqb.exe

C:\Windows\System\FOVURqb.exe

C:\Windows\System\lrPGQLW.exe

C:\Windows\System\lrPGQLW.exe

C:\Windows\System\AVuegPc.exe

C:\Windows\System\AVuegPc.exe

C:\Windows\System\cAKeYbV.exe

C:\Windows\System\cAKeYbV.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp

Files

memory/3592-0-0x00007FF67B4C0000-0x00007FF67B814000-memory.dmp

memory/3592-1-0x000001FAA4750000-0x000001FAA4760000-memory.dmp

C:\Windows\System\FjKcTIo.exe

MD5 79201edd9bb31d514e5bf245ef7e078e
SHA1 0f12df8c5ff3419408f2830cc9150908a055a74b
SHA256 3aaf97731117a58cc131d38f118d6260a3980fad09e50e58eaa0592d02cbf573
SHA512 b1f97826711f5fc2d3b106b5b9dc8300ed8c4641b79f5f1bd043381b4b9587bfad0a4fbec43d7056dc9dbd4fb6257e20677b4d296e2024b78924b7736e4b685f

memory/2380-8-0x00007FF7DF000000-0x00007FF7DF354000-memory.dmp

C:\Windows\System\xagkThT.exe

MD5 9e2be0c0601bd00d4fc6d14c40f17ab0
SHA1 a76a7ef98aa0db2aa44f73319fc55f78c5b41fd0
SHA256 1122c5ddab0d0ed857c49eec6baf488c1d2fb20fb5b526b9c15ef7c4b7537e37
SHA512 7bb0e8d2a8793538fc4bb0d587bc4cefb81a3510ad07450038f91cbfbddab02c067f7497bb8acdbadf4fb201b2da12f8af3c29425a81169f6285e54f01e63498

C:\Windows\System\wmtwiAs.exe

MD5 0b71bc8b98f00c1f87cb54bee2fc6fb2
SHA1 d2abf92e2771a232d9aa1a8fcadfdb0ff4b0f635
SHA256 7f0c73d1efac9b114f104bdceb9c8a96e40af4d17ea2d886448c2e94dec44c5f
SHA512 bcf95bb444947228df6499462ff4d2be267e3dc598ab84b02416d867240961f4ad036ae045c1b28ada30d5a8304f9b1fa9b5c736885862f575421ec53ff1c044

memory/1268-14-0x00007FF7E6A70000-0x00007FF7E6DC4000-memory.dmp

C:\Windows\System\ZHofxwX.exe

MD5 46d5604c6ba4b9947969c379e49c4908
SHA1 e2acaea09b8856bf35bd65eceb6b3b2bd11d85a1
SHA256 d29d8a281cf8da1615fc195bf773fbd3f328020d59abbbb5e45ab8dec8fbdb93
SHA512 053a2fa7c8c53efd3cefd4ebf7e83604c21c0858a52b8045e49cbc6f13ee1d33c5666ead3515de3836c3b6c3478fabd882da4566ead55888751679f52478c97f

memory/1560-21-0x00007FF775BE0000-0x00007FF775F34000-memory.dmp

C:\Windows\System\xnRvASr.exe

MD5 2dfd79b5b526baacceab6970dfb06d20
SHA1 56f12c126a077b5dbd49c241bca038aae17f74d9
SHA256 1e4cec97ef1bfcc64d306f67ad45e41c770fcdcdb16d48e427fe6bc20fe3f16e
SHA512 26689f98884ce30b27503cdd11073900992a82a71509f9bac55f12612f757af49c19f3330a222a21dde41b7e9aec0ad47a06f897cf78c0584f5b1cc710c93b65

memory/3368-32-0x00007FF6442E0000-0x00007FF644634000-memory.dmp

memory/1528-26-0x00007FF7A3DC0000-0x00007FF7A4114000-memory.dmp

C:\Windows\System\oSIAFPb.exe

MD5 f2c6d7b6b8b242e96e36c751a404a387
SHA1 1e2c9fa117577b27a8c4c5f2dd94400aae75c322
SHA256 565d6bf565e0de0f621e788611f1daf60f1ea2b3a97301666f95451e344f5997
SHA512 81000b2fa8de455a668bda413c4c63c67195dd1553f5fc44f8921aa290a9c3ac988d0f24323ec214434412849ff173e52959dc613d24be9a3d3081ebe6eb80cc

C:\Windows\System\XxAWNWl.exe

MD5 673d0d3adfacebf9559908cebb6bb420
SHA1 de68d279f4036145d885197633c02303b237154d
SHA256 3d16e0f70b1498159a5232b5d406fd0c233655c7f801eed5fa203ca34a349475
SHA512 af325975da19b771353e12e248da10a084d0fa72078a4fca31cffb298630be0ba0280513b53aae28eb664944c2a6dd67e5adcd7c0dac985b39479c57dd3f8c29

C:\Windows\System\opjZznO.exe

MD5 1d24676f10e1127891d8abaf4f6ac336
SHA1 78b62dc1ecfbe629f09ab079c62f889976ace995
SHA256 d515432a8d11c1260defc46b1e1940aa0ac8cabe62807ab6b961e96fe48074df
SHA512 7a1701be3d9a4bc934681bfbc062ac360cf9b2bf6ffeb182f6e4a5a653958abca1b06c53bc3f365f045e45cccc27c4c9b34c8af855b85c8bc29226e43616930f

C:\Windows\System\KrmITbE.exe

MD5 bc5c99d3213e25acdd5a2eee20535f8a
SHA1 cfad284c54343c5cb5c6c1a06b0e3cd1c8979dc4
SHA256 1e313461b66ab658143bb7ac8bd7783924b86f18a422f53ce36251d048b1d2ea
SHA512 85b49ce498af576408511f366e2a991fbd0e7171728115167d07a63822f11c810b5e155d63738873c8a4230e95a56d7258c7a435573c818517d97eb2b99b913f

C:\Windows\System\FBZXodq.exe

MD5 1cafdc295896839c80faa838f0aec496
SHA1 6025b272ade99fd57328d1c632b86561aa5e0198
SHA256 eccbfdad486aa3906f97ddbda036bf41b61bf614ea66bbb022a5fd52be9757f3
SHA512 2cfdd87baf22d233729607f7b9373d408efd77b35d577a81f219a578719d653b79ec73694f979d906e520b077c550fda8dd86d12f735c5cda528122c8c83447d

C:\Windows\System\TIvrXUm.exe

MD5 7d2b745776c48c9f1b5bc32262cd25c2
SHA1 dfb0871405c45bc0e6afcf53bf05cd257b2cb887
SHA256 3b90585bf1970bf620ab4bc9b9deb61e4f236764c629739f4bc806fa2df78906
SHA512 c852bec3ec00f334923405d7509d2b3799c9a6323e5ff634004df084a0a074ca0e3a29d52c1550ac866cbfc9580a821bcdab4ab74e892db80b3c856b55336de6

C:\Windows\System\lrPGQLW.exe

MD5 5348e765325f7eee44fc471f9bc249aa
SHA1 830d74898c817fe85f479b12e0329db2e3a407d6
SHA256 e1d04be41fe08ab5c4b08d13cbcd52d9e42bfe4a8c03dc2eb0826cde39dbf7db
SHA512 8e3d67c54adbd5fac2c923a7273ee31326de0c4a819d286f2d3188fd2c4d362c1173803b77660ceeb4e080eefa4141963caeaf5caeadd74ec4e36a83a358eca3

C:\Windows\System\cAKeYbV.exe

MD5 f51674e16afb6ed451661041f67d135d
SHA1 cbd6311438e7877712bcc71202c562c93ad02dec
SHA256 32c3906d0d865cdad49d2271c5e7ebc4337409ef511ee140ed39faca0ad19976
SHA512 afa5590730c4fed328296826e4ca1b329f88a948bd5cf156962bf68248791d74df4bfd78b2fca57267d43d2b54360b97ce77d3eceb631e08ab6916a1e9461cc7

C:\Windows\System\AVuegPc.exe

MD5 c126bac5482d89be9a77428a9a6e7ee0
SHA1 616283037b01d19b0c5ea8cf6219adfa83c54eec
SHA256 0c5fdb3db89cae5e9e7c5829d3ae42f69e6b5cef6c08f88b19cd901a7eaf715b
SHA512 a793c718fe22cb50620f21ee4ebb5ad268276188980ee0c5712edfcbbe9d6e5d4984e581e4a30916571392d3842d0d194e2658f84ae8956647640f1cbc6b820a

C:\Windows\System\FOVURqb.exe

MD5 18eab07e5b385b1a3e9c58d8a27ab528
SHA1 8149415d58d32f6f2b32a38ce18343290afe3d59
SHA256 d958a3aadcd036eb930481d511c65f117676132632190e9afde7866b17bf4a98
SHA512 3d6f56aafcb15bcf6573fc83520e05a84499e14c58a014285a7258a3b52c0f609ee1027050175803ed8929053447de6b968f415691e5bff092e6f74732f4f142

C:\Windows\System\LpHwkyn.exe

MD5 6cb6adeac73f4ac1df4d04361fc6e9dd
SHA1 47bf099939669df73c5b18c72cc00cc7de1c095f
SHA256 e880a123fedd9f607e15def0705f9d6667932467f8e965aab6ce7a88a1f6848c
SHA512 021e9de2035d0ad9b55a6dc6126f5b4455b10eba85038dd4c784f753dfbdb81e96ff580051be1ae3d1f129da255d407e2c7c3620e5d11aa2daa8eec8a529a2c0

C:\Windows\System\hjQHIfY.exe

MD5 70933f4de15414688b8317fe6ad1ad77
SHA1 b54657364d55ff31c8930c230489c88d077ba783
SHA256 8d830f3d63e37eb80e6c49c4aed67b24589ee37d3957ad1b9e9d6d6842c603f8
SHA512 3c63ab3c38648d787c24d9e13b35e1da50c590dfb9a4d3eb3cf6492fdab5f82c52133db1f3cd00e7e203b52bc7b4641d2397945d7cb1f884479cfbc198a1a458

C:\Windows\System\ttFlTeb.exe

MD5 1ed65d5cd5c697e8f8a9987576f15898
SHA1 fc9946ab103845614dbf0c8ad5d7ad7d3766613a
SHA256 faf75aa3b640f8b845bcb799a19a8d12b1a83066f4f3c8802f8c52e1239f2c60
SHA512 fa1e220bb22a822885eed6479233702d9785c6c2b988ff2860e30b164b5fac9fc7157e5eca6f6c1e128fb16595532a47518d185935e14215579d828c13e391fe

C:\Windows\System\sHCPDPv.exe

MD5 3eb5d9c771f189088abc387318211a69
SHA1 6cf27541727166ef383ae9289e69b3b28d4ed8cb
SHA256 6dda2d24df1fdfd1727f9bddfcc2b5e4f58ac9d5f9c73318228f881151a882a9
SHA512 cc5c64b00c7bca61dd61f129cb3225d8c825fede16e289841011260a84ea13685f0ccd33dad3b1264ffcdeda40988e9aee84b3e8375558fe6b4e8019a390f9dc

C:\Windows\System\bHMNfco.exe

MD5 b86a2cfed7c882ef0ddbc473967757a8
SHA1 b999628df11a90223c8a568ea188c9ffab55fb48
SHA256 0872d529132a46cbbf0fc5737df432567eb6cdfdcce8a733222ee6d45ce9de93
SHA512 feb65e9f59bf08f6cec43754d4772171b774743c0f1ef7f756cd31f7657fb88c1cb6869a5fc74c0d3eea0f0edd0869a1076eaa31a9f6cc2af30b4720779a421c

C:\Windows\System\XRZitva.exe

MD5 ec9e6eb731f6b28bc7f843e5c7576066
SHA1 4028e252c1ef8478b7ff26c749cdfc62ae51228f
SHA256 bd7de0d5a2121cd49e71e5759af182218ace813f065ccd1bff25ac53f5dc9cc9
SHA512 3c9da812aeecc2b0c04e856c33e1f4d508f93db4fcbf02c715e77cb0008ecc5598a5ff2295e0c3066dd1e90fc474e936c4b3f568810735e0544a2a8e792e82a5

memory/512-112-0x00007FF7E96E0000-0x00007FF7E9A34000-memory.dmp

memory/1472-113-0x00007FF69BB00000-0x00007FF69BE54000-memory.dmp

memory/1236-114-0x00007FF704FD0000-0x00007FF705324000-memory.dmp

memory/1068-115-0x00007FF64FB10000-0x00007FF64FE64000-memory.dmp

memory/864-117-0x00007FF78DD00000-0x00007FF78E054000-memory.dmp

memory/2624-118-0x00007FF76F830000-0x00007FF76FB84000-memory.dmp

memory/4184-119-0x00007FF71E000000-0x00007FF71E354000-memory.dmp

memory/2240-116-0x00007FF730120000-0x00007FF730474000-memory.dmp

memory/4984-120-0x00007FF6580C0000-0x00007FF658414000-memory.dmp

memory/2252-121-0x00007FF7C7AB0000-0x00007FF7C7E04000-memory.dmp

memory/2180-122-0x00007FF67A9D0000-0x00007FF67AD24000-memory.dmp

memory/3700-123-0x00007FF628A40000-0x00007FF628D94000-memory.dmp

memory/3744-124-0x00007FF636BD0000-0x00007FF636F24000-memory.dmp

memory/2528-125-0x00007FF7D14F0000-0x00007FF7D1844000-memory.dmp

memory/3616-126-0x00007FF7C9890000-0x00007FF7C9BE4000-memory.dmp

memory/2456-127-0x00007FF69AC90000-0x00007FF69AFE4000-memory.dmp

memory/3592-128-0x00007FF67B4C0000-0x00007FF67B814000-memory.dmp

memory/2380-129-0x00007FF7DF000000-0x00007FF7DF354000-memory.dmp

memory/2380-130-0x00007FF7DF000000-0x00007FF7DF354000-memory.dmp

memory/1268-131-0x00007FF7E6A70000-0x00007FF7E6DC4000-memory.dmp

memory/1560-132-0x00007FF775BE0000-0x00007FF775F34000-memory.dmp

memory/1528-133-0x00007FF7A3DC0000-0x00007FF7A4114000-memory.dmp

memory/3368-134-0x00007FF6442E0000-0x00007FF644634000-memory.dmp

memory/512-135-0x00007FF7E96E0000-0x00007FF7E9A34000-memory.dmp

memory/1472-136-0x00007FF69BB00000-0x00007FF69BE54000-memory.dmp

memory/1236-137-0x00007FF704FD0000-0x00007FF705324000-memory.dmp

memory/1068-138-0x00007FF64FB10000-0x00007FF64FE64000-memory.dmp

memory/2240-140-0x00007FF730120000-0x00007FF730474000-memory.dmp

memory/864-139-0x00007FF78DD00000-0x00007FF78E054000-memory.dmp

memory/2252-142-0x00007FF7C7AB0000-0x00007FF7C7E04000-memory.dmp

memory/2624-141-0x00007FF76F830000-0x00007FF76FB84000-memory.dmp

memory/4184-145-0x00007FF71E000000-0x00007FF71E354000-memory.dmp

memory/4984-144-0x00007FF6580C0000-0x00007FF658414000-memory.dmp

memory/2180-143-0x00007FF67A9D0000-0x00007FF67AD24000-memory.dmp

memory/2528-146-0x00007FF7D14F0000-0x00007FF7D1844000-memory.dmp

memory/3744-148-0x00007FF636BD0000-0x00007FF636F24000-memory.dmp

memory/3700-150-0x00007FF628A40000-0x00007FF628D94000-memory.dmp

memory/2456-149-0x00007FF69AC90000-0x00007FF69AFE4000-memory.dmp

memory/3616-147-0x00007FF7C9890000-0x00007FF7C9BE4000-memory.dmp