Malware Analysis Report

2025-01-22 19:42

Sample ID 240601-jzvf7aeh51
Target 2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike
SHA256 e89cd7dda6ecdd7bd19c4d2842496f84be58d445d2655f25d9b306b33a5fc1ca
Tags miner upx 0 xmrig cobaltstrike backdoor trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 e89cd7dda6ecdd7bd19c4d2842496f84be58d445d2655f25d9b306b33a5fc1ca

Threat Level: Known bad

The file 2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

xmrig

XMRig Miner payload

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Xmrig family

Detects Reflective DLL injection artifacts

Cobaltstrike family

Cobaltstrike

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-01 08:06

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-01 08:06

Reported 2024-06-01 08:09

Platform win7-20240221-en

Max time kernel 138s

Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UWaZxql.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UpWMNLT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xfqabcO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aUxtpEX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BAfkwYh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ucxvKpZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kUTwgDV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LmlXkpy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PWXNiyn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OGIBefu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bZCnDek.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\umUrwdv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ekySttF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mtnAHMy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PSyzFCA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KMgFVtf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DBFJSis.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rTEpnJQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yzKJLeP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AnevNxg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NRTadtI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\umUrwdv.exe
PID 3048 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ekySttF.exe
PID 3048 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\AnevNxg.exe
PID 3048 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\UpWMNLT.exe
PID 3048 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\xfqabcO.exe
PID 3048 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\aUxtpEX.exe
PID 3048 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\mtnAHMy.exe
PID 3048 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\PSyzFCA.exe
PID 3048 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\NRTadtI.exe
PID 3048 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\KMgFVtf.exe
PID 3048 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWXNiyn.exe
PID 3048 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\DBFJSis.exe
PID 3048 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\BAfkwYh.exe
PID 3048 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\OGIBefu.exe
PID 3048 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\rTEpnJQ.exe
PID 3048 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ucxvKpZ.exe
PID 3048 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\kUTwgDV.exe
PID 3048 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\LmlXkpy.exe
PID 3048 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\bZCnDek.exe
PID 3048 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\UWaZxql.exe
PID 3048 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\yzKJLeP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\umUrwdv.exe

C:\Windows\System\ekySttF.exe

C:\Windows\System\AnevNxg.exe

C:\Windows\System\UpWMNLT.exe

C:\Windows\System\xfqabcO.exe

C:\Windows\System\aUxtpEX.exe

C:\Windows\System\mtnAHMy.exe

C:\Windows\System\PSyzFCA.exe

C:\Windows\System\NRTadtI.exe

C:\Windows\System\KMgFVtf.exe

C:\Windows\System\PWXNiyn.exe

C:\Windows\System\DBFJSis.exe

C:\Windows\System\BAfkwYh.exe

C:\Windows\System\OGIBefu.exe

C:\Windows\System\rTEpnJQ.exe

C:\Windows\System\ucxvKpZ.exe

C:\Windows\System\kUTwgDV.exe

C:\Windows\System\LmlXkpy.exe

C:\Windows\System\bZCnDek.exe

C:\Windows\System\UWaZxql.exe

C:\Windows\System\yzKJLeP.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/3048-136-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/3048-137-0x00000000023F0000-0x0000000002744000-memory.dmp

memory/3048-138-0x000000013FDD0000-0x0000000140124000-memory.dmp

memory/3056-139-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2740-141-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/2692-140-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2524-142-0x000000013FDD0000-0x0000000140124000-memory.dmp

memory/2776-143-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2720-144-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/2804-145-0x000000013FDE0000-0x0000000140134000-memory.dmp

memory/2440-148-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/592-151-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/2540-150-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/2212-149-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/2532-147-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/2556-146-0x000000013F510000-0x000000013F864000-memory.dmp

memory/772-152-0x000000013FD90000-0x00000001400E4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 08:06

Reported

2024-06-01 08:09

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\EnkJwwI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MIaNSsM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xcawopQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MkNzghZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HJACPAO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ooKjDbU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SSMMMTh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dKndjwk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pdJbigu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FgNfXIU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LHAvQrG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vJfCbhI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\didwMdY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dPgEsnK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tyLTKlU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\REvIncN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tfXOpjb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eUHjQHh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fbGGcYr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zyTJnvU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EiaNybT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\eUHjQHh.exe
PID 2528 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\eUHjQHh.exe
PID 2528 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\vJfCbhI.exe
PID 2528 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\vJfCbhI.exe
PID 2528 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\xcawopQ.exe
PID 2528 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\xcawopQ.exe
PID 2528 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\didwMdY.exe
PID 2528 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\didwMdY.exe
PID 2528 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\MkNzghZ.exe
PID 2528 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\MkNzghZ.exe
PID 2528 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\HJACPAO.exe
PID 2528 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\HJACPAO.exe
PID 2528 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ooKjDbU.exe
PID 2528 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\ooKjDbU.exe
PID 2528 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\SSMMMTh.exe
PID 2528 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\SSMMMTh.exe
PID 2528 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\LHAvQrG.exe
PID 2528 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\LHAvQrG.exe
PID 2528 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\fbGGcYr.exe
PID 2528 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\fbGGcYr.exe
PID 2528 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\zyTJnvU.exe
PID 2528 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\zyTJnvU.exe
PID 2528 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiaNybT.exe
PID 2528 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiaNybT.exe
PID 2528 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\dKndjwk.exe
PID 2528 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\dKndjwk.exe
PID 2528 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\dPgEsnK.exe
PID 2528 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\dPgEsnK.exe
PID 2528 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\EnkJwwI.exe
PID 2528 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\EnkJwwI.exe
PID 2528 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\tyLTKlU.exe
PID 2528 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\tyLTKlU.exe
PID 2528 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\MIaNSsM.exe
PID 2528 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\MIaNSsM.exe
PID 2528 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\REvIncN.exe
PID 2528 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\REvIncN.exe
PID 2528 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\pdJbigu.exe
PID 2528 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\pdJbigu.exe
PID 2528 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\FgNfXIU.exe
PID 2528 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\FgNfXIU.exe
PID 2528 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\tfXOpjb.exe
PID 2528 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe C:\Windows\System\tfXOpjb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\eUHjQHh.exe

C:\Windows\System\eUHjQHh.exe

C:\Windows\System\vJfCbhI.exe

C:\Windows\System\vJfCbhI.exe

C:\Windows\System\xcawopQ.exe

C:\Windows\System\xcawopQ.exe

C:\Windows\System\didwMdY.exe

C:\Windows\System\didwMdY.exe

C:\Windows\System\MkNzghZ.exe

C:\Windows\System\MkNzghZ.exe

C:\Windows\System\HJACPAO.exe

C:\Windows\System\HJACPAO.exe

C:\Windows\System\ooKjDbU.exe

C:\Windows\System\ooKjDbU.exe

C:\Windows\System\SSMMMTh.exe

C:\Windows\System\SSMMMTh.exe

C:\Windows\System\LHAvQrG.exe

C:\Windows\System\LHAvQrG.exe

C:\Windows\System\fbGGcYr.exe

C:\Windows\System\fbGGcYr.exe

C:\Windows\System\zyTJnvU.exe

C:\Windows\System\zyTJnvU.exe

C:\Windows\System\EiaNybT.exe

C:\Windows\System\EiaNybT.exe

C:\Windows\System\dKndjwk.exe

C:\Windows\System\dKndjwk.exe

C:\Windows\System\dPgEsnK.exe

C:\Windows\System\dPgEsnK.exe

C:\Windows\System\EnkJwwI.exe

C:\Windows\System\EnkJwwI.exe

C:\Windows\System\tyLTKlU.exe

C:\Windows\System\tyLTKlU.exe

C:\Windows\System\MIaNSsM.exe

C:\Windows\System\MIaNSsM.exe

C:\Windows\System\REvIncN.exe

C:\Windows\System\REvIncN.exe

C:\Windows\System\pdJbigu.exe

C:\Windows\System\pdJbigu.exe

C:\Windows\System\FgNfXIU.exe

C:\Windows\System\FgNfXIU.exe

C:\Windows\System\tfXOpjb.exe

C:\Windows\System\tfXOpjb.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
IE 52.111.236.23:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2528-0-0x00007FF7DBAA0000-0x00007FF7DBDF4000-memory.dmp

memory/2528-1-0x00000275C0960000-0x00000275C0970000-memory.dmp

C:\Windows\System\eUHjQHh.exe

MD5 93424194bf6013c3e8c148cc89ba7476
SHA1 73fd5b74a501aa5285008e18e4dddc87e560ea5f
SHA256 87813054f7d3a827bbde5f11dc081680e335a9598c98a1612492e37aa4c80623
SHA512 fac010f2b73ecde0091388c88f3409fddc8a002baf61016cb2760c208cd0c156444a903a3ee624bdf245f70dcd4ab57d7562771589b81515916970b450c1aba1

C:\Windows\System\xcawopQ.exe

MD5 af49093705990ebb7594012abeee0f02
SHA1 a66427a047457634a94fe617c59fce04b027faa5
SHA256 f00d2835a90ac1c577bcee9197fe1f13b9f00ab79e9719f82083f7ef1e451d5b
SHA512 b22c147e66ae1bd7c9c36266f66a65ea08b78ca5d036a3b4229eac8d2b990b5de599acace3b65bc1d267c8a40e58460606fa8e1b09cd20e7ce9b449655fcf69a

C:\Windows\System\vJfCbhI.exe

MD5 76267452c148d6d20429e60b21527cd0
SHA1 a48717daaa6a1d044d830e6ce97295678f6920f8
SHA256 3141a461cbe93779e2c583f5a39e0b155203cdfd7e1affbc7a3f4489145a7946
SHA512 2649de6f097daa8498865a4047c34baca8f638b32370eca39e621eb95ab12cc6047e036c8fe11da3d9c609b472a6677b7393773d55fb0fc54d1b6cdf332b0a42

memory/2692-16-0x00007FF7480C0000-0x00007FF748414000-memory.dmp

memory/1456-8-0x00007FF659DB0000-0x00007FF65A104000-memory.dmp

memory/3320-20-0x00007FF74AC60000-0x00007FF74AFB4000-memory.dmp

C:\Windows\System\didwMdY.exe

MD5 959613a542e33a2f3670452ecf11ae03
SHA1 b50cca84bd5d2f33aa86aca5d58d152cbe097e32
SHA256 fa00a5ff1945634faee04f3324dda351684e0b62da94c76c996874b20c681c2d
SHA512 ff8b9a9792ca77060a8a92253bdbf25e06455bdda6bd5f529fea90ddeb88726264cdf57349f62def30a91827cb0135f757071d6eeb8af9ea5eede05421d886aa

memory/744-26-0x00007FF728260000-0x00007FF7285B4000-memory.dmp

memory/1924-32-0x00007FF74EA90000-0x00007FF74EDE4000-memory.dmp

C:\Windows\System\MkNzghZ.exe

MD5 e49a515cd149a0e45a8701cce43beba2
SHA1 3379bc8446cd5e7642e522261618c3bc3ba05e2d
SHA256 c486daa081ac8967317f2959a6e285850087c419c959b468c2cdc71f06c47704
SHA512 8e43c773be9fd49cc56ea953f9d473ea135a6c94c8ab80afd8eb4ae662a7151a15841fc89de36d138725e2241f2066d8f2f21d1c2f4a1d9bb42ac7b436235971

C:\Windows\System\HJACPAO.exe

MD5 be99a067ebf67101b1d6d63ed6a27a58
SHA1 6cc243a64d255e48820de84524a640cd0e1bea8d
SHA256 c5c121a6498ca1350ea9f3e4ac6e25e2267a88811dc7664298f4d1ccb12026c4
SHA512 08d625dc97528e176af1084b1a6aa7952b3e79a1950061b7d1366d90f0aeaad8a7250bcc36ae9cd4f70c35cb5dab33b173576e3b179ae9c9bfd7eab1c2df664c

memory/1988-39-0x00007FF7C50F0000-0x00007FF7C5444000-memory.dmp

C:\Windows\System\ooKjDbU.exe

MD5 1d8e40f84f07e4977a83084aa490edb1
SHA1 3d28f7c39d9c473be59a7e34a2622e58856a217e
SHA256 6ede3da5f94bcb600bae14b6a9005e7505383c96470e7371ce616c491a87e0df
SHA512 b30ef85dafe49c996f164350d48d758b434beae5386da6aa07a31b42a12ccf1cdb3648129b93344b8d4458c4b17814db5b8bd6cfa8f1847828fd6cef0ec4f4d5

memory/3700-44-0x00007FF604F20000-0x00007FF605274000-memory.dmp

C:\Windows\System\LHAvQrG.exe

MD5 2d3bc2f57043345a2856611f4d4a73fc
SHA1 10c7d29ba785453ebcf0b73829cc39fe3f8908c2
SHA256 bd0b5231341eece78040f1a71345a042f52b87bab6889176b3b40d51e1bb5e73
SHA512 b8536e4f06e25cdcbfae82ac31eccaccd30b0963af460a35c94a59ce74dfd00adfe372eab2cbf4693a2b6eab755e7c8849d797e8f5242daf8def4b891bd9efc1

C:\Windows\System\SSMMMTh.exe

MD5 76b1b71a32b97602ee3dac249d30fbb0
SHA1 2ce759c297d8010f82872565851eeaa33104ad93
SHA256 e6cf0eca6b31a6c9085ab4718f1a4510e239b44c6d2018f862854bdd89991239
SHA512 f0966f4fac3080ee3a849fe79a0c92e7c4958cf8f97423cab234dc9a4743223954b487724f8c589fe55db6e93a8449e088498acf97f6f0eb30310a79750a3e63

C:\Windows\System\fbGGcYr.exe

MD5 200c873db5bd52da0ece22c3060e94b7
SHA1 0c0db058d00e1caad2054a2316f5b6b02bd42606
SHA256 76212da7cdfaeda212ac1a568745f9255df49ff1d06400bfafae0e33891604a3
SHA512 0540fc467698277fe15e989aa02da50356d0d4471632466ad36a64e1c1f6f79ce3331c101687c21bda0d521ce9f941e794e536a401a760526f5d4da9a8ec92f4

C:\Windows\System\zyTJnvU.exe

MD5 45ce6d4d3f9d5046bc470098fedeb096
SHA1 3197564ba24d7862d423d5f781235eba1bf2a0f4
SHA256 8558cf94c14a99a98f16b3c15dc3a206be6d713dfa8278560974cfeaea50916e
SHA512 28be56632594ae78bb66a807b5d1db28fb6c0ec1f21be699fb3a9c87e912e7ffcbe7a5fe5aea54ed9dd26c38a6546937b1b6f57c6726911ce10227fa2fe560e0

memory/2528-68-0x00007FF7DBAA0000-0x00007FF7DBDF4000-memory.dmp

C:\Windows\System\EiaNybT.exe

MD5 320ed5e37fda62da798c52b2aa1e7c8f
SHA1 0a383cef553531756182f25e0791057bce40acb8
SHA256 8d350f6f2ab43567d21621bd035051842ca7979b1e5969ebf6cb0e6778bb215c
SHA512 5c95e5c6b20f58c6f8051b603ca5192c96a612c96fa2e9a6ca8b9ba8b27d6954cba6b00279c21f82f1b6cef8d2bd6a123f1e662f8e8a1cc62e5565292f38294d

C:\Windows\System\dKndjwk.exe

MD5 b0a7dcd3b4d20689a59be1cc64eefb1c
SHA1 0f0a97e744765ddeb1a4d966d2aec236f003d9de
SHA256 d1659ec77746c528b125efda46274ee510a0b8f57b79fffd4b5f6872b690f70f
SHA512 fe59eb2f0d4be702e9715554be3894e99668f6ae8a1968aef7e2f897a070ccf46b813dd6cace279bf375610717e63dcdfdd5b4e466a9b8f1d507260649b9ce5b

C:\Windows\System\dPgEsnK.exe

MD5 4f8ecfb1fb6294b9e18f987b429c0013
SHA1 dbda51f4a8f88062e60f770b4a1d5a31bc23ea2c
SHA256 2285a4c6af4ce588b8ef179c92779a002d1625e764a4f4556ce5106e48dc7de7
SHA512 fb79e1eec2dbf9b6af64b27513eeb6247fa5f6208875c890e160c0ac4bd593e60ef00aef39e34f6c08e95d659812b18512ba603a11c073dc7b9bb9832f2a2350

memory/1456-87-0x00007FF659DB0000-0x00007FF65A104000-memory.dmp

C:\Windows\System\EnkJwwI.exe

MD5 c562704f48cf5db792c5bac0856aa6c9
SHA1 2cfd3a859b1fb4f4fa8c01d366d6375a8902008e
SHA256 ea794d2679f15f4d85815c64939a1891d6753969cba9e38033f909c106581fb0
SHA512 bf3d8b22126017364074a2d7204266b346b02cbd68fe8eeb41ee7bfa1ba54e47e25776ab84d50685725a5783edc4eaef255f9689c92db8958394555f20a262c4

memory/1656-94-0x00007FF7590A0000-0x00007FF7593F4000-memory.dmp

memory/4500-93-0x00007FF6D8580000-0x00007FF6D88D4000-memory.dmp

memory/3740-90-0x00007FF7AA2A0000-0x00007FF7AA5F4000-memory.dmp

memory/1136-89-0x00007FF6021C0000-0x00007FF602514000-memory.dmp

memory/1284-69-0x00007FF6F0BB0000-0x00007FF6F0F04000-memory.dmp

memory/4636-60-0x00007FF6F28F0000-0x00007FF6F2C44000-memory.dmp

memory/2508-56-0x00007FF7DA800000-0x00007FF7DAB54000-memory.dmp

memory/2252-55-0x00007FF7AE2E0000-0x00007FF7AE634000-memory.dmp

C:\Windows\System\tyLTKlU.exe

MD5 520ab79b8bde6882c98eed88b3054765
SHA1 fd15eefd47768b7906e17b5617ce642bb30c11f5
SHA256 d0a3289cec746bd95be9e8092b29ff16d827d1580401677b2c85911a6fd88a21
SHA512 3ac419a3b7c5f09516ff216774e831cf7554d3e5babfb6bf638647c19e696d6dd7d36112f5cfdafcadb505263941e98b87b6631d2fa9e278833d17ac38b42c8d

C:\Windows\System\MIaNSsM.exe

MD5 c58058bee8240e1d8ddbc437ba648a74
SHA1 f956558cf3893991c6f48e6abf4799920920cf4d
SHA256 cacc6b482984f1f0f1173d4add46789aaaf689bfb11231082b179d9368a5a047
SHA512 a8e2815715864a1ba0e0c2f6807478aa43e32e7cf575fceaa7a36dfb0f89688946dbfc8cf789f321bf64f30b74925da2383178c24cb56a2efa8850480f32d436

memory/856-102-0x00007FF73B380000-0x00007FF73B6D4000-memory.dmp

memory/2532-106-0x00007FF7BB5D0000-0x00007FF7BB924000-memory.dmp

C:\Windows\System\REvIncN.exe

MD5 216fd4706d29d2e95c1f4cb03c4404f5
SHA1 cbb5f0948bcbf27f803bbc89f5d3708f068cc852
SHA256 7428634ddf2d962b8448d217e95a0e7b3ec3b85ad9976173c2e217903aa7cefa
SHA512 28d6486c82ab64c4b7b0ffb61b0c06e8898265a6cb9c2a6a8d1b2bacea11d696fdc06651066289d60f24cc52e4182b7e6c9d61947178b4428689308d23a25d71

C:\Windows\System\pdJbigu.exe

MD5 303b3c385572f9e9027f5e42f3d404f0
SHA1 a359a9d2b32fffa5f84afa8811c45351ebc55815
SHA256 ccfe8e8edb4a981719b89719c7aa02136835b8f6c97544131f3a9d871616f822
SHA512 153f6579687b074e7d6eee794463850150ebf3107e322c83942c307eedaa003c8f2cf2ec4be81d794508614ca97c9bfafc87e8037b3c2d2239c46dfe9741c543

C:\Windows\System\FgNfXIU.exe

MD5 e15f4bc272f5a10bfe722b171882eb38
SHA1 13634ad4a8b99f7c9177a5ef7ddec83f9470d547
SHA256 a34028aaa5bf0ef24548faf256d4a8ecc86bbf4f71ea8f94f95300b0a2aa43c3
SHA512 1ada4995860ec1ac6aa6b55fc1ac1e92f8e30b143047ec8277056b3ae6fa3a105e8806fdff1455e5fafdadf2e3b95c959f7b2b24040c89daf70b462e35c9103a

memory/3764-114-0x00007FF7405B0000-0x00007FF740904000-memory.dmp

C:\Windows\System\tfXOpjb.exe

MD5 d69f780882d289e6fd79823023a322ae
SHA1 04b2e4793f118b42da5a6cca9119bdcf3759f906
SHA256 c0e8e313340a8a45fd67ee903cea49935304baf5afa78a746e403eb56f6fb44e
SHA512 a71a6cd57c7ac67a523e578d636324cface910144088ea18cf84e21d69c81ed2bd64402ed4048a97d93f45b8b399325fc6d3d0f8fba7183433014a20806cb4bb

memory/4176-127-0x00007FF78E160000-0x00007FF78E4B4000-memory.dmp

memory/1228-128-0x00007FF72BD20000-0x00007FF72C074000-memory.dmp

memory/1988-129-0x00007FF7C50F0000-0x00007FF7C5444000-memory.dmp

memory/1976-130-0x00007FF6FDA90000-0x00007FF6FDDE4000-memory.dmp

memory/4636-131-0x00007FF6F28F0000-0x00007FF6F2C44000-memory.dmp

memory/1456-132-0x00007FF659DB0000-0x00007FF65A104000-memory.dmp

memory/2692-133-0x00007FF7480C0000-0x00007FF748414000-memory.dmp

memory/3320-134-0x00007FF74AC60000-0x00007FF74AFB4000-memory.dmp

memory/744-135-0x00007FF728260000-0x00007FF7285B4000-memory.dmp

memory/1924-136-0x00007FF74EA90000-0x00007FF74EDE4000-memory.dmp

memory/1988-137-0x00007FF7C50F0000-0x00007FF7C5444000-memory.dmp

memory/3700-138-0x00007FF604F20000-0x00007FF605274000-memory.dmp

memory/2508-140-0x00007FF7DA800000-0x00007FF7DAB54000-memory.dmp

memory/2252-139-0x00007FF7AE2E0000-0x00007FF7AE634000-memory.dmp

memory/4636-141-0x00007FF6F28F0000-0x00007FF6F2C44000-memory.dmp

memory/1284-142-0x00007FF6F0BB0000-0x00007FF6F0F04000-memory.dmp

memory/1136-143-0x00007FF6021C0000-0x00007FF602514000-memory.dmp

memory/3740-144-0x00007FF7AA2A0000-0x00007FF7AA5F4000-memory.dmp

memory/4500-145-0x00007FF6D8580000-0x00007FF6D88D4000-memory.dmp

memory/1656-146-0x00007FF7590A0000-0x00007FF7593F4000-memory.dmp

memory/856-147-0x00007FF73B380000-0x00007FF73B6D4000-memory.dmp

memory/2532-148-0x00007FF7BB5D0000-0x00007FF7BB924000-memory.dmp

memory/3764-149-0x00007FF7405B0000-0x00007FF740904000-memory.dmp

memory/4176-150-0x00007FF78E160000-0x00007FF78E4B4000-memory.dmp

memory/1976-151-0x00007FF6FDA90000-0x00007FF6FDDE4000-memory.dmp

memory/1228-152-0x00007FF72BD20000-0x00007FF72C074000-memory.dmp