Malware Analysis Report

2025-01-22 19:35

Sample ID 240601-lrvhbsaa46
Target 2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike
SHA256 87d52aecda249b0b73ffa720744ed84ba74e8538505d38dcd613566f084c1ee6
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

87d52aecda249b0b73ffa720744ed84ba74e8538505d38dcd613566f084c1ee6

Threat Level: Known bad

The file 2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

xmrig

XMRig Miner payload

Cobaltstrike family

Cobaltstrike

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Xmrig family

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 09:46

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 09:46

Reported

2024-06-01 09:49

Platform

win7-20240221-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (same row repeated 21 times)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (same row repeated 21 times)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (same row repeated 56 times)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (same row repeated 58 times)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A (same row repeated 21 times)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (same row repeated 57 times)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\EsPZzHu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eHPCekf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fbbPzrH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zKezHyA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jEEqBzN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xnaIpdU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\edGnHmu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OcgzbXo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\alLBjRm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hxmEKED.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oIwaDMe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DcaJxEw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hmkyngT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jPnWsXf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pXausMm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CsZgtIx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\suUIeeC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vLdAlRH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KeWWFPE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jOqkASk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IsgUbGr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2880 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\fbbPzrH.exe
PID 2880 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\fbbPzrH.exe
PID 2880 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\fbbPzrH.exe
PID 2880 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\zKezHyA.exe
PID 2880 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\zKezHyA.exe
PID 2880 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\zKezHyA.exe
PID 2880 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\oIwaDMe.exe
PID 2880 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\oIwaDMe.exe
PID 2880 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\oIwaDMe.exe
PID 2880 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\DcaJxEw.exe
PID 2880 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\DcaJxEw.exe
PID 2880 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\DcaJxEw.exe
PID 2880 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmkyngT.exe
PID 2880 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmkyngT.exe
PID 2880 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmkyngT.exe
PID 2880 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\vLdAlRH.exe
PID 2880 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\vLdAlRH.exe
PID 2880 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\vLdAlRH.exe
PID 2880 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\jPnWsXf.exe
PID 2880 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\jPnWsXf.exe
PID 2880 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\jPnWsXf.exe
PID 2880 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\jEEqBzN.exe
PID 2880 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\jEEqBzN.exe
PID 2880 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\jEEqBzN.exe
PID 2880 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\KeWWFPE.exe
PID 2880 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\KeWWFPE.exe
PID 2880 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\KeWWFPE.exe
PID 2880 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\CsZgtIx.exe
PID 2880 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\CsZgtIx.exe
PID 2880 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\CsZgtIx.exe
PID 2880 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\jOqkASk.exe
PID 2880 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\jOqkASk.exe
PID 2880 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\jOqkASk.exe
PID 2880 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\xnaIpdU.exe
PID 2880 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\xnaIpdU.exe
PID 2880 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\xnaIpdU.exe
PID 2880 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\pXausMm.exe
PID 2880 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\pXausMm.exe
PID 2880 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\pXausMm.exe
PID 2880 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\edGnHmu.exe
PID 2880 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\edGnHmu.exe
PID 2880 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\edGnHmu.exe
PID 2880 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\EsPZzHu.exe
PID 2880 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\EsPZzHu.exe
PID 2880 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\EsPZzHu.exe
PID 2880 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\OcgzbXo.exe
PID 2880 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\OcgzbXo.exe
PID 2880 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\OcgzbXo.exe
PID 2880 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\eHPCekf.exe
PID 2880 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\eHPCekf.exe
PID 2880 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\eHPCekf.exe
PID 2880 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\IsgUbGr.exe
PID 2880 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\IsgUbGr.exe
PID 2880 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\IsgUbGr.exe
PID 2880 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\alLBjRm.exe
PID 2880 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\alLBjRm.exe
PID 2880 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\alLBjRm.exe
PID 2880 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\suUIeeC.exe
PID 2880 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\suUIeeC.exe
PID 2880 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\suUIeeC.exe
PID 2880 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\hxmEKED.exe
PID 2880 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\hxmEKED.exe
PID 2880 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\hxmEKED.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\fbbPzrH.exe

C:\Windows\System\fbbPzrH.exe

C:\Windows\System\zKezHyA.exe

C:\Windows\System\zKezHyA.exe

C:\Windows\System\oIwaDMe.exe

C:\Windows\System\oIwaDMe.exe

C:\Windows\System\DcaJxEw.exe

C:\Windows\System\DcaJxEw.exe

C:\Windows\System\hmkyngT.exe

C:\Windows\System\hmkyngT.exe

C:\Windows\System\vLdAlRH.exe

C:\Windows\System\vLdAlRH.exe

C:\Windows\System\jPnWsXf.exe

C:\Windows\System\jPnWsXf.exe

C:\Windows\System\jEEqBzN.exe

C:\Windows\System\jEEqBzN.exe

C:\Windows\System\KeWWFPE.exe

C:\Windows\System\KeWWFPE.exe

C:\Windows\System\CsZgtIx.exe

C:\Windows\System\CsZgtIx.exe

C:\Windows\System\jOqkASk.exe

C:\Windows\System\jOqkASk.exe

C:\Windows\System\xnaIpdU.exe

C:\Windows\System\xnaIpdU.exe

C:\Windows\System\pXausMm.exe

C:\Windows\System\pXausMm.exe

C:\Windows\System\edGnHmu.exe

C:\Windows\System\edGnHmu.exe

C:\Windows\System\EsPZzHu.exe

C:\Windows\System\EsPZzHu.exe

C:\Windows\System\OcgzbXo.exe

C:\Windows\System\OcgzbXo.exe

C:\Windows\System\eHPCekf.exe

C:\Windows\System\eHPCekf.exe

C:\Windows\System\IsgUbGr.exe

C:\Windows\System\IsgUbGr.exe

C:\Windows\System\alLBjRm.exe

C:\Windows\System\alLBjRm.exe

C:\Windows\System\suUIeeC.exe

C:\Windows\System\suUIeeC.exe

C:\Windows\System\hxmEKED.exe

C:\Windows\System\hxmEKED.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (same row repeated 6 times)

Files

memory/2880-0-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2880-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\fbbPzrH.exe

MD5 fd6b38ffd9bcc5adf02693626cd5f4e9
SHA1 0ab2d235156d0e5ef73327a9ae89222e0f373232
SHA256 935df7219823a70e974cee68927c6b9eb90bc67add1b9652ab8b23a3a398d6ec
SHA512 466f915c844689a9cff385c2cae1a9792b65544cb19321444c5dcfb6b8e9dab137c23ff2c51d27034b142d2fd6df1ba29b27442bfca7bfa789d531b82bcf70f0

C:\Windows\system\oIwaDMe.exe

MD5 2fc7e9e6ac44c054db34039deef1f4d9
SHA1 dd2d9a4149d38d0aadd050136155a81d43a39057
SHA256 596af97970d2dbc815582d15d631143a8fdcbde500e4790f14b4194d9a3ac765
SHA512 271e5d17ec51de5e772fcb724bf4da5fc1904179fa5bbc90529981a7a89b975cbb2426fae05c975e7a43cf1d32272efb0cacd99b49145583298bf455573c21ca

memory/2880-14-0x00000000023A0000-0x00000000026F4000-memory.dmp

C:\Windows\system\jEEqBzN.exe

MD5 8577e6bbbb0c9ddfe28de27fa1a2785d
SHA1 3c81931edaa22d39874dc031505a995b6eed46d2
SHA256 a053bc0e493f99a8bba2103e674980ea638e1cb418a3a0e452b1268b936a664f
SHA512 d75e8ff0207bfefdd3b5f2a5f868ffbcd8ed2930eb8b12508974b1313760456bf1016187934d9e512cf4dc072293d379a6efe54e42857112ce32e5f3a0740cac

memory/2880-55-0x00000000023A0000-0x00000000026F4000-memory.dmp

\Windows\system\xnaIpdU.exe

MD5 1b05fd506611015ae90fa7e23f05ecca
SHA1 b52d6303fc0cd0e56dcfd8420c0ab4ad0be8dd45
SHA256 6f87d33f9d083a6cf2a248cec0bfac26ceb8cfaa898d90f4eff8b5f12a42a084
SHA512 ed4d824d406b91d8ef348fd58cab2733741e7cb89416ce5cc694d98aee1fa8c49bed9c3bf829ee5b9fd77c3fadd88703218d79e7c52c81edfd2e9c6da357c849

memory/2880-72-0x00000000023A0000-0x00000000026F4000-memory.dmp

C:\Windows\system\jPnWsXf.exe

MD5 6e255a96bab3a451ce2fa63148150dac
SHA1 599fb0d2cc59b701572c2132aeb0a0a7bef8e0a8
SHA256 16fdd8845ad226ca8e541e083fd2115bbd703f490f27f2d4a395ed0369dca84b
SHA512 3b383e1017f6f873b7f0dd63c88c05fd6c57e90c72174ccc452daaafbd9785602c34ec08dfb66537b5c4ee6f89e672e2094f4ea46480fc356358850b0c5eec57

C:\Windows\system\edGnHmu.exe

MD5 0e5cb87ed290eda5383df82f16521066
SHA1 82d721ab22a331ae2f7c2b123f747662eef82faa
SHA256 71b864cc94edbbf702620b7fa28c991085c824147821a3dbc498a2e884b96579
SHA512 d29ea69e6db6feae9b78a88ac02912caf3a0b3f11abd9fe190999b18b8e288e0a43b4e31a5e49af124f6001b2263f42b74ca05fbeb6e78c9492386afff538791

memory/2864-97-0x000000013F570000-0x000000013F8C4000-memory.dmp

C:\Windows\system\eHPCekf.exe

MD5 d636400ac9092854ee24c9d2490166c6
SHA1 97405503f1f3c3f65384adf5c47f30774a7e7184
SHA256 c7d1d031c958d53582052f4188b101b510671e1103a85a102bd0597e6a6db8d3
SHA512 de3a36024c38903b5075b7e1a00185bece93df390752a6ee43630e74f4060766313f0bb45296e439777b8ce1a9884679af94a5df6f26707fca76eb38bf68d7fb

\Windows\system\hxmEKED.exe

MD5 b6b14cb9b6f1eec9d27512ecfcd8395e
SHA1 dcf855722576ebdf6206e55e0239ca14cff6cff3
SHA256 0324ed94ffbe9656390cec5110dae8fb4b1840d5af826b28c70915942abd0826
SHA512 9c54c6354ee9b3c9e783ed848d36da9fbbaf284cd1d004927f38beb14bfdab0c7a9dce38f727144cebd5613914d2b36bef4a81279d4818d9246dc3bf26f6d08d

C:\Windows\system\suUIeeC.exe

MD5 9b78fc9826730c437f77a4eb44135fba
SHA1 4866b0f617cae0ee73b404c093325be6d31b05e2
SHA256 06151dfb5daadabfc11fd79c5dcf94fb6348ab3de244c7033a84a5e55bce6bb1
SHA512 0783d65d48794b6081d52bae0bacc1084b64de0d0231dfd384ddd7fa1ffc26ac0108318d9ab376b4abbd44717e738870034b95b435d6aff01cfa7dc84078ec06

C:\Windows\system\alLBjRm.exe

MD5 a3eea8ed8f70dee6a4cfcd8fb5bd6125
SHA1 360d1cfcf22049a12fe33cb50ed2287d81c45db5
SHA256 240b4ef80a0e61f77095e385416b571320a911d5b91e7ce6fb45cd1ec9a9f484
SHA512 8b2bf17d9b720e04f58469705b0c55ba37e33f9440982a7eafc63f722989eef19c64f4ab08ccbf8d8bdc6aeb967d3a0ba06903e70b248e6386fabfd57b974095

C:\Windows\system\IsgUbGr.exe

MD5 fe8a3c8c94edd1cd5ce4acd13b3c0bc4
SHA1 a2856e1b8f433796cfbbb6eaf8926843c0eed869
SHA256 e9b820bc11995444717cba25afbf441173181034b63f1f32f3b9a02b15807384
SHA512 bc58438cac143dafad1cb38da01755234b6d7ff250fe83f690d3e88fe9613eee93169c877f6824c061ca2f40c19dc435e3e3b18b4206268cf9990352122c610b

C:\Windows\system\OcgzbXo.exe

MD5 acebf2e5c26b9a3df03014cd0f722972
SHA1 0be0a2ed1a4be33b3972d637ed3a3b7a66af7903
SHA256 43b1e741444aa3ce49dd9434e1fadaa00d4c5148285c973dd634d9c5ffb8fef1
SHA512 143123798decad02f6c33a585a5f94e560e14af05dfb0b5053334ddbdb554296a49c8d2dea65d407e073da2d58899f4f801e75295c1f7094ec1b0acb5dde748f

memory/2880-103-0x000000013F250000-0x000000013F5A4000-memory.dmp

C:\Windows\system\EsPZzHu.exe

MD5 3a8a4e910f5788d9c5b79505d51b3e12
SHA1 9fd43762d1aa85742cffb4acc77c88529434193f
SHA256 e1ddb456094e9908bcf4f5a3453c895b1e38a3a5825303c4a251064786115cdc
SHA512 fa20e04e688ca79498f2470c64e94ae3a139132e8364755a29125a3c3c418c909c84bb57c5c1080097e74d973b8c517b8aa19309d29baf01b20ceea3f4268886

memory/2880-96-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2984-90-0x000000013F2F0000-0x000000013F644000-memory.dmp

C:\Windows\system\pXausMm.exe

MD5 bf3055ff9a6cf99f37d992829fec0460
SHA1 cc6e684777311244f397b76eeb0f44be9a61688e
SHA256 50c8410fa0bfaf8d87a46e2542b6e66c2168be3542c21a970f5df96de62d671b
SHA512 a32b3393c85fdd56d59ff92330d07fa10dac515feccd27e4a71b2c02df29332a79b5161121b8fd1ac142af2352f06035cd809609de679dfd5c04e1f1c292d0a4

memory/2484-84-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

memory/2588-83-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2880-82-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/2576-81-0x000000013FB60000-0x000000013FEB4000-memory.dmp

C:\Windows\system\jOqkASk.exe

MD5 99c846bd86c596057446b5cd491488dc
SHA1 6d582f96a10857175fd729385de1d64717b72cbc
SHA256 66856f684f623ae77dc5ce0c5b24c9192bf03dc77ebcfdbe787f9fc0a52c0bd8
SHA512 23cffef37e6c084e9c4fe0be5a9f2525f3071e50f3a28fab7ed2d466b6c850607fdf307963082e8254437f372fcbb0b9dc451f3253a9486100489b83f64ab858

C:\Windows\system\KeWWFPE.exe

MD5 a8fcb27ddde2f4a48c842f5f2846f6b1
SHA1 40b841efbdac8032a8593b46a288c572905f6432
SHA256 239ec2088471013d00bf28e69b5920941f05535d20d92db627281f2e73905c48
SHA512 fda97100133dd0b765b4f8777d0c1b252a2092898a816c81590b99c5e93f1d051bfc017ff46dddd7a398695ed7c22298a77d68c945ffba76eeee02ac8f10ade1

memory/2880-63-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2880-134-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2880-133-0x000000013FD70000-0x00000001400C4000-memory.dmp

C:\Windows\system\vLdAlRH.exe

MD5 b3eaa1f0154918085d530044c92a2a57
SHA1 939c70a2ae4226677149401651fdf20bb5603285
SHA256 a34361f12b207f8655ea65c7650c0a8f95032e89a927c129fa8103856aa5f1e2
SHA512 8bf274d6da281098defd29a52bf3ce9582f28e700f4e9ae84854a63a5b20a1d25bdba6d06fa559e2d95db4625b2c502fb32c570b0b0d02b323c2df78c5a0736e

memory/2880-37-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2444-74-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2880-71-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2148-69-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2620-67-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2708-65-0x000000013F890000-0x000000013FBE4000-memory.dmp

C:\Windows\system\DcaJxEw.exe

MD5 5bb938af0ad63919e6ce184cac39ff1c
SHA1 4ad74d630127590f6dc4c04743eb5081dac3ded0
SHA256 9a4e456363641fa65a4f56fc6c1e7e16e1d652d1c4c573a2df4a1faf7493d48d
SHA512 bf7eb6d223265b524b2747bb33c236844b20968cdcb4faf04463eea2ffa36d908e3b857bbba0e27e51bc5d10d2d02c6e411961310b837f4ef9e140bd17e97581

memory/2120-59-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2452-58-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2880-54-0x000000013F740000-0x000000013FA94000-memory.dmp

C:\Windows\system\CsZgtIx.exe

MD5 ee64aa90c93de72e84362826a43aa8a7
SHA1 945d6c4803ed3bd6a815da9367462d7be8a59cb2
SHA256 5a140b5d57498415cbdf4ec9150b00462636d60ce8554fddcffb865e8a74ea22
SHA512 718f67e83e19df99a071ef44258d412433192810cfdd1ca3fe35dc1d5400003a4e9a7bd8db3699d119ff3a06408b0c0dc8c7a0ad6879d3c8db8953f77541c06e

C:\Windows\system\hmkyngT.exe

MD5 bccaddc298b5e01f375f5ef33e39fa6d
SHA1 649a3aa65e2aad207ad60a8ad7423e4456869d38
SHA256 1fe838e9d796003fb080c7b7e3fec8da88678415defc03da15f03f7521062ea4
SHA512 d567dc0a5c80b7ca137ec42dcf7b76e6d2bee03fa042bf7142422a71ce507546dbcf88795fa3c48345c22dfba5e7e19134da62327e90bb0d7a570a572415b5a5

memory/2880-41-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/2508-25-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2616-33-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/3044-30-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2880-135-0x00000000023A0000-0x00000000026F4000-memory.dmp

C:\Windows\system\zKezHyA.exe

MD5 9412c9d37fc939e46a23eea206811123
SHA1 1c06a009bf869ef5fbd8272db3daaa4d7b96e698
SHA256 3a8ada854d2ed0092176023729aefc9fde4129ed153afe3d4c820581dc49b3ca
SHA512 06ce784370d2342d1a4cc36e20f4bd97babd25dad9b3cd1b7109ddb01e1df9d066fd798947090683612edf1e52f045b03a53005be80cd420dc71eff5f1933104

memory/2880-8-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2452-137-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2880-136-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2444-138-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2576-139-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/2588-140-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2484-141-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

memory/3044-142-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2616-144-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2508-143-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2120-145-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2708-146-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/2620-147-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2452-148-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2148-149-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2444-150-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2484-152-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

memory/2588-151-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2576-154-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/2984-153-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/2864-155-0x000000013F570000-0x000000013F8C4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 09:46

Reported

2024-06-01 09:49

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wALaYLV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WWkQXXM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LjimnIb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DdiqcCp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UaaivLM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bmCZaAa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\woShJul.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gfIHphm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MJjcdbp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gkRHMRe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ysGklhs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VoWoeoI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zmmcNYg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BfOSoXK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OrFARHA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iBHxLQD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CwlMxcO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\loXhctk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ioRxTwf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ClibrvC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EsBqSas.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2272 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\loXhctk.exe
PID 2272 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\loXhctk.exe
PID 2272 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\gkRHMRe.exe
PID 2272 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\gkRHMRe.exe
PID 2272 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\ysGklhs.exe
PID 2272 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\ysGklhs.exe
PID 2272 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\LjimnIb.exe
PID 2272 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\LjimnIb.exe
PID 2272 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\VoWoeoI.exe
PID 2272 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\VoWoeoI.exe
PID 2272 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\zmmcNYg.exe
PID 2272 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\zmmcNYg.exe
PID 2272 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\DdiqcCp.exe
PID 2272 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\DdiqcCp.exe
PID 2272 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\UaaivLM.exe
PID 2272 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\UaaivLM.exe
PID 2272 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\OrFARHA.exe
PID 2272 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\OrFARHA.exe
PID 2272 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\iBHxLQD.exe
PID 2272 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\iBHxLQD.exe
PID 2272 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\bmCZaAa.exe
PID 2272 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\bmCZaAa.exe
PID 2272 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\woShJul.exe
PID 2272 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\woShJul.exe
PID 2272 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\BfOSoXK.exe
PID 2272 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\BfOSoXK.exe
PID 2272 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\ioRxTwf.exe
PID 2272 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\ioRxTwf.exe
PID 2272 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\CwlMxcO.exe
PID 2272 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\CwlMxcO.exe
PID 2272 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\gfIHphm.exe
PID 2272 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\gfIHphm.exe
PID 2272 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\MJjcdbp.exe
PID 2272 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\MJjcdbp.exe
PID 2272 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\ClibrvC.exe
PID 2272 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\ClibrvC.exe
PID 2272 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\wALaYLV.exe
PID 2272 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\wALaYLV.exe
PID 2272 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\WWkQXXM.exe
PID 2272 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\WWkQXXM.exe
PID 2272 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\EsBqSas.exe
PID 2272 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe C:\Windows\System\EsBqSas.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f5396637e6906a6e49ce4253ab8c5d75_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\loXhctk.exe

C:\Windows\System\loXhctk.exe

C:\Windows\System\gkRHMRe.exe

C:\Windows\System\gkRHMRe.exe

C:\Windows\System\ysGklhs.exe

C:\Windows\System\ysGklhs.exe

C:\Windows\System\LjimnIb.exe

C:\Windows\System\LjimnIb.exe

C:\Windows\System\VoWoeoI.exe

C:\Windows\System\VoWoeoI.exe

C:\Windows\System\zmmcNYg.exe

C:\Windows\System\zmmcNYg.exe

C:\Windows\System\DdiqcCp.exe

C:\Windows\System\DdiqcCp.exe

C:\Windows\System\UaaivLM.exe

C:\Windows\System\UaaivLM.exe

C:\Windows\System\OrFARHA.exe

C:\Windows\System\OrFARHA.exe

C:\Windows\System\iBHxLQD.exe

C:\Windows\System\iBHxLQD.exe

C:\Windows\System\bmCZaAa.exe

C:\Windows\System\bmCZaAa.exe

C:\Windows\System\woShJul.exe

C:\Windows\System\woShJul.exe

C:\Windows\System\BfOSoXK.exe

C:\Windows\System\BfOSoXK.exe

C:\Windows\System\ioRxTwf.exe

C:\Windows\System\ioRxTwf.exe

C:\Windows\System\CwlMxcO.exe

C:\Windows\System\CwlMxcO.exe

C:\Windows\System\gfIHphm.exe

C:\Windows\System\gfIHphm.exe

C:\Windows\System\MJjcdbp.exe

C:\Windows\System\MJjcdbp.exe

C:\Windows\System\ClibrvC.exe

C:\Windows\System\ClibrvC.exe

C:\Windows\System\wALaYLV.exe

C:\Windows\System\wALaYLV.exe

C:\Windows\System\WWkQXXM.exe

C:\Windows\System\WWkQXXM.exe

C:\Windows\System\EsBqSas.exe

C:\Windows\System\EsBqSas.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2272-0-0x00007FF6FFF70000-0x00007FF7002C4000-memory.dmp

memory/2272-1-0x000001B1406B0000-0x000001B1406C0000-memory.dmp

memory/3096-7-0x00007FF7B7C20000-0x00007FF7B7F74000-memory.dmp

C:\Windows\System\ysGklhs.exe

MD5 afa1abd9c827fe9a048073c15cba9a11
SHA1 4a44cc158549d890e0cdd44471557d7bd22e4b2c
SHA256 775223e108f7f73afef03f483d5208633d7e2fc9030b74a3507b5478d45c7014
SHA512 7a16ffc74f98287f7b1a92db1a329bf8249b569178483e7f94c69942c2c93c235edf34233d4d99eb76fe1cf5bd935b3d125ee2f8c750e862abb0720fbc9bd3db

C:\Windows\System\gkRHMRe.exe

MD5 095c6de0d8b4be1001fcb97c2cd01606
SHA1 22dd12ea0f7ca6b3c54098d85d30e1d071e91fd0
SHA256 6953566d2176f70d7b62606a45a8be2720e82375655bb6ac91ae751fefbaf216
SHA512 6335d5ca45d839d66aa467615c15f8ca7b352708364242f9ea8e6b7474f6a652d5cdf236142f6ca2694ce3d58f8ebb7cf10453149c3318d54af04aa86ebceba3

memory/1900-14-0x00007FF67C6A0000-0x00007FF67C9F4000-memory.dmp

C:\Windows\System\loXhctk.exe

MD5 886a2d457d8c84986b8f8f7d11fa7278
SHA1 d867c7bc314043505c59f6d2fb41be061899dbaa
SHA256 7b5aa091c64a72b68c9a094fddfb6591aae4e498cae8a99439f0eb145ad8b85a
SHA512 4cab71f9f63ed41647e161bc32f4b7a88b19021bd64af851764777692ad353bc5467bec15281f0d74b34ebdb45e4c2fae5c08b587bac8ad9b81be4686e695be4

memory/3404-19-0x00007FF774E90000-0x00007FF7751E4000-memory.dmp

C:\Windows\System\LjimnIb.exe

MD5 8528d2b5efa45e013a6d2dfdf2fcd009
SHA1 580a0f2b039ca7098179223baecb157ba6f3b46e
SHA256 a349ea71a423fddf4fa7f2183293c991baf7536e60fefbca35b4a19c55916274
SHA512 b74c1afd0f28b212c7e2d973422d13a5f383467a008335f8de0803d2f4dd1c86446151ba3f0b32e7ee89b51ac5e64e92b94ac93cef8e871625eb986bd45de476

memory/960-29-0x00007FF778490000-0x00007FF7787E4000-memory.dmp

memory/3764-30-0x00007FF7B70D0000-0x00007FF7B7424000-memory.dmp

C:\Windows\System\VoWoeoI.exe

MD5 f40ec010c81ee45a3dc1f4797702efe2
SHA1 a3c843696ec54ed56004bd34bdaa0fee2c155c99
SHA256 13863399a8221ca82c59fed8e8800cc3f9eb004e153db1d9ef3bb320acb44225
SHA512 786c4cee21cccc4979110b9f42cc6023fed8474b25859a3bf464bdbf2e22a07d9541a4e99475d7e436e00f28f7b8c12d76d9ec3a69a483ed0be4d113551201f0

C:\Windows\System\zmmcNYg.exe

MD5 9d0a5104b38ef32e7345dd79014563dc
SHA1 f05c61402280ac6ce40ab015f3404631aefd09f8
SHA256 482077c23207d762580ed9819331281efc67ae74479b97198f3b695ecceae488
SHA512 6107dddf882d15b4b33dc72ebd89c0fb06cb9ac65f6e743addf26d4415a3139b27ff66cd2fe590a654be63a90fc20c95af0c8efecca98944915102440edc1f5c

memory/4452-38-0x00007FF7144A0000-0x00007FF7147F4000-memory.dmp

C:\Windows\System\DdiqcCp.exe

MD5 7ab3f32de408a1b39385ab0d99e9fd19
SHA1 8ff90caed40cbf3bc9a5708c5a99f737603d1e14
SHA256 be1fad3430f14435db155b50ab0aae4038513fff073da11c8250437d2b80f3fa
SHA512 2593e240ad48e3bf5370482eb3757f6ee4a6c6b4e05778bfefc3111d080cedb4d5430be42dc87211c674b2e2c9adb87aee7446deddda21ec272ff0561b89bb07

C:\Windows\System\UaaivLM.exe

MD5 2a8ce3081584ed45a18411ccfbea9753
SHA1 9fba70c734463034394b45dfbbdc6be59029d630
SHA256 79dace9c2dc61a1e7e0c318f9d597d3b7cddef4f47c4f6000aa3804edd7485b6
SHA512 d288985306d6e7db482d11ef99a911e74558527f86b252b599bb0e5dfc799bf5e953376284fd73bf19ff1e25ec70d3bd26267283675fcf1191e11e0551412ac7

C:\Windows\System\OrFARHA.exe

MD5 9fc1367aba04c3c63e22b289116619c4
SHA1 b7ba66dda342c8f815617ce42a452b73247b90e4
SHA256 41754ffa8fbddf1c5659fa555096832cd7e1af54a133dcbd10203593c0a91482
SHA512 d8aca89f40a7e7857e3796c598f55a0e26ec84e0a924ddf7a48ca267fe3e7f3e321272ae93e53c8a1a11c5b11d8f4b3bc29a47fa3961c2336d881bca88e07024

memory/1964-54-0x00007FF638F10000-0x00007FF639264000-memory.dmp

memory/1384-52-0x00007FF695270000-0x00007FF6955C4000-memory.dmp

C:\Windows\System\iBHxLQD.exe

MD5 7925cd127cb3bf263612f89dea4ce82b
SHA1 e0e1bd382f3e552b4f3976c626f22e5e2d85a23e
SHA256 c984ac65192a9281b14092346838418a7c56ac05219fe8a4aadd497ac121d748
SHA512 efff861d7fee2ce127fa1ae08a58f1971c4c2e66894123334eefea3073b4d7eda0527390bbe52492ae20c44c8e179adaf4242b7bd514b940b5e5fe19b1d632dd

C:\Windows\System\bmCZaAa.exe

MD5 2dd09cf538324dff44b91f379985303d
SHA1 b00754bc689e5059adc5c4ab44ee7a85c7a03ee3
SHA256 5994457233cba1352b639297a7c909aec0f19ddf8f88642a79f9c854df483461
SHA512 a497022374214de69e4dea25da1c7262655a20e09bfdc7d4c5b38c27b54f4ae434d72c81b32ef62b52e738b0bd452e169948e3ea66899a14fa676a8d2596fbdb

memory/2272-68-0x00007FF6FFF70000-0x00007FF7002C4000-memory.dmp

C:\Windows\System\woShJul.exe

MD5 43669dc6baddccb87419cdc6f899ef23
SHA1 ffc40cc2072f8704d98c4beee80a65bec586c406
SHA256 0350219996b077cfdd5a8e254793bbcb4c549a23319a4c59ffabd61fcbe05525
SHA512 64f610ed8fc3dd3e50deebd254c3522a0c726674079b2dc80b18178b35613932e5c73b0d1863d802f569d04f7ffde22e10a3764f9b4f9d510cd8d5140c96b125

C:\Windows\System\ioRxTwf.exe

MD5 7186724f22f58a3f58f47ac62349c2f0
SHA1 e183c61cae538bb841ed7aff9856e014d9bfe00f
SHA256 17b02e6a51ba077ec044522fd276e684bb08e74060481b32e693c848b4851aff
SHA512 cd2eb903826a204125e9ccc723d8369b1ab7e11e1f5addb7a9046a0986472d6185a8944e1b2fb8cffe92f0e6c61aaa750c572ec62ec496ed24affe3f7a00f322

memory/2444-88-0x00007FF694AF0000-0x00007FF694E44000-memory.dmp

C:\Windows\System\CwlMxcO.exe

MD5 5a7d3be1f92efc75a880d3e83edf179b
SHA1 8b2247a3ad3c873d1a08784875d953e4fabf929a
SHA256 c4704ad20d7443c048b7c6948afe48eb10c90ce4fc6b83ed0379ca71a43b5391
SHA512 044b4f046bceda8768d8d4a69871e68096dca1f38a0c7daa9bd3ecc0d5737cc258ecfe1772893d029a8ad42fe7872ac32b558aad6b3821c618f8293dba0e9276

C:\Windows\System\MJjcdbp.exe

MD5 73c70c2f70f98881457bab6681792525
SHA1 52b57d23b85df24e99c0f06067abcd1043808eb2
SHA256 7c79c68bf8cf7477e756cc50851dba886e6748919cfc48c99fc454b74c217387
SHA512 bb64c007664fe925b3bf7fbc36c3879ecf0a4bd3859ae605d39f0926a477f044ef437e59627f77f16cf969016b8df728673cc0190fc741ba4959730295313767

memory/3388-114-0x00007FF7F95B0000-0x00007FF7F9904000-memory.dmp

C:\Windows\System\ClibrvC.exe

MD5 5b2d99d139c2dbdbb5d5bb7b3e3eacd1
SHA1 bd9b1250fd33757233e6e5b2c714426cd096b29c
SHA256 e85e72b733135ddbe7b0a7cda780159a2618a768e7b2d383cadd88ea252c722f
SHA512 7bfd2a1bed3c1d0067bb839e4ca301b355e0b8f6b0b296c2d22aa9f48cef3ca54294eeaea34e1ae1a5daf2bf85bab5bf0e68e93242dacce1e5a0bea29f913f6e

C:\Windows\System\EsBqSas.exe

MD5 58d932336afa4e5d324fff675db7e10c
SHA1 a94ec144cad38fe189845d76d565a8a9a0d24f79
SHA256 7327a7330eb5c9ccb946e101f18b9c42dd3f4eb20e76c3e5095d5959d7d2e72a
SHA512 6d58127b67725aaaeb9c906d48de569b4bf31ed2333844269978a64d4dd5ebb836642d7b0218d1af7758eeff638ea961671095d7393cd1792a4091487da10762

C:\Windows\System\WWkQXXM.exe

MD5 42e7f11c6c0c640df8dc9f8636d0d554
SHA1 a10ded5b307cda772effb694d229e6086f78bae9
SHA256 a7e4e65c209d7fc493474b7712b35117b51e8231bc86ae13b26a4a76a9a01a2f
SHA512 5433e506faa4470460b176b99da65faf4f05d94d6e7d00a115780d0d39ac4bed67bcc75a820db095143bcd34f4909352308361ddc328d66758ea3514ad83a607

C:\Windows\System\wALaYLV.exe

MD5 09569293d65357d74d0840b941ba079f
SHA1 64fae1f05c1320680971a5eaae769d1bf065b613
SHA256 fa252e6b1b6d2b895e01be663316942166b7e031877c1811870738e9c5d9800b
SHA512 135b9bcb3fdf6577940416adf2f6931f4e7c0659dc5ad44e43856154cda60ccd82e6d640c3155072d29328de6f791ec48186f485a37e4aed3fcd71afa7c7e3c1

memory/2412-120-0x00007FF648360000-0x00007FF6486B4000-memory.dmp

memory/856-116-0x00007FF786FC0000-0x00007FF787314000-memory.dmp

memory/4960-113-0x00007FF72E670000-0x00007FF72E9C4000-memory.dmp

memory/4536-107-0x00007FF671C80000-0x00007FF671FD4000-memory.dmp

memory/960-106-0x00007FF778490000-0x00007FF7787E4000-memory.dmp

memory/3404-105-0x00007FF774E90000-0x00007FF7751E4000-memory.dmp

C:\Windows\System\gfIHphm.exe

MD5 a1fff3881cb7e7f6827503b244cb29b5
SHA1 4b93185cce71b35f4b77f7f97954c9ac5267c2a4
SHA256 5340a50d9c00690c5e6ad7df7acfd3733eb3e5a687820daf45eef8834ebf282e
SHA512 109d9622f350ef7f1be5e4ae4338d7e0341896fb0561a00bb0faa16753c38c969371dff6d5b15f659a34bb69f44cc2b29dc4c8f6384d69f818de2d6feee11d83

memory/1900-89-0x00007FF67C6A0000-0x00007FF67C9F4000-memory.dmp

C:\Windows\System\BfOSoXK.exe

MD5 9a7798c6cd3f6748866a4d5f8eec8697
SHA1 345d2a4c8201ba69d2d07852e6addd5184198027
SHA256 676f731645d2085b74d60b6b5fc41cb7d7e4bbf8d45e14f556bb2cbcb2f3f53e
SHA512 4960ab4a7a39874a4e46685adbed6dd00a9d4d6bb585cfdcb0c98e6f990604353ae660fce73f691570de1c39e311a7eebb1fb0f06c5188a0481dbd0cdbad9510

memory/3752-83-0x00007FF6E2CF0000-0x00007FF6E3044000-memory.dmp

memory/3096-82-0x00007FF7B7C20000-0x00007FF7B7F74000-memory.dmp

memory/5004-79-0x00007FF797CD0000-0x00007FF798024000-memory.dmp

memory/2376-75-0x00007FF6F2B10000-0x00007FF6F2E64000-memory.dmp

memory/4512-74-0x00007FF6C4580000-0x00007FF6C48D4000-memory.dmp

memory/4088-49-0x00007FF7C18E0000-0x00007FF7C1C34000-memory.dmp

memory/3764-131-0x00007FF7B70D0000-0x00007FF7B7424000-memory.dmp

memory/3960-133-0x00007FF6297F0000-0x00007FF629B44000-memory.dmp

memory/912-132-0x00007FF682BA0000-0x00007FF682EF4000-memory.dmp

memory/1964-134-0x00007FF638F10000-0x00007FF639264000-memory.dmp

memory/2376-135-0x00007FF6F2B10000-0x00007FF6F2E64000-memory.dmp

memory/3752-136-0x00007FF6E2CF0000-0x00007FF6E3044000-memory.dmp

memory/2444-137-0x00007FF694AF0000-0x00007FF694E44000-memory.dmp

memory/4960-138-0x00007FF72E670000-0x00007FF72E9C4000-memory.dmp

memory/856-139-0x00007FF786FC0000-0x00007FF787314000-memory.dmp

memory/2412-140-0x00007FF648360000-0x00007FF6486B4000-memory.dmp

memory/3096-141-0x00007FF7B7C20000-0x00007FF7B7F74000-memory.dmp

memory/1900-142-0x00007FF67C6A0000-0x00007FF67C9F4000-memory.dmp

memory/3404-143-0x00007FF774E90000-0x00007FF7751E4000-memory.dmp

memory/960-144-0x00007FF778490000-0x00007FF7787E4000-memory.dmp

memory/3764-145-0x00007FF7B70D0000-0x00007FF7B7424000-memory.dmp

memory/4452-146-0x00007FF7144A0000-0x00007FF7147F4000-memory.dmp

memory/4088-147-0x00007FF7C18E0000-0x00007FF7C1C34000-memory.dmp

memory/1384-148-0x00007FF695270000-0x00007FF6955C4000-memory.dmp

memory/1964-149-0x00007FF638F10000-0x00007FF639264000-memory.dmp

memory/4512-150-0x00007FF6C4580000-0x00007FF6C48D4000-memory.dmp

memory/5004-151-0x00007FF797CD0000-0x00007FF798024000-memory.dmp

memory/2376-152-0x00007FF6F2B10000-0x00007FF6F2E64000-memory.dmp

memory/3752-153-0x00007FF6E2CF0000-0x00007FF6E3044000-memory.dmp

memory/2444-154-0x00007FF694AF0000-0x00007FF694E44000-memory.dmp

memory/4536-155-0x00007FF671C80000-0x00007FF671FD4000-memory.dmp

memory/3388-156-0x00007FF7F95B0000-0x00007FF7F9904000-memory.dmp

memory/4960-157-0x00007FF72E670000-0x00007FF72E9C4000-memory.dmp

memory/856-158-0x00007FF786FC0000-0x00007FF787314000-memory.dmp

memory/2412-159-0x00007FF648360000-0x00007FF6486B4000-memory.dmp

memory/3960-160-0x00007FF6297F0000-0x00007FF629B44000-memory.dmp

memory/912-161-0x00007FF682BA0000-0x00007FF682EF4000-memory.dmp