Malware Analysis Report

2025-01-22 19:48

Sample ID 240601-s2chtsgd37
Target 2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike
SHA256 71b4daa378e59e37a443fbf7fe2bd4924821d93b8873e73c4f00bae5db3e8160
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

71b4daa378e59e37a443fbf7fe2bd4924821d93b8873e73c4f00bae5db3e8160

Threat Level: Known bad

The file 2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

Cobaltstrike

Xmrig family

xmrig

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 15:36

Signatures

Cobalt Strike reflective loader

1 match; no description, indicator, process or target details reported.

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

1 match; no description, indicator, process or target details reported.

UPX dump on OEP (original entry point)

1 match; no description, indicator, process or target details reported.

XMRig Miner payload

miner

1 match; no description, indicator, process or target details reported.

Xmrig family

xmrig

UPX packed file

upx

1 match; no description, indicator, process or target details reported.

Unsigned PE

1 match; no description, indicator, process or target details reported.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 15:36

Reported

2024-06-01 15:39

Platform

win7-20240419-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

21 matches; no description, indicator, process or target details reported.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

21 matches; no description, indicator, process or target details reported.

UPX dump on OEP (original entry point)

61 matches; no description, indicator, process or target details reported.

XMRig Miner payload

miner

63 matches; no description, indicator, process or target details reported.

Loads dropped DLL

21 matches, every one in process C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe; no description, indicator or target details reported.

UPX packed file

upx

61 matches; no description, indicator, process or target details reported.

Drops file in Windows directory

21 files created by C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe (Indicator and Target are N/A in every row). All of them are seven-letter, mixed-case names written directly under C:\Windows\System, not System32:

C:\Windows\System\uCedUiZ.exe
C:\Windows\System\pxAKQDd.exe
C:\Windows\System\KAzzyLG.exe
C:\Windows\System\zYybtCI.exe
C:\Windows\System\lyOhLsg.exe
C:\Windows\System\BUyqIfm.exe
C:\Windows\System\AyuDMVu.exe
C:\Windows\System\DjBoeBd.exe
C:\Windows\System\PVktnru.exe
C:\Windows\System\dWLnRpY.exe
C:\Windows\System\xJQYSNY.exe
C:\Windows\System\SyIUgXp.exe
C:\Windows\System\XZnubmP.exe
C:\Windows\System\pagwcbg.exe
C:\Windows\System\yrhJXQL.exe
C:\Windows\System\ookuqpf.exe
C:\Windows\System\lMAFJOS.exe
C:\Windows\System\nBlxnjJ.exe
C:\Windows\System\UDoTbdm.exe
C:\Windows\System\WecvQVu.exe
C:\Windows\System\TroEqmk.exe

Suspicious use of AdjustPrivilegeToken

Token: SeLockMemoryPrivilege, adjusted twice by C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe (Indicator and Target N/A). SeLockMemoryPrivilege is the right XMRig enables so it can back its hashing memory with large pages; an unsigned dropper requesting it corroborates the miner tags above.

Suspicious use of WriteProcessMemory

Source process in every row: C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe (PID 1752). The parent wrote three times into each child it spawned (Indicator N/A); the original table lists each write as its own row.

Target PID Target process
2456 C:\Windows\System\lMAFJOS.exe
3060 C:\Windows\System\nBlxnjJ.exe
2160 C:\Windows\System\dWLnRpY.exe
2824 C:\Windows\System\lyOhLsg.exe
2148 C:\Windows\System\xJQYSNY.exe
2568 C:\Windows\System\SyIUgXp.exe
2908 C:\Windows\System\UDoTbdm.exe
2220 C:\Windows\System\WecvQVu.exe
2564 C:\Windows\System\XZnubmP.exe
3068 C:\Windows\System\uCedUiZ.exe
3040 C:\Windows\System\pagwcbg.exe
2884 C:\Windows\System\AyuDMVu.exe
2896 C:\Windows\System\DjBoeBd.exe
1448 C:\Windows\System\TroEqmk.exe
2492 C:\Windows\System\ookuqpf.exe
1688 C:\Windows\System\pxAKQDd.exe
1224 C:\Windows\System\KAzzyLG.exe
1516 C:\Windows\System\zYybtCI.exe
2804 C:\Windows\System\PVktnru.exe
628 C:\Windows\System\yrhJXQL.exe
1316 C:\Windows\System\BUyqIfm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\lMAFJOS.exe

C:\Windows\System\lMAFJOS.exe

C:\Windows\System\nBlxnjJ.exe

C:\Windows\System\nBlxnjJ.exe

C:\Windows\System\dWLnRpY.exe

C:\Windows\System\dWLnRpY.exe

C:\Windows\System\lyOhLsg.exe

C:\Windows\System\lyOhLsg.exe

C:\Windows\System\xJQYSNY.exe

C:\Windows\System\xJQYSNY.exe

C:\Windows\System\SyIUgXp.exe

C:\Windows\System\SyIUgXp.exe

C:\Windows\System\UDoTbdm.exe

C:\Windows\System\UDoTbdm.exe

C:\Windows\System\WecvQVu.exe

C:\Windows\System\WecvQVu.exe

C:\Windows\System\XZnubmP.exe

C:\Windows\System\XZnubmP.exe

C:\Windows\System\uCedUiZ.exe

C:\Windows\System\uCedUiZ.exe

C:\Windows\System\pagwcbg.exe

C:\Windows\System\pagwcbg.exe

C:\Windows\System\AyuDMVu.exe

C:\Windows\System\AyuDMVu.exe

C:\Windows\System\DjBoeBd.exe

C:\Windows\System\DjBoeBd.exe

C:\Windows\System\TroEqmk.exe

C:\Windows\System\TroEqmk.exe

C:\Windows\System\ookuqpf.exe

C:\Windows\System\ookuqpf.exe

C:\Windows\System\pxAKQDd.exe

C:\Windows\System\pxAKQDd.exe

C:\Windows\System\KAzzyLG.exe

C:\Windows\System\KAzzyLG.exe

C:\Windows\System\zYybtCI.exe

C:\Windows\System\zYybtCI.exe

C:\Windows\System\PVktnru.exe

C:\Windows\System\PVktnru.exe

C:\Windows\System\yrhJXQL.exe

C:\Windows\System\yrhJXQL.exe

C:\Windows\System\BUyqIfm.exe

C:\Windows\System\BUyqIfm.exe
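The drop-then-spawn loop recorded in the "Drops file in Windows directory", "Suspicious use of WriteProcessMemory" and "Processes" sections, together with the SeLockMemoryPrivilege request, is a pattern that can be hunted for in endpoint telemetry. The following is an added example and is not part of the sandbox report or any vendor's code. It replays a handful of constructed events in a Sysmon-like shape (the dictionary field names are assumptions; the numeric IDs follow Sysmon 11 = FileCreate and 1 = ProcessCreate, and Windows Security 4703 = token right adjusted) and flags a parent that writes several seven-letter .exe files directly under C:\Windows\System, executes them, and enables SeLockMemoryPrivilege. The paths and PIDs are taken from this report; the timestamps, the benign decoy and the thresholds are constructed, and the seven-letter regex is specific to this sample's naming.

```python
"""Hunt for the drop-and-spawn pattern recorded in the report above.

Added example, not sandbox or vendor code. Field names are assumptions;
event IDs: 11 = Sysmon FileCreate, 1 = Sysmon ProcessCreate,
4703 = Windows Security "A token right was adjusted".
"""
import re
from collections import defaultdict

# Shape of every dropped file in the report: seven letters, .exe, directly
# under C:\Windows\System (not System32, where real OS binaries live).
# Assumption: this naming is specific to the sample, not a general rule.
DROP_PATH = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def drop(pid, target, t):
    return {"id": 11, "pid": pid, "target": target, "t": t}


def spawn(pid, ppid, image, t):
    return {"id": 1, "pid": pid, "ppid": ppid, "image": image, "t": t}


# Constructed event stream: four of the report's 21 drops, then the
# privilege request, plus two decoys that must not fire.
EVENTS = [
    drop(1752, r"C:\Windows\System\lMAFJOS.exe", 10),
    spawn(2456, 1752, r"C:\Windows\System\lMAFJOS.exe", 11),
    drop(1752, r"C:\Windows\System\nBlxnjJ.exe", 12),
    spawn(3060, 1752, r"C:\Windows\System\nBlxnjJ.exe", 13),
    drop(1752, r"C:\Windows\System\dWLnRpY.exe", 14),
    spawn(2160, 1752, r"C:\Windows\System\dWLnRpY.exe", 15),
    drop(1752, r"C:\Windows\System\lyOhLsg.exe", 16),
    spawn(2824, 1752, r"C:\Windows\System\lyOhLsg.exe", 17),
    {"id": 4703, "pid": 1752, "privileges": ["SeLockMemoryPrivilege"], "t": 18},
    # Decoy 1 (constructed): an installer drops one binary elsewhere and runs it.
    drop(900, r"C:\Program Files\Example\app.exe", 5),
    spawn(901, 900, r"C:\Program Files\Example\app.exe", 6),
    # Decoy 2 (constructed): a single matching drop that is never executed.
    drop(950, r"C:\Windows\System\abcdefg.exe", 7),
]


def score_parents(events, min_executed=3, window=120):
    """Return {parent_pid: finding} for parents that drop, then execute,
    at least `min_executed` matching files within `window` seconds each."""
    drops = defaultdict(dict)    # parent pid -> {lowercased path: drop time}
    executed = defaultdict(set)  # parent pid -> paths it dropped and then spawned
    lock_memory = set()          # pids that enabled SeLockMemoryPrivilege
    for e in sorted(events, key=lambda e: e["t"]):
        if e["id"] == 11 and DROP_PATH.match(e["target"]):
            drops[e["pid"]][e["target"].lower()] = e["t"]
        elif e["id"] == 1:
            parent, path = e.get("ppid"), e["image"].lower()
            dropped_at = drops.get(parent, {}).get(path)
            if dropped_at is not None and e["t"] - dropped_at <= window:
                executed[parent].add(path)
        elif e["id"] == 4703 and "SeLockMemoryPrivilege" in e.get("privileges", ()):
            lock_memory.add(e["pid"])

    findings = {}
    for parent, paths in drops.items():
        ran = executed.get(parent, set())
        if len(ran) < min_executed:
            continue
        findings[parent] = {
            "dropped": len(paths),
            "executed": len(ran),
            "lock_memory_privilege": parent in lock_memory,
            # The large-page privilege on top of the drop loop is the
            # XMRig-specific corroboration, so it raises severity.
            "severity": "high" if parent in lock_memory else "medium",
        }
    return findings


if __name__ == "__main__":
    for pid, finding in score_parents(EVENTS).items():
        print(pid, finding)
```

The drop-to-execute window and the minimum count are the tunables: a single drop under C:\Windows\System (decoy 2) is not enough on its own, and the privilege request only raises severity rather than being required, so a miner build that skips large pages still surfaces at medium.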

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 N/A tcp 6

Files

memory/1752-0-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/1752-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\lMAFJOS.exe

MD5 be1898ebecebfdbb68ea9076262f9eb5
SHA1 32136f607ae3c2e6485484e3fd1cb6d658c7e95e
SHA256 30ded6997032c5a72dbd5794d3b489a37f0f1832800a1c1b5e5483294cd3bc9c
SHA512 62eeccad73ce2403bcd72e76ea717e53cef44a5467c4c0c18342d717dcc2dadf67c7368320ab584a54f86491e6816d696bc3445238cbec13e3cc006a95986961

memory/2456-10-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/3060-15-0x000000013F020000-0x000000013F374000-memory.dmp

memory/1752-13-0x000000013F020000-0x000000013F374000-memory.dmp

C:\Windows\system\nBlxnjJ.exe

MD5 5adee43c793699f1940f9add68ac8b05
SHA1 17ad8a8edb1127b1d69049d409ab983d1891d067
SHA256 a95f85275eeeccc912d507612ce76ffa1c4da85efda0e70aa1bb73d500f12b1e
SHA512 e624cb567b19e7156a2b3c968bcbff964f7e0e77ee94aacafd62f8694819be64d4a2ec343b5b133908cca87eb2244d78dc446a8dd423054487116d93de6374fc

C:\Windows\system\dWLnRpY.exe

MD5 655ca31ec421ee4fb3e8170b24a0be9a
SHA1 ef4db7831d9d1893b2e0762e38802d7dacffeb2a
SHA256 94d0737ce8b43a0cd146f6cf87827e0b5a9c7f4ea6d83ee4f1f9630abbdfa659
SHA512 64dad0957a7d16354d9fa44bce1b73cfba1da29ab17759192016a4720daeeb85a10007b7e9464ac6a2ce42353af7c8cb3340cab16270b1e0704ad6775c0c9e44

memory/2160-22-0x000000013F3D0000-0x000000013F724000-memory.dmp

C:\Windows\system\lyOhLsg.exe

MD5 46d5579ac014a49b8e10eaab159bafcb
SHA1 6ebc0dce918fdbaa0b773f35cc9de9de44e9edf6
SHA256 2046f5dc2f65e3acf4a0c3680fb4315d9627b0f53a6b8e6ec1d57f655eb541ce
SHA512 8729a7f3d8eed33c35ed2fc74273810dcc937c21b36bd802212d7f55d4ef182fa677e0a13d489d6a2689883fe6fdf455b8819ff1fd665df74bacb9b7cdb767d7

memory/1752-27-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2824-28-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/1752-20-0x000000013F3D0000-0x000000013F724000-memory.dmp

\Windows\system\xJQYSNY.exe

MD5 1a68ba77631e2cbf2a2e51e3498cb73b
SHA1 dcedc8b10ea2e844e348ba2f380637dc77449b52
SHA256 95844fdd07ad8a681cb6d2ad298eddfeb336f27af2960b9df9e620ba0130919b
SHA512 7032ef04abc96a21d22c2ab3d397d7991606539edf94b971bd35b1fe626f27fc6d2985d51cc164c37e79d12e0bd4609bdadc749ac389be3c49b0bab75ecc705d

C:\Windows\system\SyIUgXp.exe

MD5 50a5911561e00e055e3927d4749345fe
SHA1 aacaa5a1511fd6acb81d7c84b138e00649dd0f26
SHA256 1dc3d8d71a898e8af3b3934e07235eb7217df6135e5595fd492e93a7bea2f1a0
SHA512 91baaf17cbf10157a14874f01a80691c91b24be0dcf21196e1c7691d629346a5e007c55a6769e27b84f446e4d79a3d5fc5ea4830b3a087d10f4b7e978fc7bcf5

memory/2568-42-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2148-35-0x000000013F420000-0x000000013F774000-memory.dmp

memory/1752-41-0x00000000023C0000-0x0000000002714000-memory.dmp

C:\Windows\system\WecvQVu.exe

MD5 2effe4683b857ae18774d28e3a8a9014
SHA1 566b81c65fdbd2efece1024e0d520e347f128140
SHA256 d32e9991aa07de37048a27ee1f689dcc83db01005230c23c4b12248733ca7403
SHA512 a328e363b208bad1547525ab0dfc7b0b57d00de7a8ebe22f0c84c30c1b74dbc983959302e766fc353244f624108bf20390398144f0be28a32ef017d5fe6ab365

memory/2908-49-0x000000013F5E0000-0x000000013F934000-memory.dmp

C:\Windows\system\XZnubmP.exe

MD5 3d39c9c5700bcc1c06017c79ab598dbd
SHA1 b51d85ce71d7a3c8c98fd0f9528e0a5299391cb8
SHA256 319d95c68711b08da8b11b6d802e2591d4e15c60a0fedfc3863fd8025670c6a0
SHA512 a5e83814fb88c3e0b3944fac58ef290adb04230553d506c2152efbd3714e03f7f63b4d5f6fd1b061dcfbe424218d59be3f6477bd1a93ec6d2e8523ac0c2982ec

C:\Windows\system\uCedUiZ.exe

MD5 9dcd5c08959a6a4f188e3e56d20510bb
SHA1 9345757685e34f6934b1a1a300edd39b106ba827
SHA256 1e5b62e8a891c998338b40ebe4f5b95adf17f9f4777a6a82e78600b2cbf7aa2e
SHA512 07b884609d6ac2a286ac6971b07914d123c3e9d2522e3f712ec527c925f5dc4c3ecaa6caa9c7162744d166a1adf64f3048822c4e4a89c13bf3a0a19ca0db9a8e

C:\Windows\system\pagwcbg.exe

MD5 501ae4e8a4d8e02490848766e96db24a
SHA1 904217b54898179c41523af2780ed68301e84e9a
SHA256 d65c890991568b0cf1a27314e52b367f71dabc223797a98107408c7c0a7a1058
SHA512 b43e7fd02cf0fafbc369cbfafe7a80f57804e021f7862c6a8628a83a218fcae7a77bc98f20fe051db3a7d8d28ad0a610d3e101ebb722acdb8747129b160e806b

memory/2160-83-0x000000013F3D0000-0x000000013F724000-memory.dmp

C:\Windows\system\DjBoeBd.exe

MD5 4d955c1813ef533c51b6ffa4d21d0812
SHA1 55e50204dee9a2b88f5710be42c832bcc6c33d0f
SHA256 1fa8b20037bdb8d1e25900a05e4656b75641a85ad8dfa355a537844a82389937
SHA512 613006a2965857ebd8587b5d0bf244a5bf50fec02a21c86d08fe8e9728c86656c094a49fa22d420bc2e167bb0cabe0cfb7c95c5ecc0ef9f8d990700cb642598e

memory/2824-90-0x000000013F480000-0x000000013F7D4000-memory.dmp

C:\Windows\system\pxAKQDd.exe

MD5 fe1624e82df490c42bdf19b517488ebe
SHA1 e692b0004e06ff980c00a2a3380aae28654ffac7
SHA256 c056f9cb6eccafd70dd3cd7c160c2fda2b67d11280948a50e537348d18a9adc3
SHA512 e70a539e8d6d25a850f12dec6a359795bcbd600e572d2dc20dcb44d864f8596c370b9cf4ca67ea84e727a5b59c74a4f85930002fd7955da0141b575b35c06bf2

C:\Windows\system\yrhJXQL.exe

MD5 c5358d21da1eb49149b61d61ec1dd04e
SHA1 d03f41d67db2dca605905ff246e51474a9a12bd2
SHA256 68313d6b22cf8068fbf9e5ca6765375a9e3d660fd34add753e4dda2f0725d7ba
SHA512 d9ce052a3ded3c0f1943a26c889fdffb2487d0ccb5956f6ce958113ba916337fb5af5d072cf2cd27c5817b821666e8683b3868d3d994ae3b1125dd6ab06ab7fe

\Windows\system\BUyqIfm.exe

MD5 abb444f78bf77ba5b70ff6f6aaab57f3
SHA1 b1b739265a836d483f838b57ad6bed8c2e16ec58
SHA256 43041d9f33a3c6c314f1f6ad6779375fe44cb8b33bf78cf936c89bf1858cdf21
SHA512 6a7b555ad46592c9f99c04603bcdae1775dfd8d8a10827298b1d5e8c348049f9d07750d9f1ed38cfac0b4500a5c980076e8012dd5cd4d5f88a879cdd7c38592c

C:\Windows\system\PVktnru.exe

MD5 2a5534d2c3dc9e594d233326d4317135
SHA1 bc00f6e9a4d36467d18b3878cdaca2d430304562
SHA256 b287e32f0e630f44baeeeaed8d358bb8c3d2575b1c19a9b3e4ebdf51250e2b36
SHA512 c155f70a7d4c6024add0e5f1fe41ee7216a4f4df1e93c237e9becf21daa7723cbc2b22cf229e582e5f9598fec0bab983bd8280d783561c9b7403ce7eaede0c19

C:\Windows\system\zYybtCI.exe

MD5 bfe30e5a8817b1744f82ac979798d8bb
SHA1 f1467952a86db150aeadeb5db27aec3eb19d0295
SHA256 e494220073dfdd1d4e88d7fc6ed6676b6cb6e901347de08b194208babf22d3d7
SHA512 26d13366105d0bada66b48ff49f8ca8d9413b5226ecfef52f57e297fe0a72b1df3c97fffe9bf5871e501258ab2e1d5c3b88ebdbeadee17e710320788970c6e45

C:\Windows\system\KAzzyLG.exe

MD5 704b2b8a69e4a40dfeb925ce9c0378b8
SHA1 291b8c7aeb585099f6b076cde502f17a88fcfbc4
SHA256 b274912cdd2f2a100d2a484e74a5e6590a9194fcf443186bfd4c6194bb3e8c6b
SHA512 8165be0efe3629f87634d48316f484b9c754857da0917ad701a2b5abdd91b8326b25b4e3d9b610dadd5cd235539f202eb44259cd0c8586924b6e4f56ba878110

memory/1752-106-0x000000013F870000-0x000000013FBC4000-memory.dmp

C:\Windows\system\ookuqpf.exe

MD5 cf3eb0778f9d16376e0aff154e89a191
SHA1 7bbbff1fc37eaab3d74dbfe98e2e41aea81fc6a6
SHA256 9aa4a7b783b0d3ed04aff4f9f4f96375701172f0fbcee9d5ed9e6157878591c2
SHA512 8295a88b544f90eae236eaee38f95df3efe8a92254a699f9ca86de27d8430ecd4bb9a2dfe4801970d47a7449464573d3b6edd7058f9cfae6f6a2d1b1f962ee83

memory/1448-101-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/1752-100-0x000000013F420000-0x000000013F774000-memory.dmp

C:\Windows\system\TroEqmk.exe

MD5 f4a1d56d6c023d5ea2a679caf2a6ac66
SHA1 27595d551d6b3b4dcca5d1bce045e4091a1e9d32
SHA256 10c7e10ee55f41606baa02d6c7dd9fd76e89e4118c13d7c504a4c5931da291bb
SHA512 34377affefb3f20680774d3e98f5ec4199688c1af0d8370f8714b9dbac392c612d43f94896a1c07ee11a975dd55df4a32c27586612127104062c1fd4c1c18d12

memory/2896-92-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/1752-91-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/2884-85-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/1752-84-0x000000013F290000-0x000000013F5E4000-memory.dmp

C:\Windows\system\AyuDMVu.exe

MD5 9b1f636f2cfd39b389a07fa6e2457240
SHA1 b92820368eb435f233e848771f23de7adaa34d5d
SHA256 fac1120a646c0105c446fa74dc128e79082c8752f5a427e0514706f09eaf1b9b
SHA512 95fa1e15dea54ae073fc6b29c706970bcaab8ab0541df0c13a548b6fafe58620059f6d64b3162ac7065ebe6c1a2bbd54de034bceb79a4eb13cde386df9f29964

memory/3040-76-0x000000013F140000-0x000000013F494000-memory.dmp

memory/1752-75-0x000000013F140000-0x000000013F494000-memory.dmp

memory/3060-74-0x000000013F020000-0x000000013F374000-memory.dmp

memory/3068-69-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/1752-68-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/2564-61-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/1752-60-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2220-55-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2456-54-0x000000013F8E0000-0x000000013FC34000-memory.dmp

C:\Windows\system\UDoTbdm.exe

MD5 28ef74962d934d9ee64c41035b8ba86c
SHA1 cfe77d587e19f562c1bdf7731913db843181653b
SHA256 a22581aaada54bad184bbfec4354d87977f79124af0d40104ff6949845864d85
SHA512 8c26f7d2545b5db2220a649bfa826db6146422c7d9f2b664bffc4677849bd6072c9d472a6024442ff4eb9e70bdb1ae3cc60651b6dfc05156a6a7b51716b69d67

memory/1752-46-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/2220-137-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2564-138-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/1752-139-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/3068-140-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/1752-141-0x000000013F140000-0x000000013F494000-memory.dmp

memory/3040-142-0x000000013F140000-0x000000013F494000-memory.dmp

memory/1752-143-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/2884-144-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/1752-145-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/2896-146-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/1752-147-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/1752-148-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/2456-149-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/3060-150-0x000000013F020000-0x000000013F374000-memory.dmp

memory/2160-151-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2824-152-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2148-153-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2568-154-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2908-155-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/2220-157-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2564-156-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/3068-158-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/3040-159-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2884-160-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/2896-161-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/1448-162-0x000000013F480000-0x000000013F7D4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 15:36

Reported

2024-06-01 15:39

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\owUtboL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MOuSiAb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NsNTnmb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GdvlVmC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LuMVPOb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wUdbBbO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ACkGdKL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zkexpTy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TysrgbS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UQmHuxC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZBeJHER.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AYqmswd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GVhWXmX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bAMicgl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eolvLLw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ptNrVfQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JrRAGGW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OkPnUVQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vwtjwKy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nUVstDH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MNGFPqD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4796 wrote to memory of 5864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\owUtboL.exe
PID 4796 wrote to memory of 5864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\owUtboL.exe
PID 4796 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\zkexpTy.exe
PID 4796 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\zkexpTy.exe
PID 4796 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\MOuSiAb.exe
PID 4796 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\MOuSiAb.exe
PID 4796 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\TysrgbS.exe
PID 4796 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\TysrgbS.exe
PID 4796 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\NsNTnmb.exe
PID 4796 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\NsNTnmb.exe
PID 4796 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\UQmHuxC.exe
PID 4796 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\UQmHuxC.exe
PID 4796 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\eolvLLw.exe
PID 4796 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\eolvLLw.exe
PID 4796 wrote to memory of 5240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ptNrVfQ.exe
PID 4796 wrote to memory of 5240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ptNrVfQ.exe
PID 4796 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZBeJHER.exe
PID 4796 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZBeJHER.exe
PID 4796 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\GdvlVmC.exe
PID 4796 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\GdvlVmC.exe
PID 4796 wrote to memory of 6084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\LuMVPOb.exe
PID 4796 wrote to memory of 6084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\LuMVPOb.exe
PID 4796 wrote to memory of 5860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AYqmswd.exe
PID 4796 wrote to memory of 5860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AYqmswd.exe
PID 4796 wrote to memory of 5608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JrRAGGW.exe
PID 4796 wrote to memory of 5608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\JrRAGGW.exe
PID 4796 wrote to memory of 5316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\vwtjwKy.exe
PID 4796 wrote to memory of 5316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\vwtjwKy.exe
PID 4796 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\nUVstDH.exe
PID 4796 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\nUVstDH.exe
PID 4796 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\GVhWXmX.exe
PID 4796 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\GVhWXmX.exe
PID 4796 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\bAMicgl.exe
PID 4796 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\bAMicgl.exe
PID 4796 wrote to memory of 5272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\wUdbBbO.exe
PID 4796 wrote to memory of 5272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\wUdbBbO.exe
PID 4796 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ACkGdKL.exe
PID 4796 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ACkGdKL.exe
PID 4796 wrote to memory of 5204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\OkPnUVQ.exe
PID 4796 wrote to memory of 5204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\OkPnUVQ.exe
PID 4796 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\MNGFPqD.exe
PID 4796 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe C:\Windows\System\MNGFPqD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_65337e14e7c906635555301bca0e281f_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\owUtboL.exe

C:\Windows\System\owUtboL.exe

C:\Windows\System\zkexpTy.exe

C:\Windows\System\zkexpTy.exe

C:\Windows\System\MOuSiAb.exe

C:\Windows\System\MOuSiAb.exe

C:\Windows\System\TysrgbS.exe

C:\Windows\System\TysrgbS.exe

C:\Windows\System\NsNTnmb.exe

C:\Windows\System\NsNTnmb.exe

C:\Windows\System\UQmHuxC.exe

C:\Windows\System\UQmHuxC.exe

C:\Windows\System\eolvLLw.exe

C:\Windows\System\eolvLLw.exe

C:\Windows\System\ptNrVfQ.exe

C:\Windows\System\ptNrVfQ.exe

C:\Windows\System\ZBeJHER.exe

C:\Windows\System\ZBeJHER.exe

C:\Windows\System\GdvlVmC.exe

C:\Windows\System\GdvlVmC.exe

C:\Windows\System\LuMVPOb.exe

C:\Windows\System\LuMVPOb.exe

C:\Windows\System\AYqmswd.exe

C:\Windows\System\AYqmswd.exe

C:\Windows\System\JrRAGGW.exe

C:\Windows\System\JrRAGGW.exe

C:\Windows\System\vwtjwKy.exe

C:\Windows\System\vwtjwKy.exe

C:\Windows\System\nUVstDH.exe

C:\Windows\System\nUVstDH.exe

C:\Windows\System\GVhWXmX.exe

C:\Windows\System\GVhWXmX.exe

C:\Windows\System\bAMicgl.exe

C:\Windows\System\bAMicgl.exe

C:\Windows\System\wUdbBbO.exe

C:\Windows\System\wUdbBbO.exe

C:\Windows\System\ACkGdKL.exe

C:\Windows\System\ACkGdKL.exe

C:\Windows\System\OkPnUVQ.exe

C:\Windows\System\OkPnUVQ.exe

C:\Windows\System\MNGFPqD.exe

C:\Windows\System\MNGFPqD.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/4796-0-0x00007FF78B930000-0x00007FF78BC84000-memory.dmp

memory/4796-1-0x0000024963750000-0x0000024963760000-memory.dmp

C:\Windows\System\owUtboL.exe

MD5 f49bc8a6cea6f08ecb3d230622f4629d
SHA1 a7ee99d464d4b5145aeffe43a449c114b521102c
SHA256 e65c414eb3cca890032f119e363f990e937a7ab4a4cd9b2af9ad6d6b255d5244
SHA512 387f8891e8bb58b7fce25c680a7ab48112871aa892b380edc91289575596dbe95160b8eeb2ce9d6c0a1fc89ff24156e59e205140bb103ea12b0c6102aa9b39ce

memory/5864-6-0x00007FF6F5840000-0x00007FF6F5B94000-memory.dmp

C:\Windows\System\zkexpTy.exe

MD5 9823a5a26acc6251b6683179edf53887
SHA1 226e3bb6aba90adc4b8b323674c6dac8dfff2619
SHA256 0aa3fe454c86f0d420917bd88641b335b75cd4a2d32f580c2fdf305a7228bda6
SHA512 7f1bebb83aa8364d747091839e44c32aaa4a8047d1b32105e8e2bbe87ebe2ca00a8b4e18d36345d774943caf330f183bd32c1e0ca180a748ba1dda37eba5f326

memory/4740-14-0x00007FF7F0C20000-0x00007FF7F0F74000-memory.dmp

C:\Windows\System\MOuSiAb.exe

MD5 283e4bba841bfcb84a58aad480640c19
SHA1 357d12a786caa71437be51687287973b16437184
SHA256 264806320d71134f52a189cd1586de3285f437212f63a54dba62dc7d634fac3b
SHA512 0454fa303b9cd4ec8e1a848ce62a113b6e88012368159a58f2315f935cfb4792abae06193350a59d0be1efbf86fcb9d60346877578c5f915637604b4e10fdae9

memory/4076-19-0x00007FF770990000-0x00007FF770CE4000-memory.dmp

C:\Windows\System\TysrgbS.exe

MD5 7b37bef3d1b2496f840030fb696c2974
SHA1 d448dbb99c347a4786fd5eb4023328069536febb
SHA256 4c74d9de072666410ea6cea7f6d4f7fcec06d846c690e967a2a41e076745c3b7
SHA512 75d15f9171d350f11f443814661945a8fe773a241120fcbcf705e7c989aa2afedd0a28d57a5abf505de2cb8262c7805b841b5845915adecc84d9501665a9f95c

C:\Windows\System\NsNTnmb.exe

MD5 9906c1b29d49302dcbdc63f01cb12262
SHA1 de583953e81c7797e23d00fc8b26ac3b42d82ad3
SHA256 ef46d83be4525841de7834d1310eb9961f1021898b138ee1b4c3fe1f44995862
SHA512 93dc24a3c6bbc7cd63bee200e166f8f5d72d5f8400f0a0bcc20334c7e197431c69bc5a2a5096e2d175e479e5df85bcda670ad482a703d2eac81073245df78630

C:\Windows\System\eolvLLw.exe

MD5 4dbf6e4ddcae18d39a4318ee661dac0e
SHA1 2cad5a9dba341d26c265e1353e73c545028ef4c3
SHA256 edf96435e545d2c45a669395532dd0188430f4a1fa1b71001e15c5c6806ebadc
SHA512 98a4f8fcb1c29f6e20a92b25aef40295c45b676485a891d1daec011ec133714d643a8615edc7a2e0ac2b3ef474fe48b3618ced719fa77898ad393ff4fbb1d6f2

C:\Windows\System\ZBeJHER.exe

MD5 ca2dece297d6e98e43d5054f7b7e940b
SHA1 c30be0c3f19d4d6bd31593d3767ed41982c1e0c6
SHA256 f6eeb80ca3960dd17df6c728c0f992508df8ce04054049f8f9f2f9a777b0aaaf
SHA512 37bda99a1779437b6cd115f227ebe33ccadc71fa7c75413603481e7399c47458a4eca2dd182beabe28a10add1b9ce92f00e5180c1e10f886b35da674b5e56a59

C:\Windows\System\LuMVPOb.exe

MD5 322001433848d7af5e80009aea246171
SHA1 e6bb9677c4b57e97d8396c610448e9a39291e0d4
SHA256 1d172132cf2ce956697bdbd059a42806d0ce194bfeb5b4fb3fe6f113b77b95ed
SHA512 b08af6c409504600ce2ace97419da1872c2e2e78baaac55a8e48665cda93d6023ba5c953a72b5a8ba7030922ecfb04cdc2584e45356b2dd35fb64b9dad3be748

C:\Windows\System\GdvlVmC.exe

MD5 85f8c7f35b9a81ebd027b066c3c32688
SHA1 cbf81476d8df8aaf504328fc1f52aceadc7f9601
SHA256 cf736922959936eb9f1400d51951789e193e5a06cdef15f0cd9e778b22aa5d7f
SHA512 0a1b5fbbaf742bea7d947b7fd1510e9988860770a879d26e49823a2e08191f41c20a6374ce50be5e0c482d6c4cb36aadbc1675410e5e6fe5ec878250752147d2

memory/5860-72-0x00007FF603410000-0x00007FF603764000-memory.dmp

C:\Windows\System\AYqmswd.exe

MD5 d5fa73943ebaa8bd245ad8baaf8f2843
SHA1 928580f3ae7c861477fc2cd05d696430aecf1512
SHA256 af3824f4043f8d5a16b0d3030fc2a2dfaa64e1b29212e620d9b42cc709eb772a
SHA512 3ba2fb8328442962c86dd770f9addacfbf01f6d528bf1fdd284a5bb2b138549819e3d37a79ab308e052067c63117cc30a9bf94fc8aa1a55e260631c887fd6b55

memory/2092-71-0x00007FF650A40000-0x00007FF650D94000-memory.dmp

memory/3260-70-0x00007FF7FD8F0000-0x00007FF7FDC44000-memory.dmp

memory/6084-67-0x00007FF7860B0000-0x00007FF786404000-memory.dmp

memory/4404-66-0x00007FF6C9040000-0x00007FF6C9394000-memory.dmp

memory/5240-62-0x00007FF7E38F0000-0x00007FF7E3C44000-memory.dmp

memory/1512-52-0x00007FF73B210000-0x00007FF73B564000-memory.dmp

C:\Windows\System\ptNrVfQ.exe

MD5 93a4bfffcfd031e094cb234196c8ac97
SHA1 e51e48ca46cf1ab56cbb221736bb7d221cb32c88
SHA256 e840d31898d80e84dcfbfb680691f3559305306a97ce8879ada2e287895ddf50
SHA512 72143af47be16d9928c75e240444b0b8a20a9b667283ca7fa936b37500b1b33f321e566c1a72c99051106d74a0343fee1fbc958250665b22d83914c9437792db

memory/3832-37-0x00007FF7CAE20000-0x00007FF7CB174000-memory.dmp

C:\Windows\System\UQmHuxC.exe

MD5 e1f3fa6435b92d1caa8cd7713684775d
SHA1 939ae8b103b70be496f561e7a4bc118109e32bac
SHA256 5c47876bd2d0fe71c3b2ec66249989ef7ccbe77db80796c0f441a2f212778ee8
SHA512 9c527da09976fc168c05e0593c648dcd62edc23dec3ca48e8ca24614b762625037343c6ef725680dc0d41535508f77e114a16c736c3094fe2b72b985147bb8cd

memory/2064-32-0x00007FF6A6580000-0x00007FF6A68D4000-memory.dmp

C:\Windows\System\JrRAGGW.exe

MD5 ea79d54a1f652b984173fcaac59935c9
SHA1 3dae05cfd5de3647b812785084876a8b32ac9d81
SHA256 5326f94cf9da46f6e542aae9016461acbcecbfdddbdca27772912061166fcac7
SHA512 e702be45746ae9d3b58aa74f80f6760beb6a4a0e06c7fb5f9764afa99394742fef2a73cd4fdd4ace23fbf3f982e8c6514411b92aec72c0fe4260ac22509daee3

memory/5608-80-0x00007FF6DCE90000-0x00007FF6DD1E4000-memory.dmp

C:\Windows\System\vwtjwKy.exe

MD5 36bcfaeb6413ccfd4f354ef2ad3f2903
SHA1 4caa7738055963134ac43d403007d7213edb1435
SHA256 addd1d4c3453446190f6ef5f0c0f72574c9f10083dd4e2592b01c9ef6f8ff38a
SHA512 1ade4d2ca0a2b976a07ae7e85cea39ae764da0099c3aefbec25102bd1e7283a67eda851f3acb41ad524dcd8add0700a1ae9504aeaa2cb6fa056a967be7f21d2d

C:\Windows\System\nUVstDH.exe

MD5 a935d34ce49a6b7768af1fe2e32cee5d
SHA1 22da49e31322c43db8830bcf02d5dc8bb48e302b
SHA256 e63db2516a283e1dd4f956e00d939528c2b484f2c373f4e1d45ae1ede1f6f90e
SHA512 c815534c8c808b20c0671f606ce2485622707703b6914b435a841409b9e672c5505e2c902e8e01fa5f3589d12271747b3182e6eb446035d8ec1e9726ff9d9774

memory/5316-91-0x00007FF6DC310000-0x00007FF6DC664000-memory.dmp

C:\Windows\System\GVhWXmX.exe

MD5 0c73d1e6553f121882789600284e8efa
SHA1 8f77288992ab6d107ecc6d6c3c659b03532906f4
SHA256 373a3fe9cc10a904b6b68b91a1b78d2211268e483a88aafadef6c0e7f0be3990
SHA512 f6a9b1635363455b0c55565c356e07e6078e99a279820c1fb0bd159ebd37e533205ca43792407396befcd486ce9d94c896bef865d73e03a77aae3e29cb188e01

C:\Windows\System\wUdbBbO.exe

MD5 31c5ea93101f7e00b563b3e0bca82197
SHA1 b1693ed13b7749decde293219287ad6a011bbfa3
SHA256 fa5d870127457f978a1028acb312bc441b32fbaf26d9ce6e3bfca4d0cca40fea
SHA512 d926c37f97c1905f277d09cddfbdb764061ca8bf7bf69ae1d007b7a98a8dbfeed7f03fac0a6ac5516ccf14bebcea16180ba6952654fc08db3b312a30235876cb

C:\Windows\System\MNGFPqD.exe

MD5 238fca0fd57a41672026cf014e20397f
SHA1 478002612bf61920c7255601bad226e37dd170cc
SHA256 ef36ace92f15f8e7ff23f12231b0e73ee9a1fa01b9f6fb61ffdc6f4e0c1a7e91
SHA512 338f960f752aa8bd2d0b583f1381d00f0111130fe9e2d18e1bc6b50c3d80138a5458195b59b09ab0fdac5f3a56bc4fd6ceafc34b0bb1b8b82b8d5911189c12aa

C:\Windows\System\OkPnUVQ.exe

MD5 4d533bcd7f35edbd2f166610238b107b
SHA1 9f09b5dade02da2bc7b60a566fe000607ed9d774
SHA256 0d374332d022ccb3601f921286615cc490fdc4555ecf8ceef9cc62fafc9c3c17
SHA512 e29bb300213edd568661bcbd2c51c55f39fe90952c94b906067b70e7fda8ffc0dae018e5079b9cd5868cbf7814a76dd9bea096129200f65277b96537cbe99d4f

C:\Windows\System\ACkGdKL.exe

MD5 b6268ac2af21eb4a0fe6e41fbcc60d88
SHA1 84f88d11caea78e49b919d708be4980e4fe1cb8b
SHA256 f5ebd1585491b5b7230fd6b2521cfdfdc1e3ff2d0b443b83ea80324f8333cf27
SHA512 4293726bc91e2f4280a5967d8a59c1e8b0bee04be41011d6bf1f428dee49e08fcc025d73a7bda2ac77849407191348f18414ad2fdc26746db9390e8365132216

C:\Windows\System\bAMicgl.exe

MD5 f255f813a608815427311e93becc04d9
SHA1 807ae159652423c1f41fc3c0fb6f214e200e5da3
SHA256 9ce186bd5defaca263f2232b0e407ba3e42debd9401e5c3355270101d9425c7b
SHA512 5647ef84d5b772e47daa0a20de4d74c2538874951d610f9cb529796f66ec6297e39cd6da49b76d7aa99f5b8116ec128ed82ae332697a937ed861b325be2e2ac1

memory/3568-122-0x00007FF668310000-0x00007FF668664000-memory.dmp

memory/2376-121-0x00007FF6E14F0000-0x00007FF6E1844000-memory.dmp

memory/5272-123-0x00007FF66FE00000-0x00007FF670154000-memory.dmp

memory/4160-126-0x00007FF6A47E0000-0x00007FF6A4B34000-memory.dmp

memory/4796-127-0x00007FF78B930000-0x00007FF78BC84000-memory.dmp

memory/5204-125-0x00007FF6C3D50000-0x00007FF6C40A4000-memory.dmp

memory/4300-128-0x00007FF6F6920000-0x00007FF6F6C74000-memory.dmp

memory/3208-124-0x00007FF66B2B0000-0x00007FF66B604000-memory.dmp

memory/5864-129-0x00007FF6F5840000-0x00007FF6F5B94000-memory.dmp

memory/4076-130-0x00007FF770990000-0x00007FF770CE4000-memory.dmp

memory/5240-131-0x00007FF7E38F0000-0x00007FF7E3C44000-memory.dmp

memory/5860-132-0x00007FF603410000-0x00007FF603764000-memory.dmp

memory/5608-133-0x00007FF6DCE90000-0x00007FF6DD1E4000-memory.dmp

memory/5864-134-0x00007FF6F5840000-0x00007FF6F5B94000-memory.dmp

memory/4740-135-0x00007FF7F0C20000-0x00007FF7F0F74000-memory.dmp

memory/4076-136-0x00007FF770990000-0x00007FF770CE4000-memory.dmp

memory/2064-137-0x00007FF6A6580000-0x00007FF6A68D4000-memory.dmp

memory/3832-138-0x00007FF7CAE20000-0x00007FF7CB174000-memory.dmp

memory/1512-139-0x00007FF73B210000-0x00007FF73B564000-memory.dmp

memory/3260-140-0x00007FF7FD8F0000-0x00007FF7FDC44000-memory.dmp

memory/5240-141-0x00007FF7E38F0000-0x00007FF7E3C44000-memory.dmp

memory/4404-142-0x00007FF6C9040000-0x00007FF6C9394000-memory.dmp

memory/6084-143-0x00007FF7860B0000-0x00007FF786404000-memory.dmp

memory/2092-144-0x00007FF650A40000-0x00007FF650D94000-memory.dmp

memory/5860-145-0x00007FF603410000-0x00007FF603764000-memory.dmp

memory/5608-146-0x00007FF6DCE90000-0x00007FF6DD1E4000-memory.dmp

memory/5316-147-0x00007FF6DC310000-0x00007FF6DC664000-memory.dmp

memory/4300-148-0x00007FF6F6920000-0x00007FF6F6C74000-memory.dmp

memory/2376-149-0x00007FF6E14F0000-0x00007FF6E1844000-memory.dmp

memory/3568-150-0x00007FF668310000-0x00007FF668664000-memory.dmp

memory/5272-151-0x00007FF66FE00000-0x00007FF670154000-memory.dmp

memory/4160-154-0x00007FF6A47E0000-0x00007FF6A4B34000-memory.dmp

memory/5204-153-0x00007FF6C3D50000-0x00007FF6C40A4000-memory.dmp

memory/3208-152-0x00007FF66B2B0000-0x00007FF66B604000-memory.dmp