Malware Analysis Report

2025-01-22 19:34

Sample ID 240601-s7nhaafh6v
Target 2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike
SHA256 fae1f25f55159205bddb8c2d4ffd715e56096118fbb99801abed4d8930be60c4
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fae1f25f55159205bddb8c2d4ffd715e56096118fbb99801abed4d8930be60c4

Threat Level: Known bad

The file 2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

xmrig

Cobaltstrike

Xmrig family

Cobaltstrike family

XMRig Miner payload

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 15:46

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 15:46

Reported

2024-06-01 15:48

Platform

win7-20240221-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\OSHbKcX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dlwufFf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FDZRwPg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gagksvh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ilqaUWE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\etvVpwj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IRofdaI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QweDVWB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\roaTzEn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qxFzdvI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uOdukgO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lkrmtdz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GGmDkgk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QrtpjJe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XBgvxVO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qAvxrFU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wTzqaHL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\maSxhUq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fMKZYBv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MGiHwhD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jUUNAlD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1040 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\gagksvh.exe
PID 1040 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\gagksvh.exe
PID 1040 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\gagksvh.exe
PID 1040 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\OSHbKcX.exe
PID 1040 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\OSHbKcX.exe
PID 1040 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\OSHbKcX.exe
PID 1040 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\ilqaUWE.exe
PID 1040 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\ilqaUWE.exe
PID 1040 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\ilqaUWE.exe
PID 1040 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\etvVpwj.exe
PID 1040 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\etvVpwj.exe
PID 1040 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\etvVpwj.exe
PID 1040 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\uOdukgO.exe
PID 1040 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\uOdukgO.exe
PID 1040 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\uOdukgO.exe
PID 1040 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\qAvxrFU.exe
PID 1040 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\qAvxrFU.exe
PID 1040 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\qAvxrFU.exe
PID 1040 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\wTzqaHL.exe
PID 1040 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\wTzqaHL.exe
PID 1040 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\wTzqaHL.exe
PID 1040 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\IRofdaI.exe
PID 1040 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\IRofdaI.exe
PID 1040 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\IRofdaI.exe
PID 1040 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\lkrmtdz.exe
PID 1040 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\lkrmtdz.exe
PID 1040 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\lkrmtdz.exe
PID 1040 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\QweDVWB.exe
PID 1040 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\QweDVWB.exe
PID 1040 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\QweDVWB.exe
PID 1040 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\roaTzEn.exe
PID 1040 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\roaTzEn.exe
PID 1040 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\roaTzEn.exe
PID 1040 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\dlwufFf.exe
PID 1040 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\dlwufFf.exe
PID 1040 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\dlwufFf.exe
PID 1040 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\maSxhUq.exe
PID 1040 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\maSxhUq.exe
PID 1040 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\maSxhUq.exe
PID 1040 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\FDZRwPg.exe
PID 1040 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\FDZRwPg.exe
PID 1040 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\FDZRwPg.exe
PID 1040 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\fMKZYBv.exe
PID 1040 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\fMKZYBv.exe
PID 1040 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\fMKZYBv.exe
PID 1040 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\qxFzdvI.exe
PID 1040 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\qxFzdvI.exe
PID 1040 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\qxFzdvI.exe
PID 1040 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\MGiHwhD.exe
PID 1040 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\MGiHwhD.exe
PID 1040 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\MGiHwhD.exe
PID 1040 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\GGmDkgk.exe
PID 1040 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\GGmDkgk.exe
PID 1040 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\GGmDkgk.exe
PID 1040 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\QrtpjJe.exe
PID 1040 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\QrtpjJe.exe
PID 1040 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\QrtpjJe.exe
PID 1040 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\jUUNAlD.exe
PID 1040 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\jUUNAlD.exe
PID 1040 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\jUUNAlD.exe
PID 1040 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\XBgvxVO.exe
PID 1040 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\XBgvxVO.exe
PID 1040 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\XBgvxVO.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\gagksvh.exe

C:\Windows\System\gagksvh.exe

C:\Windows\System\OSHbKcX.exe

C:\Windows\System\OSHbKcX.exe

C:\Windows\System\ilqaUWE.exe

C:\Windows\System\ilqaUWE.exe

C:\Windows\System\etvVpwj.exe

C:\Windows\System\etvVpwj.exe

C:\Windows\System\uOdukgO.exe

C:\Windows\System\uOdukgO.exe

C:\Windows\System\qAvxrFU.exe

C:\Windows\System\qAvxrFU.exe

C:\Windows\System\wTzqaHL.exe

C:\Windows\System\wTzqaHL.exe

C:\Windows\System\IRofdaI.exe

C:\Windows\System\IRofdaI.exe

C:\Windows\System\lkrmtdz.exe

C:\Windows\System\lkrmtdz.exe

C:\Windows\System\QweDVWB.exe

C:\Windows\System\QweDVWB.exe

C:\Windows\System\roaTzEn.exe

C:\Windows\System\roaTzEn.exe

C:\Windows\System\dlwufFf.exe

C:\Windows\System\dlwufFf.exe

C:\Windows\System\maSxhUq.exe

C:\Windows\System\maSxhUq.exe

C:\Windows\System\FDZRwPg.exe

C:\Windows\System\FDZRwPg.exe

C:\Windows\System\fMKZYBv.exe

C:\Windows\System\fMKZYBv.exe

C:\Windows\System\qxFzdvI.exe

C:\Windows\System\qxFzdvI.exe

C:\Windows\System\MGiHwhD.exe

C:\Windows\System\MGiHwhD.exe

C:\Windows\System\GGmDkgk.exe

C:\Windows\System\GGmDkgk.exe

C:\Windows\System\QrtpjJe.exe

C:\Windows\System\QrtpjJe.exe

C:\Windows\System\jUUNAlD.exe

C:\Windows\System\jUUNAlD.exe

C:\Windows\System\XBgvxVO.exe

C:\Windows\System\XBgvxVO.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/1040-0-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/1040-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\gagksvh.exe

MD5 f96c4c4c95d2491053819b3dffdd411a
SHA1 cc336663ae6d8a622a7a0fafbbd6351f58a2a7bd
SHA256 3287cfe2f369ddd59bc8ea10ba26a0b8aae185c41f52e1c5b18901d1083abc92
SHA512 14fbbc647a4e7e545ab2e44b86340dad10d527ebaf2597dd9411ae5c9d1c43ae2a1b2031f2553e9352dafca5f9042c956e608694e04487627d092c028a4baedf

\Windows\system\OSHbKcX.exe

MD5 10dd3d6e18c0d2b03175cae22a21aa12
SHA1 32efc2e2d98576bead6519b3e1fcbfda7250fbd2
SHA256 efa462afc6a97d7869668606674329386aae8cfc9c9adbac6bfcc7de5df1bda0
SHA512 ca9bad4a931b37d03bb406e3bc71d17ffc71c82b55cf25b61cea0874cbfe37bf558c9c9f88bf0452ae961a60e86872c6d85645e1c2d39d0f820e0c1b06e790de

memory/1040-8-0x0000000002400000-0x0000000002754000-memory.dmp

C:\Windows\system\ilqaUWE.exe

MD5 248d69889deecbb8515a3ee7e675e3c8
SHA1 4007980431787b87247e573cc6d2cfe75c469247
SHA256 03406571b09e87b831bf899edbfe5bf991762292836ebeff3f23fc354f5d5bfc
SHA512 fbd0752e8131adb50c301a902e2b7cdcf575c5bb63ac71a79cf119a78f3b0590267d6b434d76bc9d5a43cb8df309e93566486cf44085bf2198e1c2f12c2caa40

memory/1040-43-0x0000000002400000-0x0000000002754000-memory.dmp

\Windows\system\lkrmtdz.exe

MD5 7db7165b7a85b38f65fa137e18a4d532
SHA1 216d9259859e744b1479a592fe515b32afdf8758
SHA256 8f98e7a3c3868ba5eb5a117d5d14028662fa37d7e3de8159a66e49416a72bd3c
SHA512 00ada74ad259327e4079b5b7d047771329c1226c59e28b38ae25c1287a60f3ceb1b48953e235cfb78df196aaa8119fed2748ddfa7b4f07145953a6816336223a

memory/2516-36-0x000000013F4E0000-0x000000013F834000-memory.dmp

\Windows\system\wTzqaHL.exe

MD5 5bae5f4ec9316b40aa3fff3feb0d6e8d
SHA1 e468892e7fea79681f349bf2ae67ff27c238f65b
SHA256 0af04f2a87e4cafc691797a03dacb5048573e90bd6fc71abea43999d47a266d4
SHA512 dfae42a7945dd3a1b92ce19b8035e9a2a4dde2b0e7752e0461228027de5b87bc2e705b35d18c5c68e340aac4f00172f751e2bbd37760dbebf8b57104b8d96c54

\Windows\system\qAvxrFU.exe

MD5 b12c685b982b478cf01a72e1561e9a5b
SHA1 745990a8946bb209d25ef76da94eb75358c92f31
SHA256 49d33af8d26ba39c6d7173562923a4e693e4d0bc262d6012f025bef950614e6b
SHA512 5bf8fa423fd5763cae1c6ad4b24fc6c654517b036e650957ef28c32963df4ff1f47d46f61f41aefb417db71349b80db52d24640713bb57921e3aaf37f64422ce

\Windows\system\etvVpwj.exe

MD5 f5b1d3b30d653e8f2b75ae948c9ba82c
SHA1 b34fdd073ae20dfb0ecf1dc9549e4554851a1919
SHA256 29a0c9a43a1f42928d20b8b46f6e4ab9aedfdeeb80c9770a68fd2d9680de1b9c
SHA512 a4f4b1aa3846d3d25dd50f76d37d303ed78db6e663cea8e24bcc5fe8f8c8ee02b9c4c23056473552c438399ac1f9650b132930efb4c4c03286ef09044f64f5f3

memory/2476-28-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2176-25-0x000000013F360000-0x000000013F6B4000-memory.dmp

C:\Windows\system\uOdukgO.exe

MD5 dbe4a0fec373a91e2f64170c6d35bdaa
SHA1 6b911d0f7a7e490d3219cf3d3c6b00316f6e5a11
SHA256 9a09ba110c3d280a19796b247e16aaf1c373a70551d6cffeb17d2723a52dac2b
SHA512 40fb804c18cd2de43a688728a7c2854a5029b60f9d8c338cb9bfa7f16f3d9935ea7862c2175cd018b5bca15c17e6356463bd670b3f44933d1d09fa0a5f5b9b49

memory/2356-89-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2608-98-0x000000013F860000-0x000000013FBB4000-memory.dmp

C:\Windows\system\qxFzdvI.exe

MD5 e4b5e5c1dae360fc7e9ca2d3e5894d4e
SHA1 9f34e1c6041e2b9e2a28e937963a2b4f54fefe38
SHA256 da4a8ad2c6d6f933a1d378f8f3850b8e43e65d97953a7cdb91e88a33fbacfb8d
SHA512 db5d374e88ac414adcaf6c4d6a2c499e66a2f036ad7c1ff6e0834a346ab29eeac322cb28be7a617d2a47be810285838c804dd34863f3adce10b4dbae6c82244c

C:\Windows\system\XBgvxVO.exe

MD5 45814a84be03e7e2c4759e46a06cfea4
SHA1 20c3a08c2d8dae292297fcf23ccf3fecaf8ca333
SHA256 e799ffe111475c4d31823984eb2a40932582e4252749c4772b1f3bed3a05df5b
SHA512 cf6a1beae46244213f46fe239c2a50e69baf5cdd1926c367e490cd52ca54279e55b0933e871467a3d1d7eb3e3c48e03dd85b0f28694a847e656ee0be711adc67

C:\Windows\system\jUUNAlD.exe

MD5 bef84db28792f01304b82832549579e7
SHA1 9e8bd0701b9f0a6f10a513c26d5a85e76cd1fd0f
SHA256 11af87cb694403125c6f635770a5587909c475e3ecd5513c42b861a4b3733354
SHA512 ac42a9d342f5aa9fc3375d5d5822459ab7e93fb3203a36269d0974a7729a03134cf0393764368b2a6ae7ab536ea08aac9fc40e5aebe882a76446a5ab989415d5

C:\Windows\system\QrtpjJe.exe

MD5 7f2ed0bebde9c5737251ce60b2a848e6
SHA1 810edbef9a01be89978c02e2722cb3194a23fb25
SHA256 ba73d0db475a1255bcc600e6fd7e519635728ae460bb92bfcfe26fcb2ccf8380
SHA512 7093e53e507d17d031657490985e8619c803a37b8031a42582a05a45dbd732db3d4d314ac629d8a4b0838d2abf526483516282424460d9ad00fa5216445f0924

C:\Windows\system\GGmDkgk.exe

MD5 9f5c31067a735863cc83254002bc42d6
SHA1 748124b641b3518994f4e860f7ce1ac0c1e639cc
SHA256 466577e0b239ea828625b5c73dc29ce8b5c36aa36c413bb91bba41e560da4ed9
SHA512 6b101872ac5a60cd6fdfa42e66d0169771e895ae7428f7ec299e31bcb6f4fe2b5bab941fff723ea76f4f977d47baa8eac28a7c96eb04b234eea7639f14ab4208

C:\Windows\system\MGiHwhD.exe

MD5 75288d9b261bc4eceb73817274f01f4d
SHA1 717ad0c613f33a3e9feb00ab776ac733211be02f
SHA256 bfcb88bad9eaceccef1a9400829ee2c836a8716e715f603e8f1068216d3a83a9
SHA512 06f993a6cbf100a70ea5e7d11142daf45d41bd25b84f92ff024c65c32055f58ee56d4ed8ef8502060d8a7a74d05e8947da68eb41542442948adfbd53f4e9183c

memory/1040-103-0x000000013FD80000-0x00000001400D4000-memory.dmp

C:\Windows\system\fMKZYBv.exe

MD5 e2046c72d782c876c4fee2557aa34cdb
SHA1 254d163b175726603915811b1696ece77954ecd0
SHA256 cf763a0b53df35ebd3dd440eb45cf1846ad858a0e8c367b7ca6ded513d09c593
SHA512 54f20af881e825b98fd8ec3042d1075219cff4d197c802ef18baf1756dd1e172700f58472ef70a15ee6733893b973af1a7b22c1c17853fd402bfa57ab45afed5

C:\Windows\system\FDZRwPg.exe

MD5 3d28da75a2d028debe41f8c2c1284b8a
SHA1 8d21e010d94f6f355a24fcc9d68a3f464396a1c6
SHA256 5a3723d5af8058fb4390e924a2a44d15eb33754aaf662934c1b0253e3ecef473
SHA512 206907406dea85a14882cbfd813a502041e37584e7f7089baea174b948c4e10c9089a6cd369912f11cecaf53d99b61f88286093e77509fc8ba0b6aa645a6d13f

memory/1040-96-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2392-92-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/2480-91-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2468-90-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/2484-88-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/1040-87-0x0000000002400000-0x0000000002754000-memory.dmp

memory/1040-86-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/1040-85-0x0000000002400000-0x0000000002754000-memory.dmp

memory/1040-84-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2800-83-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2368-82-0x000000013F5B0000-0x000000013F904000-memory.dmp

C:\Windows\system\dlwufFf.exe

MD5 d15be0a4573ec4d4366e7f9098c41c20
SHA1 c5b2db009d6c98f0c576c6daa894725ed3ba4d22
SHA256 d94008010ccffc6a62988af4cd3e56f58a285a56702481af558751d740fd3e33
SHA512 e8160c004f28afb4c86780dd2f4b58d4a07bceec27c39b5a6e8f9a73176b58c6f15faf12bf1be7ee70a8b3414dfeac6b8f73710360bc5819e9a4b6af9932cb9a

memory/1040-79-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2612-78-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/1040-77-0x000000013FAD0000-0x000000013FE24000-memory.dmp

C:\Windows\system\QweDVWB.exe

MD5 2dbdeede53f76a241774b4aa10970a1b
SHA1 8f28a5d5b842fa70686c1b189615b4f4432e272b
SHA256 e5f46d078d8b19d79f9283181f5afe49dc669d1f049f8fc31ab6b125f0cca2c4
SHA512 8686e3cd5c1b48be401d617386a5d3b1c3f3938c98d4d494d20734d536e05fd7f3c76f1bef0d30f6430789b2f49141d7bab5a16031f83b8ace338acc64050a1b

memory/1040-74-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2836-73-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/1040-72-0x0000000002400000-0x0000000002754000-memory.dmp

C:\Windows\system\IRofdaI.exe

MD5 3f77c66fc4b81c9e2658d6e867c92773
SHA1 2ceb38027761bdfae36a0b21f752057eb561f251
SHA256 42c4f7b67ba67c0afbbafbc499720551f74bf20a082ed69f482c111bc57d9c8d
SHA512 48da80d070a4b897986b5b426bbcba9b51194a66117a5a5634b9650f6f95610d937ea2a24eee576e2674ada05f2977bb9325c9db13355bc9aa398b75ad401665

memory/1040-69-0x000000013FAB0000-0x000000013FE04000-memory.dmp

C:\Windows\system\maSxhUq.exe

MD5 65e54df9418ed46201e7f7b5c524ddc2
SHA1 a09e43e985aa371eb9814c26cf10f8fd1970ba6f
SHA256 5103edd965f4ef1db6a71f5edf776aebfc2d04f74908e2ac948882785a20f014
SHA512 2090505498d77163607cfc33167bafebbfb8cd634a4656c7a7f94a6dd46d4425c6a34b826fe18a59b7845a9b8e68ada149a660fb8698021b4abbf42fb96fb22d

C:\Windows\system\roaTzEn.exe

MD5 c1bc018f1261b5efba7b5526f5f8d15e
SHA1 535b66fd9a7b515f2800f108d467a401df557f79
SHA256 0027a1a594644e841e50a826b71ffe89e4881a294933c749c5cfa7c4f3910759
SHA512 4b6bef134db1585521d1c34490301af153930c01edc1a653e46eb5e9cec66d6714719a89f96a81e3f403ada31906292f57d6200fe2715671c85ea74ebea1ea2b

memory/2520-65-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/1040-63-0x0000000002400000-0x0000000002754000-memory.dmp

memory/1040-32-0x0000000002400000-0x0000000002754000-memory.dmp

memory/1040-136-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/1040-138-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2476-137-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2392-139-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/2608-140-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2176-141-0x000000013F360000-0x000000013F6B4000-memory.dmp

memory/2516-142-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2520-144-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2476-143-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2836-145-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2484-146-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2612-147-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2368-148-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2800-149-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2356-150-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2468-151-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/2480-152-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2608-154-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2392-153-0x000000013FAD0000-0x000000013FE24000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 15:46

Reported

2024-06-01 15:48

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical N/A rows: the report records no description, indicator, process or target for any of these matches)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical N/A rows: the report records no description, indicator, process or target for any of these matches)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 identical N/A rows: the report records no description, indicator, process or target for any of these matches)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical N/A rows: the report records no description, indicator, process or target for any of these matches)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical N/A rows: the report records no description, indicator, process or target for any of these matches)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QYbPNBa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ysySpJi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AShhnUq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AUVgssg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UnVECpf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MdWcfrp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XgLWTLw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\peJinwD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dXKvpCJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sAYglrA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gPbNcbb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vAawDOQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\usDPIBy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DJajXhq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zIVTQvK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LzGuhle.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JRPCTVe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OuXkPQY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RcUiXPJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VeWZenv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nMlNCZs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4556 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\AUVgssg.exe
PID 4556 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\AUVgssg.exe
PID 4556 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\RcUiXPJ.exe
PID 4556 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\RcUiXPJ.exe
PID 4556 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\UnVECpf.exe
PID 4556 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\UnVECpf.exe
PID 4556 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\vAawDOQ.exe
PID 4556 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\vAawDOQ.exe
PID 4556 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\usDPIBy.exe
PID 4556 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\usDPIBy.exe
PID 4556 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\MdWcfrp.exe
PID 4556 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\MdWcfrp.exe
PID 4556 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\DJajXhq.exe
PID 4556 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\DJajXhq.exe
PID 4556 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\XgLWTLw.exe
PID 4556 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\XgLWTLw.exe
PID 4556 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\peJinwD.exe
PID 4556 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\peJinwD.exe
PID 4556 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\zIVTQvK.exe
PID 4556 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\zIVTQvK.exe
PID 4556 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\dXKvpCJ.exe
PID 4556 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\dXKvpCJ.exe
PID 4556 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\VeWZenv.exe
PID 4556 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\VeWZenv.exe
PID 4556 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\QYbPNBa.exe
PID 4556 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\QYbPNBa.exe
PID 4556 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\LzGuhle.exe
PID 4556 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\LzGuhle.exe
PID 4556 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\JRPCTVe.exe
PID 4556 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\JRPCTVe.exe
PID 4556 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\sAYglrA.exe
PID 4556 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\sAYglrA.exe
PID 4556 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\AShhnUq.exe
PID 4556 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\AShhnUq.exe
PID 4556 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\ysySpJi.exe
PID 4556 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\ysySpJi.exe
PID 4556 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\nMlNCZs.exe
PID 4556 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\nMlNCZs.exe
PID 4556 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\OuXkPQY.exe
PID 4556 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\OuXkPQY.exe
PID 4556 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPbNcbb.exe
PID 4556 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe C:\Windows\System\gPbNcbb.exe
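The two tables above describe one behaviour from two angles: the sample (PID 4556) writes 21 executables with seven-letter random names into C:\Windows\System, then writes into the memory of each child it launches from them (the SeLockMemoryPrivilege requests above are what XMRig asks for to use large-page memory). As an added example, not part of the sandbox report, the script below cross-checks the two tables and turns the naming scheme into a reusable check. The data is transcribed from the tables above as a constructed sample; the seven-letter naming heuristic and the Sigma-style field name are assumptions, not rules stated in the report.

```python
import re

# Constructed sample, transcribed from the "Drops file in Windows directory"
# table above: the 21 "File created" targets, base names only (all share DROP_DIR).
DROP_DIR = r"C:\Windows\System"
DROPPED = [
    "QYbPNBa.exe", "ysySpJi.exe", "AShhnUq.exe", "AUVgssg.exe", "UnVECpf.exe",
    "MdWcfrp.exe", "XgLWTLw.exe", "peJinwD.exe", "dXKvpCJ.exe", "sAYglrA.exe",
    "gPbNcbb.exe", "vAawDOQ.exe", "usDPIBy.exe", "DJajXhq.exe", "zIVTQvK.exe",
    "LzGuhle.exe", "JRPCTVe.exe", "OuXkPQY.exe", "RcUiXPJ.exe", "VeWZenv.exe",
    "nMlNCZs.exe",
]

# Constructed sample, transcribed from the "Suspicious use of WriteProcessMemory"
# table: (child pid, target image).  Every pair appears twice in the report
# (two writes into each child); the duplicate rows are collapsed here.
PARENT_PID = 4556
WPM = [
    (2104, "AUVgssg.exe"), (3592, "RcUiXPJ.exe"), (3932, "UnVECpf.exe"),
    (1716, "vAawDOQ.exe"), (3468, "usDPIBy.exe"), (1280, "MdWcfrp.exe"),
    (1112, "DJajXhq.exe"), (920, "XgLWTLw.exe"), (2476, "peJinwD.exe"),
    (2200, "zIVTQvK.exe"), (3868, "dXKvpCJ.exe"), (2232, "VeWZenv.exe"),
    (4992, "QYbPNBa.exe"), (1608, "LzGuhle.exe"), (2896, "JRPCTVe.exe"),
    (3796, "sAYglrA.exe"), (1372, "AShhnUq.exe"), (5108, "ysySpJi.exe"),
    (4148, "nMlNCZs.exe"), (3660, "OuXkPQY.exe"), (2980, "gPbNcbb.exe"),
]

# Heuristic derived from the names above (an assumption, not a rule stated in
# the report): seven ASCII letters plus ".exe", written to C:\Windows\System,
# the legacy directory rather than System32.  Compared case-insensitively
# because the two runs spell the directory "System" and "system".
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")


def is_suspicious_drop(path: str) -> bool:
    """True when an image path matches the dropper's naming scheme seen in this report."""
    directory, _, name = path.rpartition("\\")
    return directory.lower() == DROP_DIR.lower() and RANDOM_NAME.match(name) is not None


def correlate(dropped, wpm):
    """Cross-check the two tables: every child written into should be a dropped
    file, and every dropped file should have been written into (i.e. launched)."""
    dropped_set = {n.lower() for n in dropped}
    written_set = {n.lower() for _, n in wpm}
    return {
        "dropped_not_written": dropped_set - written_set,
        "written_not_dropped": written_set - dropped_set,
        "children": len({pid for pid, _ in wpm}),
        "all_match_pattern": all(is_suspicious_drop(f"{DROP_DIR}\\{n}") for n in dropped),
    }


def sysmon_file_create_selection():
    """Field/value pair for a Sysmon Event ID 11 (FileCreate) rule in Sigma style;
    the field name and the '|re' modifier follow Sigma's Sysmon mapping (assumed)."""
    return {"TargetFilename|re": r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$"}


if __name__ == "__main__":
    for key, value in correlate(DROPPED, WPM).items():
        print(f"{key}: {value}")
    print(sysmon_file_create_selection())
```

For this report the two sets coincide exactly: all 21 dropped files are written into and launched, none is left unused, and every name fits the seven-letter pattern. The same check applied to the behavioral1 run (lowercase C:\Windows\system\) also matches, which is why the directory comparison ignores case.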

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\AUVgssg.exe

C:\Windows\System\AUVgssg.exe

C:\Windows\System\RcUiXPJ.exe

C:\Windows\System\RcUiXPJ.exe

C:\Windows\System\UnVECpf.exe

C:\Windows\System\UnVECpf.exe

C:\Windows\System\vAawDOQ.exe

C:\Windows\System\vAawDOQ.exe

C:\Windows\System\usDPIBy.exe

C:\Windows\System\usDPIBy.exe

C:\Windows\System\MdWcfrp.exe

C:\Windows\System\MdWcfrp.exe

C:\Windows\System\DJajXhq.exe

C:\Windows\System\DJajXhq.exe

C:\Windows\System\XgLWTLw.exe

C:\Windows\System\XgLWTLw.exe

C:\Windows\System\peJinwD.exe

C:\Windows\System\peJinwD.exe

C:\Windows\System\zIVTQvK.exe

C:\Windows\System\zIVTQvK.exe

C:\Windows\System\dXKvpCJ.exe

C:\Windows\System\dXKvpCJ.exe

C:\Windows\System\VeWZenv.exe

C:\Windows\System\VeWZenv.exe

C:\Windows\System\QYbPNBa.exe

C:\Windows\System\QYbPNBa.exe

C:\Windows\System\LzGuhle.exe

C:\Windows\System\LzGuhle.exe

C:\Windows\System\JRPCTVe.exe

C:\Windows\System\JRPCTVe.exe

C:\Windows\System\sAYglrA.exe

C:\Windows\System\sAYglrA.exe

C:\Windows\System\AShhnUq.exe

C:\Windows\System\AShhnUq.exe

C:\Windows\System\ysySpJi.exe

C:\Windows\System\ysySpJi.exe

C:\Windows\System\nMlNCZs.exe

C:\Windows\System\nMlNCZs.exe

C:\Windows\System\OuXkPQY.exe

C:\Windows\System\OuXkPQY.exe

C:\Windows\System\gPbNcbb.exe

C:\Windows\System\gPbNcbb.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
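The only destination the sample reaches directly is 3.120.209.58:8080 over TCP (six connections), and the table contains no forward DNS query at all; every UDP row is a reverse (PTR) lookup under in-addr.arpa, and none of them concerns that address. As an added example, not part of the sandbox report, the script below separates the table into PTR lookups and direct connections and flags TCP destinations that were reached without any name resolution in the capture. The rows are transcribed from the table above as a constructed sample; treating such a destination as a hard-coded address is a heuristic assumption, since the table records query names but not answers.

```python
from collections import Counter

# Constructed sample: the Network table above, transcribed row by row as
# "country destination [domain] proto"; the tcp rows carry no domain.
NETWORK_TABLE = """
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """Yield (country, destination, domain or None, proto) for each table row."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        yield country, dest, domain, proto


def ptr_to_ip(name):
    """'154.239.44.20.in-addr.arpa' -> '20.44.239.154' (PTR names store the
    octets reversed); None for anything that is not a well-formed IPv4 PTR name."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def summarize(text):
    """Split the table into reverse-DNS activity and direct connections.
    A direct TCP destination is reported as 'direct_to_ip_suspected' only when
    the capture holds no forward lookup at all; with forward lookups present the
    query names alone cannot bind a name to an address (heuristic assumption)."""
    ptr_targets, forward_names, direct_tcp = set(), set(), Counter()
    for _country, dest, domain, proto in parse_rows(text):
        if proto == "udp" and dest.endswith(":53") and domain:
            ip = ptr_to_ip(domain)
            if ip:
                ptr_targets.add(ip)
            else:
                forward_names.add(domain)
        elif proto == "tcp" and domain is None:
            direct_tcp[dest] += 1
    suspected = set(direct_tcp) if not forward_names else set()
    return {
        "ptr_targets": ptr_targets,          # addresses the sandbox looked up in reverse
        "forward_names": forward_names,      # A/AAAA-style query names (none here)
        "direct_tcp": direct_tcp,            # destination -> connection count
        "direct_to_ip_suspected": suspected,
        "ptr_seen_for_direct": {d for d in direct_tcp if d.rsplit(":", 1)[0] in ptr_targets},
    }


if __name__ == "__main__":
    for key, value in summarize(NETWORK_TABLE).items():
        print(f"{key}: {value}")
```

On this table the result is twelve distinct PTR targets, no forward names, and a single direct destination hit six times, which is the pattern of a beacon or miner that carries its server address rather than resolving one. A block on 3.120.209.58:8080 and an alert on outbound TCP to a raw IP on port 8080 from a binary under C:\Windows\System are the immediate takeaways.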

Files

memory/4556-0-0x00007FF797C00000-0x00007FF797F54000-memory.dmp

memory/4556-1-0x0000021328C60000-0x0000021328C70000-memory.dmp

C:\Windows\System\AUVgssg.exe

MD5 ffa1d555f8061e94d4858c916bf26490
SHA1 774ceab6cf30922a4cd8edd8a9a3af5086df8ec0
SHA256 65ac88bc9ab0d2888d14d105006bffd08aec3faf1f94b6991c8e00715e1e0896
SHA512 57e2e593f75c87e5d5723699da016ec3cd6afb9f43bc7f6655982062fb462a99fbedc75d0e5a49df3fd7fc088f95a1fa517d068c59f882ca63daa13428754d14

memory/2104-8-0x00007FF717750000-0x00007FF717AA4000-memory.dmp

C:\Windows\System\RcUiXPJ.exe

MD5 e3954c990835b212bfeda0784cfde775
SHA1 0658b8ccf17a829a20efcf3f3a3664b9c2535101
SHA256 1bb08e3b0cd8679f6dd56b3adae901d7c007a752eab0db556e19a11fd9a7e3f0
SHA512 47f06ab1faa30ff5c5f8dce38d2f8c7c516f88d841b1565a1f8b7b8dfb89f657f556029d031992ccf7bdec6f78e46edd216493a31af15dc6d92ad216c9b87490

C:\Windows\System\UnVECpf.exe

MD5 e30bdd061dd80f4d4c2d0c59e13a8eff
SHA1 c3dc49300a0fbc1b7fd19716c2f807a908f27a92
SHA256 9e606e5ee8ac2d935a770e8c41c59dab35d0a370c02e91e4603895ed52a45b8a
SHA512 c58336c00c50690e086924983a162a0ded901b8f082fb08f178d8f310f525a9d419ef84a5519b9e6d2e70c16b8c6bd3a73264d1ca42e340128a5a2f5b462ca0f

memory/3592-14-0x00007FF794420000-0x00007FF794774000-memory.dmp

memory/3932-25-0x00007FF6C7E60000-0x00007FF6C81B4000-memory.dmp

memory/1716-26-0x00007FF6FE6D0000-0x00007FF6FEA24000-memory.dmp

C:\Windows\System\usDPIBy.exe

MD5 83cc3db8cbbe155a9224ac7a4d069ab3
SHA1 b0ac0906d7e55af0eb11ce7aa295ed9a3940b0d8
SHA256 7e393af83a3d2485f4cc90aa86d32abc38029b439a7f3acd4e167108bb888303
SHA512 e76159d55e7539d2cfc31f11d4e691ebe034bfd85cbd0dbd81ba0cf845f70a5d37e87217f3887be07034c6a52597b89ff759e4387941824eb4440ed8974619e5

memory/1280-40-0x00007FF75D050000-0x00007FF75D3A4000-memory.dmp

C:\Windows\System\XgLWTLw.exe

MD5 8b93fdd9babbb3cd8a11d5dbbdf23ba5
SHA1 44786c076fc300a259d2820fc0c7dd333f51eb68
SHA256 6727fa8f7de75fc161f40791026ce1e6d363dee9fefbb3113e9d2708a295f417
SHA512 f08cc2bbf1ce526ff3ee8f2f81a2b056e4c7802d24cfd1ed030e79e8bca39324c59e48689f1943dad099c37b5d6e06e332bffa27cae768e185780ee8fe6888d6

memory/920-51-0x00007FF7CC720000-0x00007FF7CCA74000-memory.dmp

C:\Windows\System\peJinwD.exe

MD5 4b0d6426a8c81a3f575afa4653b2fb67
SHA1 591391d355ef75d3378eb3b88a0a3a9a269dd3cf
SHA256 973cc5e702bd87b0e1b472756ed7ff42c04bd6ea2a33a221a00ee3c67d6a3c33
SHA512 fb5f0bfacc56b2596892225b10e37f050edd1ec81ed40f73129e0a8afb0eab66903babc356785150a1f45b288f6659ce06b42f89910394fd82bd81622c2cf237

C:\Windows\System\dXKvpCJ.exe

MD5 ab1cd754d9bf651e00d158d001cf23e4
SHA1 7c5afe944125ae318a49a9da6d3df2bad691fa6b
SHA256 5aa508b18c87cee9e7d82ef1055ba5a1f793f8a240f24f71e577c036e459862f
SHA512 c72ef1731163ea9e37cdf50b4d30b84bc2e00d341eee4b3f4bc80565caac415f311e85097cc89eaa46dbbe844514ec35f31b209ab780afe6348715f2685f206d

C:\Windows\System\VeWZenv.exe

MD5 726bb16216bdde8b98c2d17d7aea4cf8
SHA1 b356d7a5dc29ae3100d2e942d7e594b44aac5294
SHA256 e1e04b223d1a62cfc53a3816020a91bd2e4c38f61836bb18b1d0669a21fff170
SHA512 c6bf37407eb0f33ab47099542242011975fa8ac4930f4e119a33cb58fafb402e62ff702852927f27d5c18643b0567c64c35266ddbdd9f203e92e038b581fe8b3

C:\Windows\System\QYbPNBa.exe

MD5 2249395465a62e82f52a23a1274dec85
SHA1 ebe3db65ca799e49bd0b8ef6c37871445fe00b24
SHA256 642dd174c99a3294d3751befc7345185693d346b9093dc98ba6eab7a67bb99da
SHA512 a01c9f8f6a538b9798a0edfb565560841757735711ad532697186ccce636bffd7cb1d25e911edbf001fccb1429af47b713e5722664b37690e5da9a9682432a6d

C:\Windows\System\ysySpJi.exe

MD5 0ae4b7d1a100c0fcab6f634540345a29
SHA1 7090bb47b9901e82bf44906650fea02aea30c88a
SHA256 b4380f292442bae520c22e5f234c87931e43569488252a93456d108ef60d017c
SHA512 15cf3fb1be5e0e4411b37d092f46b334b831fa05cff659450811e7e39a01ef3d9ac8cc8c425fc062087fd2b38b0727bd687a20dcae09678b169668a081376de2

C:\Windows\System\OuXkPQY.exe

MD5 4b77ba11a33f54f88bd46f63e477634d
SHA1 5643af55c009031ad204482ce394b41c969de46d
SHA256 27f02a6479895d8ef351bd0d7afb3b68388e59792e2eccf1801e09e3a24077ab
SHA512 3c0bc902862ce2da564b2908d9ef1d32c409387289cc02d584898380df3753db46378a9e1f56daed1eba40cff4b15210ed9135d93d0518fc719d1301d2b06d26

C:\Windows\System\gPbNcbb.exe

MD5 f71362d87081caaf964403a1ed53a811
SHA1 a504a05127e1f75384343264857a2b5eba1ea061
SHA256 a8bc193b59906e8d5e2703f107621882f87b8333a6e1eb837141a0e16a4434ca
SHA512 e3e7f06a6c977a78218d6a7561e2dcbe5a146202ba52508cd40c7b6636ec1af502d679fd04048ce6339f36361190d3034cd5733a74d3f01425f1777016f792f4

C:\Windows\System\nMlNCZs.exe

MD5 6733c8d6828908e29075e9282788543d
SHA1 73b6c6209ad488d98d14e7006f4a2e7826f4bc32
SHA256 ce899a153498ad415f3755645d2c2dabad59152d50a92a5a0cf1002c7c1f3a2c
SHA512 6eaed27ac56485a3c55d4fd5e2586b18f6f81bcbfdc28a205b5b8f67c49d6ddf14d24cab330ebfe1b36c96ae965bc68db2bc42fc72b9475b541fe80c979291c2

C:\Windows\System\AShhnUq.exe

MD5 837e44a635329d5d83f2edc3d1da1789
SHA1 03b0e30965c8085e1a7063bb044bf8839c3e2616
SHA256 f7716fae41b5b54b2b2745cae84fde9fb1d912bf352a755fd2e6223d66c3c4ef
SHA512 f47a8a7a8f3234624d565f7f332c2044c739ced8d03a3d85609904a0eed483643465051d8832da5cdfb940fe792524f8d9c7dc09b1c283bfa9b095d2fc6d954f

C:\Windows\System\sAYglrA.exe

MD5 376934bb8fdfaf9ef196779ca2688550
SHA1 fa4eb13d1c1b12be6de6e59124ef891d5290dcea
SHA256 caaad13d1192861afb891c07dd658b87550b01589612011ea96492e3e0e0516e
SHA512 c2156c9f2c1ef1c0c4036ba3c410b28e8e831bbfac99ce1db1cf6efe989ca3bfa005489c3d1dbb6ec4d9e5b2cf4185699e37daa40aa2c9856eff12bd10c03c47

C:\Windows\System\JRPCTVe.exe

MD5 300e7aa5b3dc5da22b6278a481de821a
SHA1 54a9fefbba0cbf790e1dab4b3c284cadf64caecf
SHA256 729c40a80d415e11e163e0f6cbacaf8103a6800d96187db037a076c5bed64c95
SHA512 03ab6121a3bec916bbcda858a950a78e0e1dba2e889389f3e1d7ea4586cd050e5f994357775ff1276f17bc44d6046d48b5c5c5c95554c8e1b268c342c2dcd7b8

C:\Windows\System\LzGuhle.exe

MD5 edd7e95bd83a9792bdad1f0a504a2e9c
SHA1 6c29ba84d50bdfce298cfae87874b107a4c191a6
SHA256 bb8936d306955437c9955d35bea14d183e76cffe0ed0f0b0e7e59f076242923f
SHA512 33b33db8d841a098f63a2786b3b6b1c96abf8df492d5059782a350be570ee7e3774edcf7484e103ff7023f5281de19972a9be2251ae20f85047decccec0076bb

memory/3868-66-0x00007FF61FC70000-0x00007FF61FFC4000-memory.dmp

C:\Windows\System\zIVTQvK.exe

MD5 3930e87d2a327a51e228af54f2435bed
SHA1 64ff5b4cca483bb80fabac1cc4f583a2e3d5652c
SHA256 d11f9a853db0947a1d0764c58d9128e9a5d27f21b1a98213e970773692098fb7
SHA512 229ba4b8d42c94df0e78040c88df126281145974ecd3023dc444149f5024a8df888b9fd10a28cd25ca1770d7d2ae52b5b6670541b529e9d595602e9233fa935f

memory/2200-62-0x00007FF7A8D60000-0x00007FF7A90B4000-memory.dmp

memory/2476-56-0x00007FF72DC30000-0x00007FF72DF84000-memory.dmp

memory/1112-46-0x00007FF77A8E0000-0x00007FF77AC34000-memory.dmp

C:\Windows\System\DJajXhq.exe

MD5 f18cfa34338edcd8d9e1b30d45a9b379
SHA1 7e92c3934c00e6aeb5b55f2ae01316ba0a49c501
SHA256 eda458d230fa721149f3945d8b8e173aecb84ffd03d6bf99c4e9498d4c9b3516
SHA512 a39135cb460008658e9b9712cb8794748df99a37ba98fc6059336a513290c562e58b1da84e1d120e11e02019fe3c1a20ff6ab4327105944344d61302b37e740e

memory/3468-41-0x00007FF7B45A0000-0x00007FF7B48F4000-memory.dmp

C:\Windows\System\MdWcfrp.exe

MD5 9317eb88cd3e47d911ca86f056014caf
SHA1 f69538e8e7f75b9af5f05d004c4445c37b52c387
SHA256 90bc643246467f6fa0ca14341c68bf9a5da4cec84bdcdbb00e1f4439b11ac81a
SHA512 22cb6a82b3d50d7208ac3e5a644c3f47c750245777111926530d373f92240ce8e5742647b16bcf9be7aff7f43d319366561f895268db06f534397b908840f5f6

C:\Windows\System\vAawDOQ.exe

MD5 1b588d81629f07d1a862ba5a014c4a55
SHA1 4721d5365e1724043c5e48d3dfa672d20e75810d
SHA256 087b289dcb063c2420322e048fbb9a467a8f3aff3cfd76c23848ba2c3426a44c
SHA512 3e47c56f03cc1c00ea3205c6ffa312be325bccb0b1349c644e5ee1706a43c4ca591dd24e613361bd9970562f182c4b55a719e83f812edb596224eaf7b1b5b913

memory/4992-119-0x00007FF6F49F0000-0x00007FF6F4D44000-memory.dmp

memory/2896-121-0x00007FF6005D0000-0x00007FF600924000-memory.dmp

memory/3796-122-0x00007FF6E40F0000-0x00007FF6E4444000-memory.dmp

memory/1372-123-0x00007FF784AC0000-0x00007FF784E14000-memory.dmp

memory/5108-124-0x00007FF7AEE80000-0x00007FF7AF1D4000-memory.dmp

memory/1608-120-0x00007FF693EC0000-0x00007FF694214000-memory.dmp

memory/3660-126-0x00007FF64BE70000-0x00007FF64C1C4000-memory.dmp

memory/2980-127-0x00007FF716A40000-0x00007FF716D94000-memory.dmp

memory/4148-125-0x00007FF72EF10000-0x00007FF72F264000-memory.dmp

memory/2232-118-0x00007FF61FF50000-0x00007FF6202A4000-memory.dmp

memory/4556-128-0x00007FF797C00000-0x00007FF797F54000-memory.dmp

memory/2104-129-0x00007FF717750000-0x00007FF717AA4000-memory.dmp

memory/3592-130-0x00007FF794420000-0x00007FF794774000-memory.dmp

memory/1112-131-0x00007FF77A8E0000-0x00007FF77AC34000-memory.dmp

memory/920-132-0x00007FF7CC720000-0x00007FF7CCA74000-memory.dmp

memory/2476-133-0x00007FF72DC30000-0x00007FF72DF84000-memory.dmp

memory/2200-134-0x00007FF7A8D60000-0x00007FF7A90B4000-memory.dmp

memory/3868-135-0x00007FF61FC70000-0x00007FF61FFC4000-memory.dmp

memory/2104-136-0x00007FF717750000-0x00007FF717AA4000-memory.dmp

memory/3592-137-0x00007FF794420000-0x00007FF794774000-memory.dmp

memory/3932-138-0x00007FF6C7E60000-0x00007FF6C81B4000-memory.dmp

memory/1716-139-0x00007FF6FE6D0000-0x00007FF6FEA24000-memory.dmp

memory/1280-140-0x00007FF75D050000-0x00007FF75D3A4000-memory.dmp

memory/3468-141-0x00007FF7B45A0000-0x00007FF7B48F4000-memory.dmp

memory/1112-142-0x00007FF77A8E0000-0x00007FF77AC34000-memory.dmp

memory/920-143-0x00007FF7CC720000-0x00007FF7CCA74000-memory.dmp

memory/2476-144-0x00007FF72DC30000-0x00007FF72DF84000-memory.dmp

memory/2200-145-0x00007FF7A8D60000-0x00007FF7A90B4000-memory.dmp

memory/2232-146-0x00007FF61FF50000-0x00007FF6202A4000-memory.dmp

memory/2896-148-0x00007FF6005D0000-0x00007FF600924000-memory.dmp

memory/1608-147-0x00007FF693EC0000-0x00007FF694214000-memory.dmp

memory/4992-149-0x00007FF6F49F0000-0x00007FF6F4D44000-memory.dmp

memory/2980-150-0x00007FF716A40000-0x00007FF716D94000-memory.dmp

memory/5108-154-0x00007FF7AEE80000-0x00007FF7AF1D4000-memory.dmp

memory/3796-155-0x00007FF6E40F0000-0x00007FF6E4444000-memory.dmp

memory/1372-153-0x00007FF784AC0000-0x00007FF784E14000-memory.dmp

memory/4148-152-0x00007FF72EF10000-0x00007FF72F264000-memory.dmp

memory/3660-151-0x00007FF64BE70000-0x00007FF64C1C4000-memory.dmp

memory/3868-156-0x00007FF61FC70000-0x00007FF61FFC4000-memory.dmp
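The memory/ entries are the sandbox's dumps of mapped regions, named by pid, sequence number and address range. The 21 dropped files all have different hashes, but the ranges show something the hashes hide: the parent and every child map exactly one region of the same size. As an added example, not part of the report, the script below parses a subset of the entries above (copied verbatim, labelled as a constructed sample) and groups them by region size. The name format is inferred from the entries themselves; the page does not document it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the memory/ entries listed above, copied
# verbatim.  Format "memory/<pid>-<seq>-<start>-<end>-memory.dmp" is assumed.
SAMPLE_DUMPS = [
    "memory/4556-0-0x00007FF797C00000-0x00007FF797F54000-memory.dmp",
    "memory/4556-1-0x0000021328C60000-0x0000021328C70000-memory.dmp",
    "memory/2104-8-0x00007FF717750000-0x00007FF717AA4000-memory.dmp",
    "memory/3592-14-0x00007FF794420000-0x00007FF794774000-memory.dmp",
    "memory/3932-25-0x00007FF6C7E60000-0x00007FF6C81B4000-memory.dmp",
    "memory/1716-26-0x00007FF6FE6D0000-0x00007FF6FEA24000-memory.dmp",
    "memory/1280-40-0x00007FF75D050000-0x00007FF75D3A4000-memory.dmp",
    "memory/4556-128-0x00007FF797C00000-0x00007FF797F54000-memory.dmp",
    "memory/2104-129-0x00007FF717750000-0x00007FF717AA4000-memory.dmp",
    "memory/2104-136-0x00007FF717750000-0x00007FF717AA4000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Return (pid, seq, start, end) with integer addresses, or None if the
    name does not follow the assumed format."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def region_sizes(names):
    """Map region size (bytes) -> set of pids that had a dump of that size."""
    sizes = defaultdict(set)
    for name in names:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        pid, _, start, end = parsed
        sizes[end - start].add(pid)
    return dict(sizes)


def dumps_per_pid(names):
    """pid -> (number of dumps, number of distinct regions).  Several dumps of
    one region are the sandbox snapshotting the same image at different times."""
    count, regions = Counter(), defaultdict(set)
    for name in names:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        pid, _, start, end = parsed
        count[pid] += 1
        regions[pid].add((start, end))
    return {pid: (count[pid], len(regions[pid])) for pid in count}


def shared_image_size(names):
    """The one region size present in every pid, or None if there is no single
    such size.  A shared size across parent and all children is consistent with
    the same image being dropped 21 times with per-copy byte changes."""
    sizes = region_sizes(names)
    all_pids = {pid for pids in sizes.values() for pid in pids}
    common = [size for size, pids in sizes.items() if pids == all_pids]
    return common[0] if len(common) == 1 else None


if __name__ == "__main__":
    for size, pids in sorted(region_sizes(SAMPLE_DUMPS).items()):
        print(f"0x{size:X} ({size} bytes): pids {sorted(pids)}")
    print("shared image size:", hex(shared_image_size(SAMPLE_DUMPS)))
```

Every pid in the subset, and in fact every pid on the page, maps a 0x354000-byte (3,489,792) region; only the parent 4556 has a second, 0x10000-byte region. The same size recurs in the behavioral1 dumps (for example 0x13FD70000 to 0x1400C4000), so both runs load the same-sized image, which is what one expects when the differing hashes come from per-copy byte changes rather than different payloads.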