Malware Analysis Report

2025-01-22 19:53

Sample ID 240601-syvj8sff6t
Target 2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike
SHA256 80e709b4318afc6b0ca242dfecc3c3f66f07e8d914aa735190721da31f080762
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

80e709b4318afc6b0ca242dfecc3c3f66f07e8d914aa735190721da31f080762

Threat Level: Known bad

The file 2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

Xmrig family

Cobaltstrike

Cobalt Strike reflective loader

Cobaltstrike family

UPX dump on OEP (original entry point)

xmrig

Detects Reflective DLL injection artifacts

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 15:32

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 15:32

Reported

2024-06-01 15:35

Platform

win7-20240419-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows; no description, indicator, process or target recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows; no description, indicator, process or target recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(60 identical rows; no description, indicator, process or target recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows; no description, indicator, process or target recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
(21 identical rows; the sample process loaded a dropped DLL 21 times, no indicator or target recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(60 identical rows; no description, indicator, process or target recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\XxvXbbC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hVwNcuE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YcgVupJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fvfucdC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VnZcCnG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KRbGAAU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zVHSqqX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Bvbefiu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rxGmciP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WfUMnzy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rNLXeXC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jyYblqv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QJNvgQL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rfSDpjK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nRBEIxO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zqfwnJi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OOocGlp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xwIzOVF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uZhzauc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JkHtGQT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aLexKiE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
(2 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each row below was recorded 3 times; the writing process is always the sample, PID 2288)
PID 2288 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\KRbGAAU.exe
PID 2288 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zVHSqqX.exe
PID 2288 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\QJNvgQL.exe
PID 2288 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\rfSDpjK.exe
PID 2288 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\Bvbefiu.exe
PID 2288 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\nRBEIxO.exe
PID 2288 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZhzauc.exe
PID 2288 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\JkHtGQT.exe
PID 2288 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\XxvXbbC.exe
PID 2288 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\fvfucdC.exe
PID 2288 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\aLexKiE.exe
PID 2288 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VnZcCnG.exe
PID 2288 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\rxGmciP.exe
PID 2288 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\WfUMnzy.exe
PID 2288 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqfwnJi.exe
PID 2288 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\OOocGlp.exe
PID 2288 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\rNLXeXC.exe
PID 2288 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\hVwNcuE.exe
PID 2288 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\YcgVupJ.exe
PID 2288 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\jyYblqv.exe
PID 2288 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xwIzOVF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\KRbGAAU.exe

C:\Windows\System\KRbGAAU.exe

C:\Windows\System\zVHSqqX.exe

C:\Windows\System\zVHSqqX.exe

C:\Windows\System\QJNvgQL.exe

C:\Windows\System\QJNvgQL.exe

C:\Windows\System\rfSDpjK.exe

C:\Windows\System\rfSDpjK.exe

C:\Windows\System\Bvbefiu.exe

C:\Windows\System\Bvbefiu.exe

C:\Windows\System\nRBEIxO.exe

C:\Windows\System\nRBEIxO.exe

C:\Windows\System\uZhzauc.exe

C:\Windows\System\uZhzauc.exe

C:\Windows\System\JkHtGQT.exe

C:\Windows\System\JkHtGQT.exe

C:\Windows\System\XxvXbbC.exe

C:\Windows\System\XxvXbbC.exe

C:\Windows\System\fvfucdC.exe

C:\Windows\System\fvfucdC.exe

C:\Windows\System\aLexKiE.exe

C:\Windows\System\aLexKiE.exe

C:\Windows\System\VnZcCnG.exe

C:\Windows\System\VnZcCnG.exe

C:\Windows\System\rxGmciP.exe

C:\Windows\System\rxGmciP.exe

C:\Windows\System\WfUMnzy.exe

C:\Windows\System\WfUMnzy.exe

C:\Windows\System\zqfwnJi.exe

C:\Windows\System\zqfwnJi.exe

C:\Windows\System\OOocGlp.exe

C:\Windows\System\OOocGlp.exe

C:\Windows\System\rNLXeXC.exe

C:\Windows\System\rNLXeXC.exe

C:\Windows\System\hVwNcuE.exe

C:\Windows\System\hVwNcuE.exe

C:\Windows\System\YcgVupJ.exe

C:\Windows\System\YcgVupJ.exe

C:\Windows\System\jyYblqv.exe

C:\Windows\System\jyYblqv.exe

C:\Windows\System\xwIzOVF.exe

C:\Windows\System\xwIzOVF.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
(6 identical connections; no domain recorded)

Files

memory/2288-0-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2288-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\KRbGAAU.exe

MD5 05f92837c0787cc3ba68061f1e27a0fd
SHA1 8b17a8c9a7be0ede5b47e936aaaa59d8dcb021c4
SHA256 6df0248371b025bb00f373b309b0e757b12aa37f863316f72ef42b9fe289967c
SHA512 212761dc80196660274a6c40a436afe5d1a0bfb9ea02c0286fab64e31dfbd943f2486fcee3691a0fc8b5ebb37e829c82406b1b547d12edad74e148b1109c5a11

C:\Windows\system\zVHSqqX.exe

MD5 1b5fa9ffe8e972e2adfbd0a58a2226d4
SHA1 f6b33df4b600fa69f5560e445e9bb53c715ba732
SHA256 38344b359f83d3751ef20b598a8fd7391f086eda2d7448e619f0e475e9339396
SHA512 eb744f70cd2c4730c826541b91457ea30a5e8378956aad7c723a3f125e478ce66088ae68802ff91514c2f617bd19a4b60e5af9c932ab1edd8d86340e9fdc6952

memory/2288-10-0x000000013FB10000-0x000000013FE64000-memory.dmp

memory/2220-16-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/632-14-0x000000013FB10000-0x000000013FE64000-memory.dmp

memory/2288-7-0x00000000024A0000-0x00000000027F4000-memory.dmp

C:\Windows\system\QJNvgQL.exe

MD5 d2fbe7443287f0e74e631af28290631b
SHA1 0ea335d421609a7ee6969ec0bed6d3b43fecda35
SHA256 0459ae33bbde0745fb3be020ec89d42beacd3776cc96898dc80d5a192ec71122
SHA512 fa9381b47f2b8caee81741dd0d46fda40c05b4f4083d4203433ff97308eb2588d02d76d1cfd0e774c0f20327ebc5e1d41f340878b7ce06917dda9be0c3270c67

\Windows\system\rfSDpjK.exe

MD5 cec87816138884fae12e0c29b9f5bc07
SHA1 6eac8a7534cd05fd1da3ff7cd0fd32f93178772b
SHA256 69a15fd151d91201660ba40a0ba161d8febad3b8bf7acb94f96998873db4fd55
SHA512 74a827affdd63ee0073fd60f3a0ac55446df4b2fde207fe1b64d8f6a7423dc9f36beacf8f57d957782ed5b3ae40d8f55e5d55c59029100076a0006f33b131e85

memory/2288-22-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/2764-34-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/2668-40-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2288-39-0x000000013FB00000-0x000000013FE54000-memory.dmp

C:\Windows\system\nRBEIxO.exe

MD5 8967fc67f94d4d2e560e176fecb9c9b3
SHA1 0fb7cbdb98b3c8aaa45055998e2a62a3db7c1c4a
SHA256 62f8dfaf92fc237cb4a43bab086322f8e0d21bfe55f2d80ef0a445b678feec36
SHA512 ec4bec0afbf1eb3cdc628621182b73e686feaf05d22e7e8a90bd37b99c890823f20c058aecc146e073e0194781037b6a4978fb91d25847fc71ea977dbb4310f7

C:\Windows\system\JkHtGQT.exe

MD5 fa023b2efed69195e7c0f03708860f6d
SHA1 ec4f8fe73d048b1c8aafd257fa69a1cfb7aa0df8
SHA256 63d12233beedc079558d065f01d74f8470f09ee61770be019b39dd9c487dc737
SHA512 0d241f57baab1ae62f97c296a5b71f0a091fda0e4683d61eacf4c98dc7b96bf51d375ec7b27aed6a853cdf73d70dd02a2e0d2347274b2a64cd5eb2bbee501683

memory/2788-54-0x000000013F570000-0x000000013F8C4000-memory.dmp

C:\Windows\system\fvfucdC.exe

MD5 c9e4fab3b68d17b803e10fc2c4688701
SHA1 fa868de5925feb21a36b8f0d152eacd665778fdc
SHA256 429aedb21ac1595ec0c633ef7a6a8d4194fd795df39274c33b7b1045f93c3c93
SHA512 86e786fc6e418ad78617de52aaaff8621a1d6a23745dbb671457d36c9db70913fe5e4352a3cd14f92427aa31918b58311ae8f08a92fac0a89078f6e179112ffc

memory/2288-69-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/3044-70-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2796-81-0x000000013F0B0000-0x000000013F404000-memory.dmp

C:\Windows\system\OOocGlp.exe

MD5 4e70bc0ac3a7a4b54268f55ce0f566ae
SHA1 c7a645f42bfabcada7d69dfad12fd920a370825c
SHA256 452bdc5e8b8f13d545ba4d19b5de711f5fa8f9925dfe733af9b7707db02a6e81
SHA512 fc81dac132fa5271828f084c890b2eb044a4cdddfbf0efac2ef718c07a9dbe38a19914b8a7ff9f6ee20086825cfa8f89213a28243ad1be4292b12faf6afc4aac

C:\Windows\system\YcgVupJ.exe

MD5 8d4c52ea000ac42766e68bc04ec44e9e
SHA1 6311a6ad78c1ce3262983ceb506f66897357bf62
SHA256 45bbb21a5bba527b1b79bdf627ddecc4cd9b473a35912e0d62e9398175d8aed9
SHA512 302f5034574870d5b9e83c85794afa7663b5f4980966a0a76534f6b4df2ff149a138070193162f08ed5d636620ff480a1dc83c0c9dd598bb326ed1771d8c5765

\Windows\system\xwIzOVF.exe

MD5 4df3f8932e8864273cfbcaec9f7cde55
SHA1 b8cc66821f3ee4ffdf7fbc3dcb50a2d9df090857
SHA256 17f259a004c7324c3437ff2027431bd9caf47bd45c217e016fe35f655e05d9a0
SHA512 5ed818a269677255cad49cdef32c44861b2454b110c5e19f52b59a9136b2fe0a935cb33fcfab25233c4630d8fb7976af616fe9e311a8f39b9748fe030f903bc9

C:\Windows\system\jyYblqv.exe

MD5 f0aa685ede9b1c854e847cfcde904063
SHA1 40aae33eaac14d763929752875651fe6b1881133
SHA256 404bc5e082502be76539c47f701df730f28e5eec4e86de4e42008227ddc3ea22
SHA512 e937bba4df73d4156bde4851732a782b6ae906342e5210818081698968dcb9d52eb4b07d4d314483f7f2c2829ccdb839e8810b413ee07a240a363dfe4ce45c85

C:\Windows\system\hVwNcuE.exe

MD5 84b181de2ccbc86ba08bdcc4eb74226e
SHA1 860d69fcebb6693e8f2a749eb751fc2d4d599c70
SHA256 41543f81aeb9d58ae765c88cfa0d26d5e3b5f3f48708a6242397844c39f3a934
SHA512 854e0faf37832d5a6cdc5770a41d0052a52c656e59e5b23f6135c5e4ef180a71117256e082cc5fb5794c4f666e73a170ae6ea94361fa0d1c3f88e7188790fe31

C:\Windows\system\rNLXeXC.exe

MD5 0e0ea1951e5bd4755637e688303ad1a5
SHA1 6446e7e8fa3e7e100e7babbece8d5043f0ed296b
SHA256 de83f6362da05430a64049cce51ddaad34318833e5275b5aba19699884e60e9e
SHA512 3a5c646043eb822b3aa73b263b1626e91e5fd4aa3cb4dd0b43036656156d1ee3370a5521c644b5ee6525bf6af332c8698092f281a51057f26d0cfb08b6452667

memory/2288-103-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2668-102-0x000000013FB00000-0x000000013FE54000-memory.dmp

C:\Windows\system\zqfwnJi.exe

MD5 4b0ff6a5095325221ec63d28fe208756
SHA1 5839885c32ffb16971acd6c0877907d1f754f9da
SHA256 f9b1054f8e95b5200006455b67ada4e73bcf24389fb646220c3a46983ed5d15a
SHA512 c0039dacbb32a4cb751fca8632a765910adfa955e0a321be515fdac8cec25817e5ce1474336c210c2afe17f52b7a15704a601f11fa0e359431433b04d3817994

memory/2744-95-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2288-94-0x00000000024A0000-0x00000000027F4000-memory.dmp

memory/2856-89-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2288-88-0x000000013FF00000-0x0000000140254000-memory.dmp

C:\Windows\system\WfUMnzy.exe

MD5 ce7c5afc5d6a1efae9e95f9c23b4ef23
SHA1 df40d52f353bdac351e5819008455f5516907d33
SHA256 f65622d3a57a9ce5848d6da8c042d5e558a5da37537d813c874bef619401833d
SHA512 a40ea4d1da1806449f257885050079db30c716e42294e791411209bd8f7d12cfec8ad389da932a5d9182e6de46e9639df7cabeceaa9125cdeee6f7f9b707ab45

memory/2716-87-0x000000013FA80000-0x000000013FDD4000-memory.dmp

C:\Windows\system\rxGmciP.exe

MD5 24210ba5b458314e93a5a9591447b91f
SHA1 547e0f06fc2e20a2735f8c59998af16291e5e545
SHA256 7d1870cda788ef0b2caadfdcb15d900b95eea90d300b21245921105ea31c8706
SHA512 4067f6169bdf96ce106922df0bc5968e88966d736f9d8af268a1ed56ff963d6d08fcf41c14998d0a8f4891749691576066e4b36b8505ceaf5b4e69f52c4a3a82

C:\Windows\system\VnZcCnG.exe

MD5 883dd6a7b1dfa8c8fe25c18500918b9e
SHA1 d62bc5e6157ff642c251bd637a7e87c5133aca31
SHA256 bb395718c2f957ca42fc387af76ab5d3bbb750aa007de938e9e5ab2598d3bf59
SHA512 d84cc45ed83f9c7d7aecd8cf14bca39184fce0aa105e05c511fc68c00cccc3c634e9f74f2f8f62ebc31e16c14284969d56f3f17490a133fe18e742150c81b81d

memory/2304-75-0x000000013F120000-0x000000013F474000-memory.dmp

C:\Windows\system\aLexKiE.exe

MD5 445b476aee53dd0a1f122be544669390
SHA1 a6a4f973299d456add0d8a619de78cc3f35d9c03
SHA256 2c01e9104e8e99f4612872b62a94a4a6f6af772c6d5840700b38168a1b59dd5e
SHA512 60483b27f10863e5ebf2bb5581e58dbdc489ea9ec16c94457ac4162f6b7c59fa8354802fa9799abb2636d623c0ebc3f823e4e9cb66fc7962b3167017ce8efeb2

memory/2568-63-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2288-62-0x00000000024A0000-0x00000000027F4000-memory.dmp

memory/2220-61-0x000000013F2C0000-0x000000013F614000-memory.dmp

C:\Windows\system\XxvXbbC.exe

MD5 c5a618f35f4f2fecd85220b922089d11
SHA1 c5821e1110ce65bbf7129c16c63b2dab85e11b0c
SHA256 0be9b93afa0b6b4a8ef9903622b83359a10b756e3141b35a7eff4ef79d148bcd
SHA512 d249cc5b2af72ca26fa1232643929cde2c01a4364ef0a626cfd9f16aa21e8251d537631ccb2e2d8193a7b5b025ba949dab84e8d83523ced058e3b4727777634c

memory/2272-49-0x000000013F500000-0x000000013F854000-memory.dmp

C:\Windows\system\uZhzauc.exe

MD5 730de8c004158f85fac3804f6ee427e6
SHA1 1cfbe5feeb0022d1ed3541dc4800c308cd6d7326
SHA256 cd8fc912e43335f5ff2b2bf2c93cf2de308b17b84116de652d88d1b9514e4afa
SHA512 048ebccd39cc79f8c4d3c2bf766b91ae1a8b9150de5503ec1d2a99a59a71c3b25686768bb5d3f104d4e6f1d0faa2af2524ea04f18699f33e0e9a35ebebf17c5f

memory/2288-44-0x000000013F480000-0x000000013F7D4000-memory.dmp

C:\Windows\system\Bvbefiu.exe

MD5 337c597477f9e12de6934af41ac95c92
SHA1 12c90faec060eb02cea13b2ec987e96737f38b2a
SHA256 8f79ad92f0807fbcd07a3dba20493f5304c2dca3c72f6a4f4298082dc58f1124
SHA512 f8d745f750ceb5117c21a1268785ed005f3ca094fb4956672d09046db9e0d23d735da63e3f7dd88a5ac010cf8b0a178a827da8cc5bb84834c6a7a50e07097a1a

memory/2716-31-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/1456-23-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/2788-134-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2288-135-0x00000000024A0000-0x00000000027F4000-memory.dmp

memory/2288-136-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2288-137-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2304-138-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2288-139-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2796-140-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2288-141-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2856-142-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2288-143-0x00000000024A0000-0x00000000027F4000-memory.dmp

memory/2744-144-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2288-145-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/632-146-0x000000013FB10000-0x000000013FE64000-memory.dmp

memory/2220-147-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/1456-148-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/2764-149-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/2716-151-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2668-150-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2272-152-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2788-153-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2568-154-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/3044-155-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2304-156-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2796-157-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2856-158-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2744-159-0x000000013F420000-0x000000013F774000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 15:32

Reported

2024-06-01 15:35

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uZhzauc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XxvXbbC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zqfwnJi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jyYblqv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xwIzOVF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KRbGAAU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QJNvgQL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rfSDpjK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WfUMnzy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rNLXeXC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fvfucdC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aLexKiE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VnZcCnG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OOocGlp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hVwNcuE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zVHSqqX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Bvbefiu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nRBEIxO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YcgVupJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JkHtGQT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rxGmciP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\KRbGAAU.exe
PID 2396 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\KRbGAAU.exe
PID 2396 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zVHSqqX.exe
PID 2396 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zVHSqqX.exe
PID 2396 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\QJNvgQL.exe
PID 2396 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\QJNvgQL.exe
PID 2396 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\rfSDpjK.exe
PID 2396 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\rfSDpjK.exe
PID 2396 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\Bvbefiu.exe
PID 2396 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\Bvbefiu.exe
PID 2396 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\nRBEIxO.exe
PID 2396 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\nRBEIxO.exe
PID 2396 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZhzauc.exe
PID 2396 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZhzauc.exe
PID 2396 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\JkHtGQT.exe
PID 2396 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\JkHtGQT.exe
PID 2396 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\XxvXbbC.exe
PID 2396 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\XxvXbbC.exe
PID 2396 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\fvfucdC.exe
PID 2396 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\fvfucdC.exe
PID 2396 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\aLexKiE.exe
PID 2396 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\aLexKiE.exe
PID 2396 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VnZcCnG.exe
PID 2396 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\VnZcCnG.exe
PID 2396 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\rxGmciP.exe
PID 2396 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\rxGmciP.exe
PID 2396 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\WfUMnzy.exe
PID 2396 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\WfUMnzy.exe
PID 2396 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqfwnJi.exe
PID 2396 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqfwnJi.exe
PID 2396 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\OOocGlp.exe
PID 2396 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\OOocGlp.exe
PID 2396 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\rNLXeXC.exe
PID 2396 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\rNLXeXC.exe
PID 2396 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\hVwNcuE.exe
PID 2396 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\hVwNcuE.exe
PID 2396 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\YcgVupJ.exe
PID 2396 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\YcgVupJ.exe
PID 2396 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\jyYblqv.exe
PID 2396 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\jyYblqv.exe
PID 2396 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xwIzOVF.exe
PID 2396 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe C:\Windows\System\xwIzOVF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3e079e462dfc5a824f565d76b8c87bf6_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\KRbGAAU.exe

C:\Windows\System\KRbGAAU.exe

C:\Windows\System\zVHSqqX.exe

C:\Windows\System\zVHSqqX.exe

C:\Windows\System\QJNvgQL.exe

C:\Windows\System\QJNvgQL.exe

C:\Windows\System\rfSDpjK.exe

C:\Windows\System\rfSDpjK.exe

C:\Windows\System\Bvbefiu.exe

C:\Windows\System\Bvbefiu.exe

C:\Windows\System\nRBEIxO.exe

C:\Windows\System\nRBEIxO.exe

C:\Windows\System\uZhzauc.exe

C:\Windows\System\uZhzauc.exe

C:\Windows\System\JkHtGQT.exe

C:\Windows\System\JkHtGQT.exe

C:\Windows\System\XxvXbbC.exe

C:\Windows\System\XxvXbbC.exe

C:\Windows\System\fvfucdC.exe

C:\Windows\System\fvfucdC.exe

C:\Windows\System\aLexKiE.exe

C:\Windows\System\aLexKiE.exe

C:\Windows\System\VnZcCnG.exe

C:\Windows\System\VnZcCnG.exe

C:\Windows\System\rxGmciP.exe

C:\Windows\System\rxGmciP.exe

C:\Windows\System\WfUMnzy.exe

C:\Windows\System\WfUMnzy.exe

C:\Windows\System\zqfwnJi.exe

C:\Windows\System\zqfwnJi.exe

C:\Windows\System\OOocGlp.exe

C:\Windows\System\OOocGlp.exe

C:\Windows\System\rNLXeXC.exe

C:\Windows\System\rNLXeXC.exe

C:\Windows\System\hVwNcuE.exe

C:\Windows\System\hVwNcuE.exe

C:\Windows\System\YcgVupJ.exe

C:\Windows\System\YcgVupJ.exe

C:\Windows\System\jyYblqv.exe

C:\Windows\System\jyYblqv.exe

C:\Windows\System\xwIzOVF.exe

C:\Windows\System\xwIzOVF.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 209.80.50.20.in-addr.arpa udp

Files

memory/2396-0-0x00007FF748B70000-0x00007FF748EC4000-memory.dmp

memory/2396-1-0x000001EB06380000-0x000001EB06390000-memory.dmp

C:\Windows\System\KRbGAAU.exe

MD5 05f92837c0787cc3ba68061f1e27a0fd
SHA1 8b17a8c9a7be0ede5b47e936aaaa59d8dcb021c4
SHA256 6df0248371b025bb00f373b309b0e757b12aa37f863316f72ef42b9fe289967c
SHA512 212761dc80196660274a6c40a436afe5d1a0bfb9ea02c0286fab64e31dfbd943f2486fcee3691a0fc8b5ebb37e829c82406b1b547d12edad74e148b1109c5a11

memory/3360-6-0x00007FF7CED60000-0x00007FF7CF0B4000-memory.dmp

C:\Windows\System\QJNvgQL.exe

MD5 d2fbe7443287f0e74e631af28290631b
SHA1 0ea335d421609a7ee6969ec0bed6d3b43fecda35
SHA256 0459ae33bbde0745fb3be020ec89d42beacd3776cc96898dc80d5a192ec71122
SHA512 fa9381b47f2b8caee81741dd0d46fda40c05b4f4083d4203433ff97308eb2588d02d76d1cfd0e774c0f20327ebc5e1d41f340878b7ce06917dda9be0c3270c67

C:\Windows\System\zVHSqqX.exe

MD5 1b5fa9ffe8e972e2adfbd0a58a2226d4
SHA1 f6b33df4b600fa69f5560e445e9bb53c715ba732
SHA256 38344b359f83d3751ef20b598a8fd7391f086eda2d7448e619f0e475e9339396
SHA512 eb744f70cd2c4730c826541b91457ea30a5e8378956aad7c723a3f125e478ce66088ae68802ff91514c2f617bd19a4b60e5af9c932ab1edd8d86340e9fdc6952

memory/3412-14-0x00007FF746940000-0x00007FF746C94000-memory.dmp

C:\Windows\System\rfSDpjK.exe

MD5 cec87816138884fae12e0c29b9f5bc07
SHA1 6eac8a7534cd05fd1da3ff7cd0fd32f93178772b
SHA256 69a15fd151d91201660ba40a0ba161d8febad3b8bf7acb94f96998873db4fd55
SHA512 74a827affdd63ee0073fd60f3a0ac55446df4b2fde207fe1b64d8f6a7423dc9f36beacf8f57d957782ed5b3ae40d8f55e5d55c59029100076a0006f33b131e85

memory/5112-21-0x00007FF64D4E0000-0x00007FF64D834000-memory.dmp

memory/1464-26-0x00007FF6AE240000-0x00007FF6AE594000-memory.dmp

C:\Windows\System\Bvbefiu.exe

MD5 337c597477f9e12de6934af41ac95c92
SHA1 12c90faec060eb02cea13b2ec987e96737f38b2a
SHA256 8f79ad92f0807fbcd07a3dba20493f5304c2dca3c72f6a4f4298082dc58f1124
SHA512 f8d745f750ceb5117c21a1268785ed005f3ca094fb4956672d09046db9e0d23d735da63e3f7dd88a5ac010cf8b0a178a827da8cc5bb84834c6a7a50e07097a1a

memory/1624-32-0x00007FF6F3FB0000-0x00007FF6F4304000-memory.dmp

C:\Windows\System\nRBEIxO.exe

MD5 8967fc67f94d4d2e560e176fecb9c9b3
SHA1 0fb7cbdb98b3c8aaa45055998e2a62a3db7c1c4a
SHA256 62f8dfaf92fc237cb4a43bab086322f8e0d21bfe55f2d80ef0a445b678feec36
SHA512 ec4bec0afbf1eb3cdc628621182b73e686feaf05d22e7e8a90bd37b99c890823f20c058aecc146e073e0194781037b6a4978fb91d25847fc71ea977dbb4310f7

C:\Windows\System\uZhzauc.exe

MD5 730de8c004158f85fac3804f6ee427e6
SHA1 1cfbe5feeb0022d1ed3541dc4800c308cd6d7326
SHA256 cd8fc912e43335f5ff2b2bf2c93cf2de308b17b84116de652d88d1b9514e4afa
SHA512 048ebccd39cc79f8c4d3c2bf766b91ae1a8b9150de5503ec1d2a99a59a71c3b25686768bb5d3f104d4e6f1d0faa2af2524ea04f18699f33e0e9a35ebebf17c5f

memory/4624-38-0x00007FF72BD80000-0x00007FF72C0D4000-memory.dmp

C:\Windows\System\JkHtGQT.exe

MD5 fa023b2efed69195e7c0f03708860f6d
SHA1 ec4f8fe73d048b1c8aafd257fa69a1cfb7aa0df8
SHA256 63d12233beedc079558d065f01d74f8470f09ee61770be019b39dd9c487dc737
SHA512 0d241f57baab1ae62f97c296a5b71f0a091fda0e4683d61eacf4c98dc7b96bf51d375ec7b27aed6a853cdf73d70dd02a2e0d2347274b2a64cd5eb2bbee501683

memory/4044-43-0x00007FF6D9A10000-0x00007FF6D9D64000-memory.dmp

memory/2940-50-0x00007FF630900000-0x00007FF630C54000-memory.dmp

C:\Windows\System\XxvXbbC.exe

MD5 c5a618f35f4f2fecd85220b922089d11
SHA1 c5821e1110ce65bbf7129c16c63b2dab85e11b0c
SHA256 0be9b93afa0b6b4a8ef9903622b83359a10b756e3141b35a7eff4ef79d148bcd
SHA512 d249cc5b2af72ca26fa1232643929cde2c01a4364ef0a626cfd9f16aa21e8251d537631ccb2e2d8193a7b5b025ba949dab84e8d83523ced058e3b4727777634c

memory/2944-58-0x00007FF671A80000-0x00007FF671DD4000-memory.dmp

memory/2396-61-0x00007FF748B70000-0x00007FF748EC4000-memory.dmp

C:\Windows\System\aLexKiE.exe

MD5 445b476aee53dd0a1f122be544669390
SHA1 a6a4f973299d456add0d8a619de78cc3f35d9c03
SHA256 2c01e9104e8e99f4612872b62a94a4a6f6af772c6d5840700b38168a1b59dd5e
SHA512 60483b27f10863e5ebf2bb5581e58dbdc489ea9ec16c94457ac4162f6b7c59fa8354802fa9799abb2636d623c0ebc3f823e4e9cb66fc7962b3167017ce8efeb2

memory/2764-69-0x00007FF654EC0000-0x00007FF655214000-memory.dmp

memory/3360-72-0x00007FF7CED60000-0x00007FF7CF0B4000-memory.dmp

memory/1224-74-0x00007FF660980000-0x00007FF660CD4000-memory.dmp

memory/3112-73-0x00007FF7F8FF0000-0x00007FF7F9344000-memory.dmp

C:\Windows\System\VnZcCnG.exe

MD5 883dd6a7b1dfa8c8fe25c18500918b9e
SHA1 d62bc5e6157ff642c251bd637a7e87c5133aca31
SHA256 bb395718c2f957ca42fc387af76ab5d3bbb750aa007de938e9e5ab2598d3bf59
SHA512 d84cc45ed83f9c7d7aecd8cf14bca39184fce0aa105e05c511fc68c00cccc3c634e9f74f2f8f62ebc31e16c14284969d56f3f17490a133fe18e742150c81b81d

C:\Windows\System\fvfucdC.exe

MD5 c9e4fab3b68d17b803e10fc2c4688701
SHA1 fa868de5925feb21a36b8f0d152eacd665778fdc
SHA256 429aedb21ac1595ec0c633ef7a6a8d4194fd795df39274c33b7b1045f93c3c93
SHA512 86e786fc6e418ad78617de52aaaff8621a1d6a23745dbb671457d36c9db70913fe5e4352a3cd14f92427aa31918b58311ae8f08a92fac0a89078f6e179112ffc

C:\Windows\System\rxGmciP.exe

MD5 24210ba5b458314e93a5a9591447b91f
SHA1 547e0f06fc2e20a2735f8c59998af16291e5e545
SHA256 7d1870cda788ef0b2caadfdcb15d900b95eea90d300b21245921105ea31c8706
SHA512 4067f6169bdf96ce106922df0bc5968e88966d736f9d8af268a1ed56ff963d6d08fcf41c14998d0a8f4891749691576066e4b36b8505ceaf5b4e69f52c4a3a82

memory/4940-82-0x00007FF685CE0000-0x00007FF686034000-memory.dmp

C:\Windows\System\WfUMnzy.exe

MD5 ce7c5afc5d6a1efae9e95f9c23b4ef23
SHA1 df40d52f353bdac351e5819008455f5516907d33
SHA256 f65622d3a57a9ce5848d6da8c042d5e558a5da37537d813c874bef619401833d
SHA512 a40ea4d1da1806449f257885050079db30c716e42294e791411209bd8f7d12cfec8ad389da932a5d9182e6de46e9639df7cabeceaa9125cdeee6f7f9b707ab45

memory/792-87-0x00007FF615090000-0x00007FF6153E4000-memory.dmp

C:\Windows\System\zqfwnJi.exe

MD5 4b0ff6a5095325221ec63d28fe208756
SHA1 5839885c32ffb16971acd6c0877907d1f754f9da
SHA256 f9b1054f8e95b5200006455b67ada4e73bcf24389fb646220c3a46983ed5d15a
SHA512 c0039dacbb32a4cb751fca8632a765910adfa955e0a321be515fdac8cec25817e5ce1474336c210c2afe17f52b7a15704a601f11fa0e359431433b04d3817994

memory/1464-86-0x00007FF6AE240000-0x00007FF6AE594000-memory.dmp

memory/1624-95-0x00007FF6F3FB0000-0x00007FF6F4304000-memory.dmp

memory/4552-99-0x00007FF76D4C0000-0x00007FF76D814000-memory.dmp

C:\Windows\System\rNLXeXC.exe

MD5 0e0ea1951e5bd4755637e688303ad1a5
SHA1 6446e7e8fa3e7e100e7babbece8d5043f0ed296b
SHA256 de83f6362da05430a64049cce51ddaad34318833e5275b5aba19699884e60e9e
SHA512 3a5c646043eb822b3aa73b263b1626e91e5fd4aa3cb4dd0b43036656156d1ee3370a5521c644b5ee6525bf6af332c8698092f281a51057f26d0cfb08b6452667

C:\Windows\System\OOocGlp.exe

MD5 4e70bc0ac3a7a4b54268f55ce0f566ae
SHA1 c7a645f42bfabcada7d69dfad12fd920a370825c
SHA256 452bdc5e8b8f13d545ba4d19b5de711f5fa8f9925dfe733af9b7707db02a6e81
SHA512 fc81dac132fa5271828f084c890b2eb044a4cdddfbf0efac2ef718c07a9dbe38a19914b8a7ff9f6ee20086825cfa8f89213a28243ad1be4292b12faf6afc4aac

C:\Windows\System\hVwNcuE.exe

MD5 84b181de2ccbc86ba08bdcc4eb74226e
SHA1 860d69fcebb6693e8f2a749eb751fc2d4d599c70
SHA256 41543f81aeb9d58ae765c88cfa0d26d5e3b5f3f48708a6242397844c39f3a934
SHA512 854e0faf37832d5a6cdc5770a41d0052a52c656e59e5b23f6135c5e4ef180a71117256e082cc5fb5794c4f666e73a170ae6ea94361fa0d1c3f88e7188790fe31

C:\Windows\System\jyYblqv.exe

MD5 f0aa685ede9b1c854e847cfcde904063
SHA1 40aae33eaac14d763929752875651fe6b1881133
SHA256 404bc5e082502be76539c47f701df730f28e5eec4e86de4e42008227ddc3ea22
SHA512 e937bba4df73d4156bde4851732a782b6ae906342e5210818081698968dcb9d52eb4b07d4d314483f7f2c2829ccdb839e8810b413ee07a240a363dfe4ce45c85

C:\Windows\System\YcgVupJ.exe

MD5 8d4c52ea000ac42766e68bc04ec44e9e
SHA1 6311a6ad78c1ce3262983ceb506f66897357bf62
SHA256 45bbb21a5bba527b1b79bdf627ddecc4cd9b473a35912e0d62e9398175d8aed9
SHA512 302f5034574870d5b9e83c85794afa7663b5f4980966a0a76534f6b4df2ff149a138070193162f08ed5d636620ff480a1dc83c0c9dd598bb326ed1771d8c5765

C:\Windows\System\xwIzOVF.exe

MD5 4df3f8932e8864273cfbcaec9f7cde55
SHA1 b8cc66821f3ee4ffdf7fbc3dcb50a2d9df090857
SHA256 17f259a004c7324c3437ff2027431bd9caf47bd45c217e016fe35f655e05d9a0
SHA512 5ed818a269677255cad49cdef32c44861b2454b110c5e19f52b59a9136b2fe0a935cb33fcfab25233c4630d8fb7976af616fe9e311a8f39b9748fe030f903bc9

memory/3376-121-0x00007FF67ADA0000-0x00007FF67B0F4000-memory.dmp

memory/1788-127-0x00007FF648D50000-0x00007FF6490A4000-memory.dmp

memory/2824-128-0x00007FF6ADC10000-0x00007FF6ADF64000-memory.dmp

memory/4692-130-0x00007FF6A28A0000-0x00007FF6A2BF4000-memory.dmp

memory/4896-129-0x00007FF727030000-0x00007FF727384000-memory.dmp

memory/3732-132-0x00007FF7F8190000-0x00007FF7F84E4000-memory.dmp

memory/4044-131-0x00007FF6D9A10000-0x00007FF6D9D64000-memory.dmp

memory/2944-133-0x00007FF671A80000-0x00007FF671DD4000-memory.dmp

memory/1224-134-0x00007FF660980000-0x00007FF660CD4000-memory.dmp

memory/792-135-0x00007FF615090000-0x00007FF6153E4000-memory.dmp

memory/3376-136-0x00007FF67ADA0000-0x00007FF67B0F4000-memory.dmp

memory/3412-137-0x00007FF746940000-0x00007FF746C94000-memory.dmp

memory/3360-138-0x00007FF7CED60000-0x00007FF7CF0B4000-memory.dmp

memory/5112-139-0x00007FF64D4E0000-0x00007FF64D834000-memory.dmp

memory/1464-140-0x00007FF6AE240000-0x00007FF6AE594000-memory.dmp

memory/1624-141-0x00007FF6F3FB0000-0x00007FF6F4304000-memory.dmp

memory/4624-142-0x00007FF72BD80000-0x00007FF72C0D4000-memory.dmp

memory/2940-143-0x00007FF630900000-0x00007FF630C54000-memory.dmp

memory/4044-144-0x00007FF6D9A10000-0x00007FF6D9D64000-memory.dmp

memory/2944-145-0x00007FF671A80000-0x00007FF671DD4000-memory.dmp

memory/3112-146-0x00007FF7F8FF0000-0x00007FF7F9344000-memory.dmp

memory/2764-147-0x00007FF654EC0000-0x00007FF655214000-memory.dmp

memory/1224-148-0x00007FF660980000-0x00007FF660CD4000-memory.dmp

memory/4940-149-0x00007FF685CE0000-0x00007FF686034000-memory.dmp

memory/4552-151-0x00007FF76D4C0000-0x00007FF76D814000-memory.dmp

memory/792-150-0x00007FF615090000-0x00007FF6153E4000-memory.dmp

memory/3376-152-0x00007FF67ADA0000-0x00007FF67B0F4000-memory.dmp

memory/3732-153-0x00007FF7F8190000-0x00007FF7F84E4000-memory.dmp

memory/1788-154-0x00007FF648D50000-0x00007FF6490A4000-memory.dmp

memory/2824-155-0x00007FF6ADC10000-0x00007FF6ADF64000-memory.dmp

memory/4692-156-0x00007FF6A28A0000-0x00007FF6A2BF4000-memory.dmp

memory/4896-157-0x00007FF727030000-0x00007FF727384000-memory.dmp