Malware Analysis Report

2025-01-22 19:53

Sample ID 240601-szzkksgc89
Target 2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike
SHA256 434934aa10f7e60b341728a5afbc4e87c7ab49225c98be02e5fb5966fa1f8c77
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

434934aa10f7e60b341728a5afbc4e87c7ab49225c98be02e5fb5966fa1f8c77

Threat Level: Known bad

The file 2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike family

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

UPX packed file

XMRig Miner payload

Xmrig family

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

How to read this summary: the Cobalt Strike and XMRig entries are static and memory-pattern signature hits for which the sandbox recorded no indicator detail (the Description, Indicator, Process and Target columns are empty in the sections below). The behaviour it did record in behavioral1 is a dropper chain: the UPX-packed sample (PID 2008) writes 21 executables with seven-letter names into C:\Windows\System, starts them, writes into the memory of each child process, requests SeLockMemoryPrivilege (the right XMRig needs for large pages), and makes six TCP connections to 3.120.209.58:8080. Each dropped file has a different hash, so the usable indicators are the drop location, the name shape, the parent-child pattern and the destination address rather than the file hashes.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 15:34

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

None of the static signatures carries a Description, Indicator, Process or Target value (every column is N/A in the original), so they are pattern matches on the file and its unpacked image only; the process and file indicators come from the behavioral run below.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 15:34

Reported

2024-06-01 15:37

Platform

win7-20240221-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

21 hits; no Description, Indicator, Process or Target recorded

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

21 hits; no Description, Indicator, Process or Target recorded

UPX dump on OEP (original entry point)

52 hits; no Description, Indicator, Process or Target recorded

XMRig Miner payload

miner

56 hits; no Description, Indicator, Process or Target recorded

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
(21 identical rows in the original table; the sandbox names the loading process but not the DLL)

UPX packed file

upx

52 hits; no Description, Indicator, Process or Target recorded

The memory-pattern signatures above had every column set to N/A in the original report and are summarised here by hit count. Note that 21 is also the number of dropped executables and of child processes, and that the 52 and 56 counts exceed the number of processes, so these signatures matched more than one memory region per process.
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\BUGYXYr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rFYWHuV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mScQBTO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nObuiaz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QkVvcvz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GTUhRmm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BBHhSKL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ogIXFjx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oMWvlTO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pJAnuop.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BJOGPVI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qHVOVvj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RGXlPyy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uVHpphp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AbUvely.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CEBuFWv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QpHoIUG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BspqvTK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XFdHwyj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vaHkYqO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gADwCui.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege ("Lock pages in memory") is the user right required to allocate large pages. XMRig enables it on Windows at startup so that its mining memory can be backed by huge pages, so this token adjustment matches the miner verdict rather than anything a Cobalt Strike beacon needs. By default the right is assigned to no account, so a process requesting it outside of database or virtualisation software is a cheap thing to alert on.

Suspicious use of WriteProcessMemory

PID 2008 is the sample itself (compare the memory/2008-* dumps under Files). The original table lists three rows per child; they are collapsed here with the count in the Description column.

Description Indicator Process Target
PID 2008 wrote to memory of 2948 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\mScQBTO.exe
PID 2008 wrote to memory of 2476 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BJOGPVI.exe
PID 2008 wrote to memory of 2544 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\nObuiaz.exe
PID 2008 wrote to memory of 2488 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\QkVvcvz.exe
PID 2008 wrote to memory of 2460 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\GTUhRmm.exe
PID 2008 wrote to memory of 2604 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\qHVOVvj.exe
PID 2008 wrote to memory of 2788 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BBHhSKL.exe
PID 2008 wrote to memory of 2448 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BspqvTK.exe
PID 2008 wrote to memory of 2524 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\QpHoIUG.exe
PID 2008 wrote to memory of 2756 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ogIXFjx.exe
PID 2008 wrote to memory of 1912 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\RGXlPyy.exe
PID 2008 wrote to memory of 772 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BUGYXYr.exe
PID 2008 wrote to memory of 1924 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\rFYWHuV.exe
PID 2008 wrote to memory of 1860 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\uVHpphp.exe
PID 2008 wrote to memory of 1216 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\AbUvely.exe
PID 2008 wrote to memory of 1608 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\XFdHwyj.exe
PID 2008 wrote to memory of 328 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\vaHkYqO.exe
PID 2008 wrote to memory of 320 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CEBuFWv.exe
PID 2008 wrote to memory of 540 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\oMWvlTO.exe
PID 2008 wrote to memory of 1412 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\pJAnuop.exe
PID 2008 wrote to memory of 1564 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\gADwCui.exe
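The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables above are more useful joined than read separately: the join shows which dropped file became which child PID, and the drop pattern itself (one parent writing many seven-letter .exe files into C:\Windows\System) is the detection a practitioner would carry to other reports. The following Python is an added example, not code from the sandbox or the report. It parses rows in the report's own row format, collapses the repeated WriteProcessMemory rows, maps dropped paths to child PIDs and flags dropper parents. The embedded rows are a subset copied from the two tables (five drops, three children); the seven-letter name regex, the five-file threshold, and the assumption that every path ends in ".exe" and contains no ".exe " inside it are the example's own choices.

```python
import re
from collections import Counter

# Sample path exactly as the report prints it (no spaces, ends in .exe).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe")

# Constructed input: a subset of rows copied from the "Drops file in Windows
# directory" and "Suspicious use of WriteProcessMemory" tables of the report.
REPORT_ROWS = [
    rf"File created C:\Windows\System\BUGYXYr.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\rFYWHuV.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\mScQBTO.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\nObuiaz.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\QkVvcvz.exe {SAMPLE} N/A",
    rf"PID 2008 wrote to memory of 2948 N/A {SAMPLE} C:\Windows\System\mScQBTO.exe",
    rf"PID 2008 wrote to memory of 2948 N/A {SAMPLE} C:\Windows\System\mScQBTO.exe",
    rf"PID 2008 wrote to memory of 2948 N/A {SAMPLE} C:\Windows\System\mScQBTO.exe",
    rf"PID 2008 wrote to memory of 2544 N/A {SAMPLE} C:\Windows\System\nObuiaz.exe",
    rf"PID 2008 wrote to memory of 2544 N/A {SAMPLE} C:\Windows\System\nObuiaz.exe",
    rf"PID 2008 wrote to memory of 2544 N/A {SAMPLE} C:\Windows\System\nObuiaz.exe",
    rf"PID 2008 wrote to memory of 772 N/A {SAMPLE} C:\Windows\System\BUGYXYr.exe",
]

# Row shapes as the report prints them. Assumption: every path ends in ".exe",
# so a lazy match up to ".exe" followed by a space finds the column boundary
# even when a path contains spaces.
DROP_RE = re.compile(r"^File created (?P<path>.+?\.exe) (?P<proc>.+?\.exe) N/A$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
                    r"(?P<proc>.+?\.exe) (?P<target>.+?\.exe)$")
NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")   # shape of all 21 dropped names
DROP_DIR = "c:\\windows\\system"              # the legacy dir, not System32


def parse_rows(rows):
    """Split report rows into drop events and de-duplicated memory writes."""
    drops = []                 # (dropped_path, writing_process)
    write_counts = Counter()   # (src_pid, dst_pid) -> number of rows seen
    write_targets = {}         # (src_pid, dst_pid) -> (src_image, dst_image)
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            drops.append((m["path"], m["proc"]))
            continue
        m = WPM_RE.match(row)
        if m:
            key = (int(m["src"]), int(m["dst"]))
            write_counts[key] += 1
            write_targets[key] = (m["proc"], m["target"])
    return drops, write_counts, write_targets


def correlate(drops, write_targets):
    """Map each dropped path to the child PID running that image, or None."""
    pid_by_image = {target.lower(): dst
                    for (_, dst), (_, target) in write_targets.items()}
    return {path: pid_by_image.get(path.lower()) for path, _ in drops}


def flag_droppers(drops, min_files=5):
    """Parents that wrote >= min_files seven-letter .exe files into C:\\Windows\\System."""
    per_parent = Counter()
    for path, proc in drops:
        directory, _, name = path.rpartition("\\")
        if directory.lower() == DROP_DIR and NAME_RE.match(name):
            per_parent[proc] += 1
    return {proc: n for proc, n in per_parent.items() if n >= min_files}


if __name__ == "__main__":
    drops, counts, targets = parse_rows(REPORT_ROWS)
    for path, pid in correlate(drops, targets).items():
        print(f"{path} -> " + (f"child PID {pid}" if pid else "no write target seen"))
    for (src, dst), n in counts.items():
        print(f"PID {src} wrote to PID {dst} {n} time(s)")
    print("dropper candidates:", flag_droppers(drops))
```

On the full report every one of the 21 dropped paths resolves to a child PID; in the subset above rFYWHuV.exe and QkVvcvz.exe stay unresolved because their WriteProcessMemory rows were not copied in. The name regex is deliberately narrow (exactly seven ASCII letters) because a looser "random-looking" test would have to cope with names such as BJOGPVI.exe that are all upper case and nObuiaz.exe that read almost like words; the parent-count threshold, not the name, carries most of the signal.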

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\mScQBTO.exe

C:\Windows\System\mScQBTO.exe

C:\Windows\System\BJOGPVI.exe

C:\Windows\System\BJOGPVI.exe

C:\Windows\System\nObuiaz.exe

C:\Windows\System\nObuiaz.exe

C:\Windows\System\QkVvcvz.exe

C:\Windows\System\QkVvcvz.exe

C:\Windows\System\GTUhRmm.exe

C:\Windows\System\GTUhRmm.exe

C:\Windows\System\qHVOVvj.exe

C:\Windows\System\qHVOVvj.exe

C:\Windows\System\BBHhSKL.exe

C:\Windows\System\BBHhSKL.exe

C:\Windows\System\BspqvTK.exe

C:\Windows\System\BspqvTK.exe

C:\Windows\System\QpHoIUG.exe

C:\Windows\System\QpHoIUG.exe

C:\Windows\System\ogIXFjx.exe

C:\Windows\System\ogIXFjx.exe

C:\Windows\System\RGXlPyy.exe

C:\Windows\System\RGXlPyy.exe

C:\Windows\System\BUGYXYr.exe

C:\Windows\System\BUGYXYr.exe

C:\Windows\System\rFYWHuV.exe

C:\Windows\System\rFYWHuV.exe

C:\Windows\System\uVHpphp.exe

C:\Windows\System\uVHpphp.exe

C:\Windows\System\AbUvely.exe

C:\Windows\System\AbUvely.exe

C:\Windows\System\XFdHwyj.exe

C:\Windows\System\XFdHwyj.exe

C:\Windows\System\vaHkYqO.exe

C:\Windows\System\vaHkYqO.exe

C:\Windows\System\CEBuFWv.exe

C:\Windows\System\CEBuFWv.exe

C:\Windows\System\oMWvlTO.exe

C:\Windows\System\oMWvlTO.exe

C:\Windows\System\pJAnuop.exe

C:\Windows\System\pJAnuop.exe

C:\Windows\System\gADwCui.exe

C:\Windows\System\gADwCui.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

All 21 dropped executables below carry different MD5, SHA1, SHA256 and SHA512 values, and none matches the sample, so hash blocking of the drops is of little value; the drop directory, the seven-letter name shape and the parent-child behaviour recorded above are the indicators to use. Every image region dumped from PID 2008 and from each child is 0x354000 bytes long, as are the 0x2400000-0x2754000 buffers inside PID 2008, which suggests the drops are same-layout variants of one image rather than 21 unrelated payloads; the image addresses above 4 GiB show these are 64-bit processes. Paths are reproduced as the sandbox recorded them, some with and some without the drive letter.

memory/2008-0-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2008-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\mScQBTO.exe

MD5 1c25676daa3fd9931483b6a9958cf6d4
SHA1 b49855c8616ef9919c0f092fb201d1a2ebe64f3f
SHA256 322729e6b7603859b94f5a138dcd51e89594a410ed0218483ba8063f83c6b205
SHA512 bcac67d93cb8f3ec4da47495936a8ef871cb8a3111fae89f5b7e0bb42fee4d11daaa2834a355d7b08170bf3ccaabf599255ba019061b7907bb4cfa4d9ca43fb8

C:\Windows\system\BJOGPVI.exe

MD5 f2d09c3cfe62f30f8124b793498bb5c6
SHA1 5edb40899c9b47457b9d180e2c69827edfc34e16
SHA256 ea28bdd5e8d85d0209dbb5c7697d7f6962e94cc4a19cc002409fb55b3e11450f
SHA512 10c4dcc9d372f96a1d140f641e4d9365b8dd38b5d3dc799e527b9d52e3b2f3ebf2f146111d9c1f2fd6e95004e589e6a37979fb00515f3f446aaf8c03fe188923

C:\Windows\system\nObuiaz.exe

MD5 c54c684a9f41aefdb1b66df4345bde7b
SHA1 63842b0dad05cbcabdb09f38bce66a33704db7ca
SHA256 c652756b1c5644ebc5366c3fff2ea51ec248cbf48926b206ad478588b50fb9ef
SHA512 9adfd409e404cd25b257e3caeb52e3d1e1037a397e496f6e0a25718b7c01f43aaa7f651d1ef4abdf217187873e959497bc1d195f4152e703dafd6096a79194d0

memory/2008-15-0x000000013FF20000-0x0000000140274000-memory.dmp

\Windows\system\QkVvcvz.exe

MD5 17bf992a6b1776985701daad1a6ac737
SHA1 d61b65a41cb27324cc456220a9dd51b82133c09a
SHA256 ad8a3551b94741e1a28817d5207c212d53aea65cabafeb373c588e47c38f2219
SHA512 469223cd870670894cf10c52b5d108c7d07563624970b79b1e0fa6c76e244ed642cc5a3574d2dfb875f17f16879d8812fb73a260c54890d61cc7d4ea9af7d479

C:\Windows\system\GTUhRmm.exe

MD5 f58422586bc3dc224773c2b35f7a9c2b
SHA1 7005c4b7f2b4c210261fbe5d1ece331a48bc6070
SHA256 52cb104d957c7b6e86dabbd73e756d8771175c376b72015654a3e8a275379d2b
SHA512 60cd335c1b562f989a34686114e174293d3bcd156c7074d565a73921c3f4e3a3056ef38486ebff7b805b4021a35134064694dfc21910dc2e790cd5ccfc63ba81

\Windows\system\qHVOVvj.exe

MD5 499314ddff7c1fc3a86ccfd07dbb8331
SHA1 a4c1f421575d29748ede1219ee00feecf6206f59
SHA256 428834348c7c8965fadfd94de06c89360e88d2f9878a1e15a615da77ba7a499e
SHA512 c4fbba9a63364dd18882c326884059d1557ac0ffd82acbb2909bac3c9c9fa620512576b009f522c746cf048a58cc45f4cecc5b3ecb61f54f15b0282978051c15

memory/2476-29-0x000000013FF80000-0x00000001402D4000-memory.dmp

\Windows\system\BBHhSKL.exe

MD5 3b19e46520febbbc64a04aa192f73e97
SHA1 202480729addf47c1f2be8b0cc1ed557404049b2
SHA256 be0a77d8f998756f5dd19b0f232f892980d1f559a9ad48b7e457e65b392ad8d9
SHA512 f824ce13009947b4f7f25a5bca140e7b50180526ad1b637508024d339769179e9e6bf97d1c3cb689fbeff384ee7761cea43e7eb56b06c5b44b9bc80f5c40d68e

\Windows\system\BspqvTK.exe

MD5 d67d6e8793197f964655b27a4e0794b0
SHA1 f381c59194acb620b1eac060bd8d3b73a57b1344
SHA256 8633277b61ec34cf8f8dceb6f436b4b945b2a1758824a2a1735ead16e5be75f4
SHA512 174b0ab441f3a346e510dfe98be9e870f69cc94fa0c0277fe4d8b83c755c5228a1ec140390805312fbfc168aa62efec1826d0ac49e7c3270e343b42c711e3f4d

memory/2008-40-0x000000013FDF0000-0x0000000140144000-memory.dmp

\Windows\system\QpHoIUG.exe

MD5 04949db1b21347a621983e277a755335
SHA1 b1bf634ac9c6ef368b68e1448efe5287a55f5fa6
SHA256 84c67e4149d4792266ce1b05443952f54f9d786b4f1e596b22ea79c0eab4fc8a
SHA512 8eea845870f99e9ae1f315db7127ca0b8833b55d09da35362d3bd0d5dbabe8dde4f3fd07fecfe39636d04a4ebd5b67bc65694a4ea5cbe53210675a7361dddcb0

memory/2460-49-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2008-48-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2008-47-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2544-46-0x000000013FDF0000-0x0000000140144000-memory.dmp

\Windows\system\ogIXFjx.exe

MD5 a52c2514842299b1237ff8c21cdf772f
SHA1 90626e71e004a2fb90e133bb06853d36ca2fea00
SHA256 07055e14263bcf59fdbebd485415b695a0f4b39a6c5322925770abce41c6d2c2
SHA512 fbceb400e5666ea6393b55e2a409b942634db70eea444f587a37ee5e412625b9e40773af75d65ace0a7572c4e61590f1b15fe30bcfb036aecbd714e91377c27d

\Windows\system\RGXlPyy.exe

MD5 c941071465503833774f93d976994f7c
SHA1 24250c121c5797bb949fb9e8f4e2fa4827c7d503
SHA256 98df3d0ee29b282b7e88fecf6679ff612c2dfb4cfb9bd9790e4ad1d6eb7b21e5
SHA512 cb794a80ae469bf0385fab3619729f4fff48851fb22af8757f5a46686dfb1beb547ecb57c2aa25e1ba097ebc4b79035531670f2f48e84eed8389b3ddc4623d3f

memory/2008-57-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2604-64-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

\Windows\system\BUGYXYr.exe

MD5 61773f0276bec5f2359dab937ccae4ee
SHA1 f7ab407588477cf0a1ab9eb07e038a7659732b26
SHA256 7abe16e3d5436284d04fd56f3f0434553cb81fa8bece5efb1f30ead23902dcf3
SHA512 e87fbc1a6cab20af8a6210fe09ad96b56394649cd4ddb1e62c7726f88cad28b5dfa5136643c79bb58334ae28d20fb9c07684f500742df8652813d1f09a6c8d01

memory/2008-71-0x000000013F820000-0x000000013FB74000-memory.dmp

memory/2788-70-0x000000013F220000-0x000000013F574000-memory.dmp

memory/2008-79-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/2008-81-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2756-84-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2008-88-0x000000013F030000-0x000000013F384000-memory.dmp

\Windows\system\rFYWHuV.exe

MD5 c38ab1a5542d6215cfdd0032255dcf3a
SHA1 961e45d172e1963cc64d9166938260adf865fe1a
SHA256 0969f736736f0a6f3e63f2d930faf8b251b4abd8ab808b5c4188ed457b985e25
SHA512 a16874df4e367899afc7ad35af5d3a1ae8b7e2b7fd3ae1fdf3ca4a65570b402e98dcf38caa2c38b02855768d7f6950b521be9e6b6ffaead3a07f5e231cd4502b

memory/772-86-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2008-85-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2008-83-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/2448-82-0x000000013F820000-0x000000013FB74000-memory.dmp

memory/2488-80-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2948-78-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/1912-77-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/2008-76-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/2008-74-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2524-72-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/2008-127-0x000000013FBC0000-0x000000013FF14000-memory.dmp

\Windows\system\pJAnuop.exe

MD5 c37a8eec2865e30a401afbd538b1b24e
SHA1 8593d03ea81008479e2fb5e2781281038070e801
SHA256 e93dce7c17b43c43e08e3e40ce159f9fb89969256fbdade656b8f751989ca52a
SHA512 9c9c45596b5da3e0d94b5ffb636c648b2c171c0e1e0654529543c4feafa5db1a1f4429d5ffd874acd3190793747eb1fcd4cfa7667b287a70148d0958a2c31605

C:\Windows\system\vaHkYqO.exe

MD5 f6ec695fa45369b650771729bdfe3d78
SHA1 be24a6fd08b208eb0b2cca83a98d818aaee6ad48
SHA256 4798e17535fab21242f5399311c557f2d3d1e6884bfca6dce19db47bbd85947b
SHA512 25768a2122cb529481b5f6858994317dd92b46fced7fc9300f3f449bb7e83af246296a70056ea4eabca49f9ff872aacbef0704e9cc41348a64ab05e0c01cc888

C:\Windows\system\uVHpphp.exe

MD5 b1732dc547d331fe08eedb16e15e715e
SHA1 6c99d96f1f2c4f477a1e007c7a42c5b7c69240ef
SHA256 2d3c81b848b7a2b766917c48604c65d8f27bd6dff4efc943dd05008c7ef3815f
SHA512 027c11bf72ce792fece756c140202ff59f539e585366a2b36d863d12e537f55481661be33e955e9f7bb518d18770ff844812aae28cb41910da8da5943dd942cf

\Windows\system\CEBuFWv.exe

MD5 cf91153025284aaf2a0a4eb376fc75ce
SHA1 c624b1bc4b21fda0e30c6484749c2761fef5d75f
SHA256 481a82f034212bae606f9f4643022064b853ecb8dab1b16d8574578995c5c6eb
SHA512 55ed723d070272c8396f4149bc8a1b5893135e8de5a8d11ef0bb45801908077fe8e52dad4564af69a54814d294bf4af5553e498142c00f5697208a0441f4adbc

C:\Windows\system\gADwCui.exe

MD5 2391cf2ecfe1ed5421065198f4380abb
SHA1 48781e3aa42304f2623f6c5bded459a11599dc0c
SHA256 7ef1eeacc53016fc2f6ae50e63ba3bbb921f28deb4dfafdf4c5760e7f2840d7d
SHA512 935345ca3e65f771b9feea006551f2e9ab64e35819a8e3b5b3fb9b3983debe42a4121fd60006c7bd4abdca320619e742a5eb2e8e7992eefcd15f9f8135e5c721

memory/1216-129-0x000000013FBC0000-0x000000013FF14000-memory.dmp

C:\Windows\system\XFdHwyj.exe

MD5 4a4b0dda5fb3d5a4161ecd1caaab6d4a
SHA1 02ad61dcbf765957c2d1aa0a376656c3c2191fb5
SHA256 73582387cfb2114433272b95a38dee423dfd4828e3295b4d9dd24edb7b824c1a
SHA512 f6dd7212478d64593054aa1da1136556372c9e5021e02223fe08ba3dbc2f832ad60836d2893764fff7ffc73340b81426ef07729653362a1b3c1833ecb2224895

memory/2008-125-0x0000000002400000-0x0000000002754000-memory.dmp

C:\Windows\system\oMWvlTO.exe

MD5 4f6a7d430593a4115387876c86fa3858
SHA1 c9976c3db10326335c73fb3ed44976c777cc6e9a
SHA256 e92e9f7a4334a767096602da5b80a5cd5f2f0cafdfcf7260ef78247ce3dbf163
SHA512 3e32f120c540f29a208fe1cfcd1cc821912e4c42dad735eeb7c3f2d87319c3821c033b43283750e1fcb95898a1fa9108283d5212665e14ff9214f38a0cb89d25

C:\Windows\system\AbUvely.exe

MD5 6cf2289a984480d52046b3d7384d33e3
SHA1 f4147bf8481aef883770c5c7f5903d39c697f4de
SHA256 824c002eee79b30c4bd3138f1ac4fa094b3ec8417b4d2c43a70d861f6264bf85
SHA512 0cbfe5868cdc957faa354ce9906520b9c080f13f98b20cdea8e1fbb5db0b665eaec4c4229ff2d811e467994509b2a36d0873496459098fff863e1aa4e14913af

memory/1924-92-0x000000013F030000-0x000000013F384000-memory.dmp

memory/2008-136-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2008-137-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/1924-138-0x000000013F030000-0x000000013F384000-memory.dmp

memory/2476-139-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/2948-140-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2544-141-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2488-142-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2460-143-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2604-144-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2788-145-0x000000013F220000-0x000000013F574000-memory.dmp

memory/2448-146-0x000000013F820000-0x000000013FB74000-memory.dmp

memory/2524-147-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/2756-148-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/1912-149-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/772-150-0x000000013F420000-0x000000013F774000-memory.dmp

memory/1924-151-0x000000013F030000-0x000000013F384000-memory.dmp

memory/1216-152-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-01 15:34

Reported 2024-06-01 15:37

Platform win10v2004-20240508-en

Max time kernel 149s

Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches, all with description, indicator, process and target recorded as N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches, all with description, indicator, process and target recorded as N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
64 matches, all with description, indicator, process and target recorded as N/A

XMRig Miner payload

miner
Description Indicator Process Target
64 matches, all with description, indicator, process and target recorded as N/A

UPX packed file

upx
Description Indicator Process Target
64 matches, all with description, indicator, process and target recorded as N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\RQBLbKT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BDsxbXW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eZBBvVj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FIeuxyh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aYSJysk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gaUGNuT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fyqaHOX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sQKwaUC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cFrGEfU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vurNcLD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lxHKnoj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cHvZDjR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qkskHTO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jlwvyRh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OFPYUCM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BCLhryI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GZpDgOg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vmWjnAp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MWsPRHw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qkXuwMs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jiAcqsV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
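
The only privilege this detonation enables is SeLockMemoryPrivilege, which is what XMRig asks for so it can back its RandomX scratchpad with large pages (VirtualAlloc with MEM_LARGE_PAGES requires it). On a production host the same action surfaces as Windows Security event 4703 ("A user right was adjusted") when the Authorization Policy Change subcategory is audited; that event is noisy because service hosts adjust token rights constantly, so a useful detection keys on the specific privilege and an allowlist of images that legitimately lock pages. The following is an added example, not part of the sandbox report: it scans constructed 4703-style records (flattened into key="value" text, a format assumed for this example) and flags any non-allowlisted image that enables the privilege. The first record reuses this sample's own PID and path from the report; the SQL Server allowlist entry is an assumption to illustrate the exception case.

```python
"""Flag processes that enable SeLockMemoryPrivilege.

Added example, not part of the sandbox report. The records below imitate the
fields of Windows Security event 4703 ("A user right was adjusted") flattened
into key="value" text; they are constructed for this example, and the PID and
path of the first one are the sample's own from this report.
"""
import re
from dataclasses import dataclass

WATCHED_PRIVILEGE = "SeLockMemoryPrivilege"

# Assumed allowlist of images that legitimately lock pages in memory
# (SQL Server with "Lock pages in memory" is the usual case). Tune per estate.
ALLOWED_IMAGES = {
    r"c:\program files\microsoft sql server\mssql15.mssqlserver\mssql\binn\sqlservr.exe",
}

SAMPLE_EVENTS = [
    # the sample from this report enabling the privilege (4703 stores the PID in hex)
    'EventID="4703" ProcessId="0x13d8" '
    'ProcessName="C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe" '
    'EnabledPrivilegeList="SeLockMemoryPrivilege" DisabledPrivilegeList="-"',
    # allowlisted: SQL Server doing the same thing legitimately
    'EventID="4703" ProcessId="0x8c4" '
    'ProcessName="C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe" '
    'EnabledPrivilegeList="SeLockMemoryPrivilege" DisabledPrivilegeList="-"',
    # unrelated privileges: not flagged
    'EventID="4703" ProcessId="0x1a4" ProcessName="C:\\Windows\\System32\\svchost.exe" '
    'EnabledPrivilegeList="SeBackupPrivilege, SeRestorePrivilege" DisabledPrivilegeList="-"',
    # wrong event id: ignored even though the privilege string appears
    'EventID="4688" ProcessId="0x13d8" ProcessName="C:\\Windows\\System\\jiAcqsV.exe" '
    'EnabledPrivilegeList="SeLockMemoryPrivilege"',
]


@dataclass(frozen=True)
class Finding:
    process_id: int
    process_name: str
    privilege: str


def parse_record(record: str) -> dict:
    """Split a flattened key="value" record into a dict."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', record)}


def find_lock_memory_enables(records):
    """Return a Finding for every 4703 that enables the watched privilege
    from an image that is not on the allowlist."""
    findings = []
    for rec in records:
        f = parse_record(rec)
        if f.get("EventID") != "4703":
            continue
        # 4703 lists several privileges separated by whitespace/newlines
        enabled = set(re.split(r"[,\s]+", f.get("EnabledPrivilegeList", "").strip()))
        if WATCHED_PRIVILEGE not in enabled:
            continue
        image = f.get("ProcessName", "")
        if image.lower() in ALLOWED_IMAGES:
            continue
        # base 0 lets int() accept both "0x13d8" (event XML) and "5080"
        findings.append(Finding(int(f.get("ProcessId", "0"), 0), image, WATCHED_PRIVILEGE))
    return findings


if __name__ == "__main__":
    for hit in find_lock_memory_enables(SAMPLE_EVENTS):
        print(f"pid {hit.process_id}: {hit.process_name} enabled {hit.privilege}")
```

Run stand-alone it prints one line, for PID 5080. Keying on the privilege name rather than on the "AdjustPrivilegeToken" behaviour as a whole is what keeps the false-positive rate workable; the allowlist should be by full image path, never by file name, because the drops in this report are arbitrary seven-letter names under C:\Windows\System.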

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5080 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\jiAcqsV.exe
PID 5080 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\jiAcqsV.exe
PID 5080 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\gaUGNuT.exe
PID 5080 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\gaUGNuT.exe
PID 5080 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\MWsPRHw.exe
PID 5080 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\MWsPRHw.exe
PID 5080 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\qkskHTO.exe
PID 5080 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\qkskHTO.exe
PID 5080 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\qkXuwMs.exe
PID 5080 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\qkXuwMs.exe
PID 5080 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fyqaHOX.exe
PID 5080 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\fyqaHOX.exe
PID 5080 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\sQKwaUC.exe
PID 5080 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\sQKwaUC.exe
PID 5080 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\jlwvyRh.exe
PID 5080 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\jlwvyRh.exe
PID 5080 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\OFPYUCM.exe
PID 5080 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\OFPYUCM.exe
PID 5080 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\cFrGEfU.exe
PID 5080 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\cFrGEfU.exe
PID 5080 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\vurNcLD.exe
PID 5080 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\vurNcLD.exe
PID 5080 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BCLhryI.exe
PID 5080 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BCLhryI.exe
PID 5080 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\lxHKnoj.exe
PID 5080 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\lxHKnoj.exe
PID 5080 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\RQBLbKT.exe
PID 5080 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\RQBLbKT.exe
PID 5080 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BDsxbXW.exe
PID 5080 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BDsxbXW.exe
PID 5080 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\GZpDgOg.exe
PID 5080 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\GZpDgOg.exe
PID 5080 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\eZBBvVj.exe
PID 5080 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\eZBBvVj.exe
PID 5080 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FIeuxyh.exe
PID 5080 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\FIeuxyh.exe
PID 5080 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\vmWjnAp.exe
PID 5080 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\vmWjnAp.exe
PID 5080 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\aYSJysk.exe
PID 5080 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\aYSJysk.exe
PID 5080 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\cHvZDjR.exe
PID 5080 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\cHvZDjR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\jiAcqsV.exe

C:\Windows\System\jiAcqsV.exe

C:\Windows\System\gaUGNuT.exe

C:\Windows\System\gaUGNuT.exe

C:\Windows\System\MWsPRHw.exe

C:\Windows\System\MWsPRHw.exe

C:\Windows\System\qkskHTO.exe

C:\Windows\System\qkskHTO.exe

C:\Windows\System\qkXuwMs.exe

C:\Windows\System\qkXuwMs.exe

C:\Windows\System\fyqaHOX.exe

C:\Windows\System\fyqaHOX.exe

C:\Windows\System\sQKwaUC.exe

C:\Windows\System\sQKwaUC.exe

C:\Windows\System\jlwvyRh.exe

C:\Windows\System\jlwvyRh.exe

C:\Windows\System\OFPYUCM.exe

C:\Windows\System\OFPYUCM.exe

C:\Windows\System\cFrGEfU.exe

C:\Windows\System\cFrGEfU.exe

C:\Windows\System\vurNcLD.exe

C:\Windows\System\vurNcLD.exe

C:\Windows\System\BCLhryI.exe

C:\Windows\System\BCLhryI.exe

C:\Windows\System\lxHKnoj.exe

C:\Windows\System\lxHKnoj.exe

C:\Windows\System\RQBLbKT.exe

C:\Windows\System\RQBLbKT.exe

C:\Windows\System\BDsxbXW.exe

C:\Windows\System\BDsxbXW.exe

C:\Windows\System\GZpDgOg.exe

C:\Windows\System\GZpDgOg.exe

C:\Windows\System\eZBBvVj.exe

C:\Windows\System\eZBBvVj.exe

C:\Windows\System\FIeuxyh.exe

C:\Windows\System\FIeuxyh.exe

C:\Windows\System\vmWjnAp.exe

C:\Windows\System\vmWjnAp.exe

C:\Windows\System\aYSJysk.exe

C:\Windows\System\aYSJysk.exe

C:\Windows\System\cHvZDjR.exe

C:\Windows\System\cHvZDjR.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 33.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/5080-0-0x00007FF6560D0000-0x00007FF656424000-memory.dmp

memory/5080-1-0x00000265227C0000-0x00000265227D0000-memory.dmp

C:\Windows\System\jiAcqsV.exe

MD5 a9b669a4c0307ec40164a4cd60ec4d46
SHA1 26978867e95c5ca4b5b6e41f386f2920586559a6
SHA256 508f5822c94a3fb43aa6cc5deb53abbf91223d4b13c734840d72d98ba2289089
SHA512 90411f1703d815b165fbbcb9b67a5fdc26a304d45e55956ea619a49664059a89f6ed29749762abd09a93ffdf63d37c600bb4588c891e0386db30093154a85b33

memory/4536-8-0x00007FF722930000-0x00007FF722C84000-memory.dmp

C:\Windows\System\MWsPRHw.exe

MD5 84fef257f4511d9cc2bb7b88a15aced2
SHA1 8731f9dd664e6dbe1328c50dfc5ab221a60f1d24
SHA256 9583240fd17358299967e6225f3b9b42bea2be4a50dcd7987621bbad5d59d38f
SHA512 2e48b5fbb71e6a6a777ea1137359d204241f7a18eba0e960e3d0dfbd4c6c981568e074e752c2ea450708b0f5f234ac77ea5d0a05f435c4f4bebe682da3ad6cb2

C:\Windows\System\gaUGNuT.exe

MD5 d81cd64591b936ca25e6483da07bdb36
SHA1 1910c49e1803b99f620c3d6cf0fdf839e25d9a49
SHA256 74d15b31b0c668086bb8a51393f8fb75f5d2c99c5b0822b6d2591a172935293e
SHA512 cea767df6c0a9f252e1d426f071cf1cc99d4c6531b2789da8a44bccd03fd70087d1b679f9bae5f1e550c73bc2869c996bd5b7f54746e0a301ad8e5498f7e65d4

memory/2772-14-0x00007FF77E4A0000-0x00007FF77E7F4000-memory.dmp

memory/3148-20-0x00007FF6D03C0000-0x00007FF6D0714000-memory.dmp

C:\Windows\System\qkskHTO.exe

MD5 73262aec8f5dc200233471fc449a25d0
SHA1 1c139dde957b7c751e10717616c1eb965c11efea
SHA256 4ee6c4a0b9ae91e4a0b37b17cae2a9d003f4d6a20d07bce1fee67626affb0720
SHA512 f603e4e50261e20bf45065833935fffc92ef9374d77bf5a744e1ead0cbfd98a43633d74a03990672923037b6239d6f2e4364ef2fc6207ffc1aac520b714180f8

C:\Windows\System\qkXuwMs.exe

MD5 d153dbc749e60cc9fb5a0031d98a34c4
SHA1 66035ab2eefa1d6ac7c007d3cce0409956d2a89e
SHA256 96a7ff26c14ccbe80a0da203f364e4711e0626a0aebca997d69f05f15bc5758a
SHA512 2afc3364af0368bc4911c68b8d62372b35ef71daf3390d80884304a6257bbda6883ddd6c7c98592137e1401a024b9328516fb9b9fb175d9419cb70f48e14b23e

memory/4560-27-0x00007FF6D53A0000-0x00007FF6D56F4000-memory.dmp

memory/4868-32-0x00007FF699550000-0x00007FF6998A4000-memory.dmp

C:\Windows\System\fyqaHOX.exe

MD5 bc49593d84c3b11d88e8c06bd3ca4bfa
SHA1 b5a5ebd8d036102d5a6d08b3daa116e70b30e3c7
SHA256 0e11ef4308e523ae2c78bb4fc15f020c9b245f031319134e4111c6988623d8f7
SHA512 c456bb3ad7029184d6c73df76b10e651fc7d100c3843fb739d34d71871dba87b2f5871b60812425b57f6d4bc2e1636c1989373018a2c429c8f8fbe5103e5f795

memory/1912-38-0x00007FF73E490000-0x00007FF73E7E4000-memory.dmp

C:\Windows\System\sQKwaUC.exe

MD5 99a76330f8e675f3ebb537dd766b89e2
SHA1 47a5fe210d19afe806b2152f67770a0278bd5215
SHA256 df0a3f4ac844723686b1581a42d034fddfcd3567817c02b554081ee69d5efd25
SHA512 3b2b249e6befaf80ef3c951e4157b4039a1664ad322a898e874405843108a333d18fd3aa71bec953e1c8616cc32ca059dadb635d380cf6dc3ddb0aee63a43643

C:\Windows\System\jlwvyRh.exe

MD5 71601f91c0c514a502f72c1a38b7ab03
SHA1 7e34c2c1744347c30afbdac89d77e79ba93baef2
SHA256 12febf2d1593fdf0b0e55ac00d937ec837444d91855aac3bc442e2fb5e9f8a93
SHA512 a5a4269e328c4cb066a47634887f3400aa75afc987eaa1d09e6947334f3cc8a89189b7dc03f93e515314624ef9e510c1771be95595b5fe590467789e082f2fcf

C:\Windows\System\OFPYUCM.exe

MD5 656f2bdc52e3322cf487ce4d1c2eda54
SHA1 6d67803abe5f1e08cf9376f3987560824b33a215
SHA256 2759313c8c96a0f521f41c47e610f467ce5467821d1c74d1f5b1baef75f24924
SHA512 080edd161584cf3aa0ec5d59ffa6250ec3179fa155e1699570247cc64f60aa4544d759ad1281d10bbeb36c3c882fe82e2f01499f15752e73f7deab34b0d7be17

C:\Windows\System\cFrGEfU.exe

MD5 389b212e17b57c4097fab11ad3b7b114
SHA1 f4aa2107faf003786159b12244ddf45e6f0517c8
SHA256 0fdc1edd4e31d5081febfea5bef26f3cbd03f4d2420bbf1286b5f32c1866121e
SHA512 3a3bc6917054f325078251a1e3c9729319aba4094547f79c19a226f93ea705ba68514f27680126073b27e32e312d745c53a2b6c8685b650d17f8d17974a682ca

C:\Windows\System\BCLhryI.exe

MD5 ba4eab81a04237f4a06967581367ed20
SHA1 f906bb717c3c43855ca52e066e5793df99098e9c
SHA256 6e501abc97c88517560bf43f7b672df7af608ec4a2c3ceabc24d45659c9e2325
SHA512 ebdca2f16713d1b541e980ea9eb0264fe7bef86b616888347127f313901687d7c18602f8b4d9945a497440485e4c7409a40b70953a3b0442b9130e85dc1896bc

memory/2772-70-0x00007FF77E4A0000-0x00007FF77E7F4000-memory.dmp

C:\Windows\System\lxHKnoj.exe

MD5 eaa99260767cc8e069f1b2c810d7aa02
SHA1 b06e53a47403664f4bfbdbdac0ee0b967f4a8c91
SHA256 93e150d700a797a711aeff750dd81de2779713148a9c11ed09578f63f8f0f8d1
SHA512 7b50dd7ce30fbee56f4fc2007ad3959b8b6543ce547f6771ac4bd05a4877f7ba1146e413a9b0c831cd6bb4cd09f247c9891672ba4bce9a8177a3f71aa531a50e

C:\Windows\System\vurNcLD.exe

MD5 b1d0a10de3e0064ca01d54ee413a7f96
SHA1 9a686d8605f5fa4604391aaf3b8e5d0bde6df395
SHA256 927d64e4da27fb3155990b5205416c69b1304b2dfbe977f610ad0019d690bffa
SHA512 d9a026b26b5b7136b4c6bd9fd8bc338d6b92237c9218bc2c4e7afa556c132ebd55abeb6f31be43b518c923250f7868fb490cb4a50b0a877c4db29c1d4551b283

memory/3148-82-0x00007FF6D03C0000-0x00007FF6D0714000-memory.dmp

memory/4640-83-0x00007FF76ACF0000-0x00007FF76B044000-memory.dmp

memory/4472-73-0x00007FF6D0DC0000-0x00007FF6D1114000-memory.dmp

memory/916-65-0x00007FF68C100000-0x00007FF68C454000-memory.dmp

memory/1988-64-0x00007FF7F0D10000-0x00007FF7F1064000-memory.dmp

memory/5080-62-0x00007FF6560D0000-0x00007FF656424000-memory.dmp

memory/4208-56-0x00007FF7FBDE0000-0x00007FF7FC134000-memory.dmp

memory/4516-50-0x00007FF6CD880000-0x00007FF6CDBD4000-memory.dmp

memory/3168-44-0x00007FF726C90000-0x00007FF726FE4000-memory.dmp

memory/1860-87-0x00007FF788FC0000-0x00007FF789314000-memory.dmp

C:\Windows\System\RQBLbKT.exe

MD5 5a877d4898b874e76920ec9b558c4f1f
SHA1 ad0a36128ff0c8e907e0d7099751d05161c86a9a
SHA256 7e3b3048c970a30dad412ca99c0fb3bd7e932a7d16ca199bc875a319c6b658ff
SHA512 fdeb880ee84b295469ed5061c4da9090eaf2e06cab1c49024ee1fef99fd2ca53680781d65d737d5d000cdc83d02f49a4e40aca17f55be2f0be87f2ce74638223

C:\Windows\System\BDsxbXW.exe

MD5 b7fc4e223828e0da4a3043384c0ccd4e
SHA1 cbefde1f6b70f01a3bc169820f048fa33e96460e
SHA256 27139fac178e71715ed4ad7b8bc5a36023a3e1dc7aef2ed27184e92503214750
SHA512 a62246a662f34654df9e6fdbbd71508b5b2d66121aca527288debb99979e82c33bc3cfaa3a9de990237da568237e99cde35878f8f222dc24b721927e8546a12c

C:\Windows\System\GZpDgOg.exe

MD5 aefd5d031ae7d74ced7ac1468d271bbb
SHA1 ca699895dd5b458cd5e0e5cfe17b7ac0ef9dc926
SHA256 b005b79cfa46b8d02bf2e6928afaef32b79ee8357dfd064546d4d4e3d6be0516
SHA512 0083d1c65896ac5f38537065252b683b695cb9c8992f034539d88794dcd6e4466eb262d924379e8319450d4d06bbc751d7b1320dd5f493d73e34fd935e29cdea

memory/4548-101-0x00007FF611CB0000-0x00007FF612004000-memory.dmp

C:\Windows\System\eZBBvVj.exe

MD5 748fd6e5c4cfdd8c1fb51d72df5a161a
SHA1 82cd9d8d8957a2e9c98b8b99d7407dee9b6f3585
SHA256 a30d6599b03d625c936cb5f1451b7477765aa983ac20a9c6d851aeaf7ca3d43c
SHA512 5553401b019d259ef701e3211023e59754356556fb3cb942f575552b355326d5c3b15e8520c18171b73cdf6fd5461b89502da6d1d6112aaf1747159a1e43caf5

memory/1596-95-0x00007FF616070000-0x00007FF6163C4000-memory.dmp

memory/4192-107-0x00007FF714CE0000-0x00007FF715034000-memory.dmp

C:\Windows\System\FIeuxyh.exe

MD5 04004bb73ccdec31c79e8809b56945c1
SHA1 f0c32a8969ccd6bb6a5bf983826cc03b371f2c4b
SHA256 87ae0989d693976cb7d30303dc6b52b691fa22beee64d18ba192b5c62ce26de3
SHA512 3a24717aa24c2ccbf2770e77dd3a75a0eb2950485cee8e271d6c1a495875c7c93157243f595073c33cc680604ccd8d9a1ef3bccf4d7394b137d446b79be6ebd9

memory/616-117-0x00007FF7E1DD0000-0x00007FF7E2124000-memory.dmp

C:\Windows\System\vmWjnAp.exe

MD5 885ef28a17e8ec5f025ab8f42313663e
SHA1 8b91d28e419d8f42e0f29d12d5ede4ee41b9fec1
SHA256 1f4f1af7103b907e6c36325e65c60c399b8651fcfe1adadbe15a04fe6d60099e
SHA512 20a788ec0ade1e56447b4c25e61a238aefa614fcc4ae90c02587d6ab7f147001a7a27ae05ec4d819f0e6697910e5ba8991be8b71fbcbe547386d1e86593d2256

memory/3584-126-0x00007FF7DC320000-0x00007FF7DC674000-memory.dmp

C:\Windows\System\aYSJysk.exe

MD5 c82817e361cb2c86f24e8f419fa2f304
SHA1 04737f3a6e4f4df4e8832e74bada51d54bf7dd41
SHA256 d269fc299624aa30ca31c8180ae0ac05c2e3833cd6a3b9d179b2e626500e9b7a
SHA512 d0fef634d045829fcb40430de6eb4ac23d4b9446f2712fd471286b07393b29efdb990002206e26548d577587df49248a1307ac5cd69b91bc721c02103e5f6173

C:\Windows\System\cHvZDjR.exe

MD5 c64dab19d9ad30b3fd4c13d2e0b84784
SHA1 dedee006f5bd32bb86078981b677c0f56503f6ee
SHA256 d0f82fb3a75d5cbb3ae6e452f74ac53e34389fe37280fa5664da1147acfd436c
SHA512 986d13edd0305035e7390deb9f165903c4e23e03897e5cbb0566dd4bba8b1ea4b128f311a61feb5fd3939ed7abe30a955b92d910c2593baea73164feaec19daa

memory/1988-124-0x00007FF7F0D10000-0x00007FF7F1064000-memory.dmp

memory/4208-122-0x00007FF7FBDE0000-0x00007FF7FC134000-memory.dmp

memory/1656-131-0x00007FF6DF9C0000-0x00007FF6DFD14000-memory.dmp

memory/1464-132-0x00007FF75BF80000-0x00007FF75C2D4000-memory.dmp

memory/916-133-0x00007FF68C100000-0x00007FF68C454000-memory.dmp

memory/4472-134-0x00007FF6D0DC0000-0x00007FF6D1114000-memory.dmp

memory/1860-135-0x00007FF788FC0000-0x00007FF789314000-memory.dmp

memory/1656-136-0x00007FF6DF9C0000-0x00007FF6DFD14000-memory.dmp

memory/4536-137-0x00007FF722930000-0x00007FF722C84000-memory.dmp

memory/2772-138-0x00007FF77E4A0000-0x00007FF77E7F4000-memory.dmp

memory/3148-139-0x00007FF6D03C0000-0x00007FF6D0714000-memory.dmp

memory/4560-140-0x00007FF6D53A0000-0x00007FF6D56F4000-memory.dmp

memory/4868-141-0x00007FF699550000-0x00007FF6998A4000-memory.dmp

memory/1912-142-0x00007FF73E490000-0x00007FF73E7E4000-memory.dmp

memory/3168-143-0x00007FF726C90000-0x00007FF726FE4000-memory.dmp

memory/4516-144-0x00007FF6CD880000-0x00007FF6CDBD4000-memory.dmp

memory/4208-145-0x00007FF7FBDE0000-0x00007FF7FC134000-memory.dmp

memory/1988-146-0x00007FF7F0D10000-0x00007FF7F1064000-memory.dmp

memory/916-148-0x00007FF68C100000-0x00007FF68C454000-memory.dmp

memory/4640-149-0x00007FF76ACF0000-0x00007FF76B044000-memory.dmp

memory/4472-147-0x00007FF6D0DC0000-0x00007FF6D1114000-memory.dmp

memory/1596-150-0x00007FF616070000-0x00007FF6163C4000-memory.dmp

memory/1860-151-0x00007FF788FC0000-0x00007FF789314000-memory.dmp

memory/4548-152-0x00007FF611CB0000-0x00007FF612004000-memory.dmp

memory/4192-153-0x00007FF714CE0000-0x00007FF715034000-memory.dmp

memory/616-154-0x00007FF7E1DD0000-0x00007FF7E2124000-memory.dmp

memory/3584-155-0x00007FF7DC320000-0x00007FF7DC674000-memory.dmp

memory/1656-156-0x00007FF6DF9C0000-0x00007FF6DFD14000-memory.dmp

memory/1464-157-0x00007FF75BF80000-0x00007FF75C2D4000-memory.dmp
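
The WriteProcessMemory rows give the parent-to-child PID mapping, the "Drops file in Windows directory" rows give the paths, and the Files section gives one memory dump per PID plus the on-disk hashes of each drop, but nothing on the page joins them. The following is an added example, not part of the sandbox report: it parses a constructed excerpt of this page's own rows, in the flattened text layout shown above, and joins them into one record per child process (dropped path, PID, dumped image base and size, SHA256). Running it over the full report shows what the excerpt already shows in miniature: every image region dumped here is 0x354000 bytes, although every drop has a different hash. The regex patterns and the "largest dumped region per PID is the mapped image" heuristic are assumptions made for this report's layout.

```python
"""Correlate a sandbox report's process, memory-dump and file-hash lines.

Added example, not part of the sandbox report. REPORT_EXCERPT is a constructed
subset of this report's own rows; the parsing assumes the flattened text
layout shown on this page.
"""
import re
from collections import defaultdict

REPORT_EXCERPT = r"""
File created C:\Windows\System\jiAcqsV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gaUGNuT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe N/A
PID 5080 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\jiAcqsV.exe
PID 5080 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe C:\Windows\System\gaUGNuT.exe
memory/5080-0-0x00007FF6560D0000-0x00007FF656424000-memory.dmp
memory/5080-1-0x00000265227C0000-0x00000265227D0000-memory.dmp
C:\Windows\System\jiAcqsV.exe
MD5 a9b669a4c0307ec40164a4cd60ec4d46
SHA1 26978867e95c5ca4b5b6e41f386f2920586559a6
SHA256 508f5822c94a3fb43aa6cc5deb53abbf91223d4b13c734840d72d98ba2289089
memory/4536-8-0x00007FF722930000-0x00007FF722C84000-memory.dmp
C:\Windows\System\gaUGNuT.exe
MD5 d81cd64591b936ca25e6483da07bdb36
SHA256 74d15b31b0c668086bb8a51393f8fb75f5d2c99c5b0822b6d2591a172935293e
memory/2772-14-0x00007FF77E4A0000-0x00007FF77E7F4000-memory.dmp
"""

# Row shapes as they appear in the flattened report (assumed for this layout)
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\\S+\.exe$", re.IGNORECASE)


def parse_report(text):
    """Extract drops, child PID -> path, PID -> dumped regions and path -> hashes."""
    drops = set()                 # casefolded paths created by the sample
    children = {}                 # child pid -> image path (WriteProcessMemory rows)
    regions = defaultdict(list)   # pid -> [(base, size)]
    hashes = defaultdict(dict)    # casefolded path -> {algo: digest}
    current = None                # path whose hash lines are being read
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := DROP_RE.match(line):
            drops.add(m.group(1).casefold())
        elif m := WPM_RE.match(line):
            children[int(m.group(2))] = m.group(4)
        elif m := MEM_RE.match(line):
            base, end = int(m.group(3), 16), int(m.group(4), 16)
            regions[int(m.group(1))].append((base, end - base))
        elif PATH_RE.match(line):
            current = line.casefold()
        elif (m := HASH_RE.match(line)) and current:
            hashes[current][m.group(1)] = m.group(2)
    return drops, children, regions, hashes


def correlate(text):
    """One record per child process: path, PID, image base/size, SHA256."""
    drops, children, regions, hashes = parse_report(text)
    rows = []
    for pid, path in sorted(children.items()):
        key = path.casefold()
        # heuristic: the largest dumped region of a pid is its mapped image
        base, size = max(regions.get(pid, [(0, 0)]), key=lambda r: r[1])
        rows.append({"pid": pid, "path": path, "dropped": key in drops,
                     "image_base": base, "image_size": size,
                     "sha256": hashes.get(key, {}).get("SHA256")})
    return rows


def image_size_set(text):
    """Distinct sizes of the largest dumped region per PID, parent included."""
    _, _, regions, _ = parse_report(text)
    return {max(s for _, s in regs) for regs in regions.values()}


if __name__ == "__main__":
    for r in correlate(REPORT_EXCERPT):
        print(f"{r['pid']:>5} {r['path']} base=0x{r['image_base']:X} "
              f"size=0x{r['image_size']:X} sha256={r['sha256']}")
    print("image sizes:", {hex(s) for s in image_size_set(REPORT_EXCERPT)})
```

The output is one line per drop plus the size set {0x354000}. Identical image size with a different hash per file is the pattern to carry into hunting: a file-hash blocklist built from this report will not match the next run of the same sample, whereas the image size, the seven-letter-name-under-C:\Windows\System drop location and the SeLockMemoryPrivilege use all survive it.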