Malware Analysis Report

2025-01-22 19:34

Sample ID 240601-vfmssahg84
Target 2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike
SHA256 2f4372d72cfa1becdfd9a66c22bcdede56633dd2de9dc2a0bbb625c0270f9f72
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2f4372d72cfa1becdfd9a66c22bcdede56633dd2de9dc2a0bbb625c0270f9f72

Threat Level: Known bad

The file 2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Families

xmrig (Xmrig family)
cobaltstrike (Cobaltstrike family)

Signatures (each listed once; the per-analysis sections below give match counts)

XMRig Miner payload
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
UPX packed file
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 16:56

Signatures

Static matches (one row each; the report records no description, indicator, process or target for them):

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE
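The two UPX signatures in this section are file-level checks. As an added example that is not part of the report or of the sandbox's rule set, the Python below reads the PE section table and evaluates the usual UPX heuristics (default section names, an empty first section, a high-entropy executable section, the `UPX!` marker). The two PE images it inspects are constructed in memory for illustration, not the sample itself, and the entropy threshold and the "two indicators" rule are assumptions of this example, not the sandbox's.

```python
"""Added example, not the sandbox's own signature logic: a minimal PE section
reader plus the heuristics that back a "UPX packed file" verdict.  The PE
images it analyses are constructed in memory below, not the real sample."""
import math
import random
import struct
from typing import Dict, List

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform random."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes) -> List[Dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", data, coff + 2)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = \
            SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
            "entropy": shannon_entropy(raw),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return sections


def upx_indicators(data: bytes) -> Dict[str, bool]:
    """Each heuristic separately, so an analyst can see which ones fired."""
    secs = parse_sections(data)
    names = {s["name"] for s in secs}
    return {
        # Default section names; trivially renamed by a modified packer.
        "upx_section_names": bool(names & {"UPX0", "UPX1", "UPX2"}),
        # UPX0 is reserved for the unpacked image: large in memory, zero bytes on disk.
        "empty_first_section": bool(secs) and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0,
        # The compressed image lives in an executable section with near-random bytes.
        "high_entropy_exec_section": any(s["executable"] and s["entropy"] > 7.0 for s in secs),
        # Version/marker string UPX leaves after the section headers.
        "upx_marker": b"UPX!" in data,
    }


def looks_upx_packed(data: bytes) -> bool:
    """Require two independent indicators so a renamed section alone does not decide."""
    return sum(upx_indicators(data).values()) >= 2


def build_sample_pe(packed: bool) -> bytes:
    """Constructed PE32+ image with just enough header to exercise the parser."""
    rng = random.Random(0x5A4D)
    if packed:
        bodies = [(b"UPX0", 0x30000, b""),        # empty on disk, large in memory
                  (b"UPX1", 0x1000, bytes(rng.getrandbits(8) for _ in range(0x1000)))]
        marker = b"UPX!"
    else:
        bodies = [(b".text", 0x1000, b"\x48\x89\xe5\x90\xc3" * 0x333)]   # low entropy
        marker = b""
    opt_size = 0xF0                                    # PE32+ optional header size
    hdr_end = 0x40 + 4 + 20 + opt_size + SECTION_HDR.size * len(bodies)
    raw_start = (hdr_end + len(marker) + 0x1FF) & ~0x1FF   # 512-byte file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(bodies), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)   # magic only, rest zeroed
    sect_hdrs, payload, ptr, va = b"", b"", raw_start, 0x1000
    for name, vsize, body in bodies:
        chars = 0x60000020 if body else 0xE0000080    # code|exec|read vs uninit|rwx
        sect_hdrs += SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, va, len(body),
                                      ptr if body else 0, 0, 0, 0, 0, chars)
        payload += body
        ptr += len(body)
        va += (vsize + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + opt + sect_hdrs + marker
    return image + b"\0" * (raw_start - len(image)) + payload


if __name__ == "__main__":
    for label, packed in (("packed", True), ("plain", False)):
        img = build_sample_pe(packed)
        print(label, looks_upx_packed(img), upx_indicators(img))
```

To run it against the real sample, pass the bytes of the file (open(path, "rb").read()) to looks_upx_packed. A positive result is normally confirmed with upx -d, which fails on samples whose UPX headers were altered; in that case the sandbox's "UPX dump on OEP" artifact is the faster route to the unpacked image.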

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 16:56

Reported

2024-06-01 16:58

Platform

win7-20240221-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

21 matches; the report records no description, indicator, process or target for any of them.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

21 matches; the report records no description, indicator, process or target for any of them.

UPX dump on OEP (original entry point)

54 matches; the report records no description, indicator, process or target for any of them.

XMRig Miner payload

miner
57 matches; the report records no description, indicator, process or target for any of them.

Loads dropped DLL

21 matches; Process is C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe for every row, with no description, indicator or target recorded.

UPX packed file

upx
54 matches; the report records no description, indicator, process or target for any of them.

Drops file in Windows directory

Process (every row): C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe

21 files created (Description "File created"; no indicator or target recorded):

C:\Windows\System\FMLIPQd.exe
C:\Windows\System\oFQVtYi.exe
C:\Windows\System\iRdZYIo.exe
C:\Windows\System\DIBusxG.exe
C:\Windows\System\zxXsPLO.exe
C:\Windows\System\wsxEreu.exe
C:\Windows\System\zvngCiZ.exe
C:\Windows\System\cwexuUh.exe
C:\Windows\System\yQOakjf.exe
C:\Windows\System\guMaJFa.exe
C:\Windows\System\pqoqwEV.exe
C:\Windows\System\sglOgJh.exe
C:\Windows\System\DvuCSFw.exe
C:\Windows\System\BasXHHP.exe
C:\Windows\System\HFBErsU.exe
C:\Windows\System\Ayvcffu.exe
C:\Windows\System\kXEiVWE.exe
C:\Windows\System\OrIkreF.exe
C:\Windows\System\aCdNqlV.exe
C:\Windows\System\pNPlEhB.exe
C:\Windows\System\pWaCjuc.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig enables to allocate large pages for its RandomX memory, so these two rows fit the XMRig Miner payload verdict. On their own they only show that the dropper adjusted the privilege; they do not show that mining ran in the sandbox.

Suspicious use of WriteProcessMemory

Source process (every row): C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe, PID 2264; no indicator recorded.

Target PID Target process Events
2740 C:\Windows\System\pWaCjuc.exe 3
2512 C:\Windows\System\BasXHHP.exe 3
2516 C:\Windows\System\zxXsPLO.exe 3
2656 C:\Windows\System\HFBErsU.exe 3
2588 C:\Windows\System\sglOgJh.exe 3
2568 C:\Windows\System\wsxEreu.exe 3
2432 C:\Windows\System\FMLIPQd.exe 3
2636 C:\Windows\System\zvngCiZ.exe 3
2920 C:\Windows\System\Ayvcffu.exe 3
1456 C:\Windows\System\cwexuUh.exe 3
1552 C:\Windows\System\kXEiVWE.exe 3
1364 C:\Windows\System\yQOakjf.exe 3
2692 C:\Windows\System\guMaJFa.exe 3
2340 C:\Windows\System\OrIkreF.exe 3
2368 C:\Windows\System\oFQVtYi.exe 3
2324 C:\Windows\System\iRdZYIo.exe 3
1464 C:\Windows\System\aCdNqlV.exe 3
2288 C:\Windows\System\DvuCSFw.exe 3
1684 C:\Windows\System\pNPlEhB.exe 3
2304 C:\Windows\System\DIBusxG.exe 3
1176 C:\Windows\System\pqoqwEV.exe 3

Each of the 21 dropped executables received exactly three writes from the dropper. Three WriteProcessMemory calls per child is also what ordinary process creation produces on this platform (the parent writes the new process's startup parameters before its first thread runs), so this table by itself shows a dropper spawning the files it wrote, not necessarily injection; the reflective-loader and DLL-injection signatures above are the evidence for that.
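The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables above describe one chain: the Temp-resident dropper writes a randomly named executable into C:\Windows\System and then writes into the process it started from that file. As an added example that is not part of the report or of the sandbox, the Python below parses rows in the report's own format, collapses the three identical write rows per child, and flags that chain. The rows it runs on are a constructed excerpt of this page plus one made-up benign row; the seven-letter name check is an assumption drawn from the names seen here, not a rule the sandbox states.

```python
"""Added example, not sandbox code: collapse the 'File created' and 'wrote to
memory' rows above into one drop-and-execute record per child and flag the
dropper pattern.  SAMPLE_ROWS is a constructed excerpt of this page's rows plus
one made-up benign row so the filter has something to reject."""
import json
import re
from collections import Counter

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe")

# Constructed rows in the report's own format.  Each spawned child carries the
# three identical WriteProcessMemory rows the report lists per process.
SAMPLE_ROWS = "\n".join(
    [f"File created C:\\Windows\\System\\{n} {DROPPER} N/A"
     for n in ("FMLIPQd.exe", "pWaCjuc.exe", "BasXHHP.exe")]
    + [f"PID 2264 wrote to memory of {pid} N/A {DROPPER} C:\\Windows\\System\\{n}"
       for pid, n in ((2740, "pWaCjuc.exe"), (2512, "BasXHHP.exe"), (2432, "FMLIPQd.exe"))
       for _ in range(3)]
    # Made-up contrast row: a write into a child the parent did not drop.
    + [f"PID 2264 wrote to memory of 3000 N/A {DROPPER} C:\\Windows\\System32\\cmd.exe"]
    + [f"Token: SeLockMemoryPrivilege N/A {DROPPER} N/A"] * 2
)

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\S+) N/A (\S+) N/A$")
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")   # 7 mixed-case letters, as dropped here


def parse_rows(text):
    """Return (dropped path -> creator, (src_pid, dst_pid, src, dst) -> count,
    (privilege, process) -> count).  Paths in these rows contain no spaces."""
    drops, writes, tokens = {}, Counter(), Counter()
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if m:
            drops[m.group(1)] = m.group(2)
            continue
        m = WRITE_RE.match(line)
        if m:
            writes[(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))] += 1
            continue
        m = TOKEN_RE.match(line)
        if m:
            tokens[(m.group(1), m.group(2))] += 1
    return drops, writes, tokens


def drop_and_execute_chains(drops, writes):
    """One record per (parent, child) pair with the repeated rows collapsed."""
    chains = []
    for (src_pid, dst_pid, src, dst), n in sorted(writes.items()):
        folder, _, name = dst.rpartition("\\")
        chains.append({
            "parent_pid": src_pid, "child_pid": dst_pid, "child": dst, "events": n,
            "dropped_by_parent": drops.get(dst) == src,
            "random_name_in_system_dir": folder.lower() == "c:\\windows\\system"
            and bool(RANDOM_NAME.match(name)),
            "parent_in_temp": "\\appdata\\local\\temp\\" in src.lower(),
        })
    return chains


def flagged(chains):
    """Children the parent dropped into C:\\Windows\\System and then wrote into,
    while the parent itself runs from the user's Temp directory."""
    return [c for c in chains
            if c["dropped_by_parent"] and c["random_name_in_system_dir"] and c["parent_in_temp"]]


def summarize(text):
    drops, writes, tokens = parse_rows(text)
    chains = drop_and_execute_chains(drops, writes)
    return {
        "files_dropped": len(drops),
        "children_written": len(chains),
        "duplicate_write_rows": sum(writes.values()) - len(chains),
        "flagged_children": sorted(c["child"] for c in flagged(chains)),
        "privileges_adjusted": sorted({p for p, _ in tokens}),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_ROWS), indent=2))
```

Feed it the full drops and WriteProcessMemory sections of a report to get one record per child. A child that the dropper wrote into but did not create, or that lives outside C:\Windows\System (the made-up cmd.exe row), stays in the chain list but is not flagged.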

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe"

The 21 dropped executables below each ran with their bare path as the command line (no arguments):

C:\Windows\System\pWaCjuc.exe
C:\Windows\System\BasXHHP.exe
C:\Windows\System\zxXsPLO.exe
C:\Windows\System\HFBErsU.exe
C:\Windows\System\sglOgJh.exe
C:\Windows\System\wsxEreu.exe
C:\Windows\System\FMLIPQd.exe
C:\Windows\System\zvngCiZ.exe
C:\Windows\System\Ayvcffu.exe
C:\Windows\System\cwexuUh.exe
C:\Windows\System\kXEiVWE.exe
C:\Windows\System\yQOakjf.exe
C:\Windows\System\guMaJFa.exe
C:\Windows\System\OrIkreF.exe
C:\Windows\System\oFQVtYi.exe
C:\Windows\System\iRdZYIo.exe
C:\Windows\System\aCdNqlV.exe
C:\Windows\System\DvuCSFw.exe
C:\Windows\System\pNPlEhB.exe
C:\Windows\System\DIBusxG.exe
C:\Windows\System\pqoqwEV.exe

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 (none) tcp 6

Six TCP connections to the same endpoint and no domain resolved, so 3.120.209.58:8080 is the only network indicator this run produced. The report does not attribute the traffic to a particular process, so whether the endpoint serves the Cobalt Strike beacon or the miner cannot be read from this table.

Files

memory/2264-0-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2264-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\pWaCjuc.exe

MD5 16714e42e4e8440ba80772599cce3079
SHA1 ab0a43d5efeb0e42506dcce5bd32b33e074f4f23
SHA256 56e89b66b6a3fac76b49f6964f006d83fa00511937898da2b3b52903e29ab04a
SHA512 ec70e90abe84395f92a8e3ffbdcac70372a840946533db507edefe745f70bdb7604cbf60ff4144421e8899f41022440496264773d6f7884bfc7bcb0817584a24

memory/2740-8-0x000000013F330000-0x000000013F684000-memory.dmp

C:\Windows\system\BasXHHP.exe

MD5 8648b9d4bff1e828d4d7cfc27fcfa507
SHA1 da77270345c130bad68a7a8105fdd95d864c0998
SHA256 13571409ad3f69c363f468afa5d93d383118ce26ee59cb6a73f2615b58547543
SHA512 ac5fd2ee710d4a592d9c4a701cd851062a457b6cfeecde573f245fee4a9463b06497fce0a1927fae7fb5b4a8fd373c9603a5a87d0648c1d588a72b866a1c4d71

\Windows\system\zxXsPLO.exe

MD5 5a94b9191cdf21c6f94f46ec9a0f9ea6
SHA1 7c15a044355aa50edf7d28ee3197b9ad231278c2
SHA256 32624bf4faefb2fd9c2ebaf75102a3baa893aa2650eeb7a7396ad0eb8c66ee1e
SHA512 8e44b09760162581df6fc86189862139d0b24ca8e7a5558112d36030843ba2c2b6dee9cc30af79876eaaec817a8c861021ace54b3b17365af861f7834c539bce

memory/2264-16-0x0000000002490000-0x00000000027E4000-memory.dmp

memory/2512-22-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2264-27-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2656-29-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/2264-28-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/2516-25-0x000000013F080000-0x000000013F3D4000-memory.dmp

C:\Windows\system\HFBErsU.exe

MD5 fc46dd1332b4d9ff60be3698de3e580c
SHA1 32e1459a73b6d8404a15ce209c5e37c6093505be
SHA256 f28390b5f0c42ce16d04585c4f1ac46e22549d86ac694ffb404d226881b002b1
SHA512 282294a1a310b22765b1fc7501d5f83a275b04db9a990ca956a843b09c7f874a67dde5e55c00787969a0306a7427da62303d670b3ee66c47b3682eeb100cac18

C:\Windows\system\sglOgJh.exe

MD5 ec01262052597357df7ee48a73cdaa88
SHA1 5e09949a1cf218f0beed89e79281e0c65505f16c
SHA256 4ec280db15f03a71b20255319d5c7fa31b4c326362e4b232466c26e77fd4441c
SHA512 d99edab375118bb9715512aea11b712ddeb5da832c28309ad1d8ae9a77bdce17b1572651012b2ced9cf97e0a84775ed641ec11e67ec0c517b6666b34cfeec49e

memory/2588-34-0x000000013FFE0000-0x0000000140334000-memory.dmp

C:\Windows\system\wsxEreu.exe

MD5 d957ebc36fb9169b2cadc2f126648c64
SHA1 efefac4ca18d62b41f72a9f1b418dd6f9ebea87e
SHA256 250d7aceec512acc016a3cac55fecc77fcee6458a41a3f0569e5fedddfe5f607
SHA512 e86101390f66cca63d74c696d62ffd538c2e36b35ed3ac4743f7c107ad572e793c278ad5c1457aa6c8732153b1ecb3ff8d0213842ea1a4ffd724913109092cf6

\Windows\system\FMLIPQd.exe

MD5 f171a3e828258900f73dabee38b5ebc6
SHA1 096318fe6d6740fbec58003b4b7ed60e6c72c6f5
SHA256 2bd65a238931c1a07302a70ab725af5d72a6d74a8b08fd3cf5a314eef1a7a2c0
SHA512 a8432c3d386fd4dd55a2ad6df6a7806019af5dbe3bde1d5c9acbf01fe601d134f7eac044ba54f161c18ccfc145c6e74698197ac7aa8be0ccd7c105c9f772ca15

memory/2432-47-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2264-46-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2568-48-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2264-49-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

\Windows\system\zvngCiZ.exe

MD5 751b2165aacbcccc5638db94a2048e1d
SHA1 ea944fc5f2646f8e5d70b2da2e693532d64a435c
SHA256 f6d221b1f5dd05750f8b16f79b6f0690a194e2235505e341936e1016f2f61f9b
SHA512 5cf0a0316cbe7760998d251afd347d69a1133c323814ae3a5303ff4d8a36916893c06a081f1d6e6eaa3958e8bbae8ccc18f552bd5ec057e73b8860c33deeef05

memory/2636-56-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/2264-55-0x000000013F190000-0x000000013F4E4000-memory.dmp

C:\Windows\system\Ayvcffu.exe

MD5 f03f1102e4a880f7bd6325fd303f13b6
SHA1 ec226f33b69a998dc4baf08867720de32634854f
SHA256 93c397454552f214e65f876c6830b74816c52766297549c730d3dc775df59e65
SHA512 ee305da246322f9f1adb77e20151989569beafde34a261c69fbe18a4f4db127b2b0920ad55201c302c04eb9e467d690ba6a0b377e8754af7ec34deb8c99deb6c

memory/2264-62-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2264-63-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/2920-64-0x000000013F8E0000-0x000000013FC34000-memory.dmp

\Windows\system\cwexuUh.exe

MD5 06c50c8b605b7a4b48714262b24ca63b
SHA1 9a99a9eedc5604b3035ce385e809f0abaab24ceb
SHA256 22dd8b43f8e597944b6d0b6d544e165b045e7b6553ad66bafde6b7c88d9d0da9
SHA512 cb91cc147567a7b082a0e270f555bbdff50d0d54d79ae030bf286b2edbb8465163aef5c08d7aa8e01ff12a1b6fec1448816c51c47fcdba4aeafb01863a5a433a

memory/2740-74-0x000000013F330000-0x000000013F684000-memory.dmp

C:\Windows\system\yQOakjf.exe

MD5 036ed2e0f899d95db525b84ef4781a41
SHA1 45522eed5d025783b085a321f99461c4b32a7821
SHA256 3b28cd16b20ec63c9256b30594789036782f322b402cbb9a28a630792a30c703
SHA512 013ba8eda846b38bbcc15a94703112fb6984e3ebb30a814ba97b2f18955e5dc59d5bc25bdb966d2004bad1bc00264d2ad73667c0662d358d7740cd2f46f912a4

memory/2264-85-0x0000000002490000-0x00000000027E4000-memory.dmp

C:\Windows\system\guMaJFa.exe

MD5 b0bc4d45216e98babefbb8d985f87458
SHA1 f1019775404c3ea4057668c20673e4c686396cc2
SHA256 eaf771fd77576a08c1ddb8261e1fe7daab9c28724f50c62a6f2995afc2c10ea4
SHA512 75a087653a659e8c4f95ccffd1600184794e7dfa9548d3664d7e5e1cc0e65fc858141ab7b64c129f0c561261f9c966930e4abe951249513b81f8d6b6967fa663

memory/2340-102-0x000000013FF40000-0x0000000140294000-memory.dmp

\Windows\system\iRdZYIo.exe

MD5 784f6fa904eab8bd13f40795bb98edec
SHA1 43a507f8f0020e61784799a9b81b9d1636678c4d
SHA256 adacd12ca42085a1b1e5060b8c039a65e43fe9aeb2441ca80388cd6c03502d87
SHA512 ff7e54dcca6a8087bd5cf41e4736cbf0e86a389ef39bc9271d96c80d6f30dc988589226b1f47df43b08c2a00b345c3ed277f5dcde5541367dec41cfa8886c71f

\Windows\system\oFQVtYi.exe

MD5 f7fab6af4a4bf9d0181e62ac6f3b1cd1
SHA1 7b913f708ab403ec5faecf6bd84d17876952b9fd
SHA256 1491bad951265383abb7972950bec3823ad0b86d403b416e4ba6d3740a13e77d
SHA512 ecceb22fe2d8397f9323f97be825003b1eb17da0a72637c2389d05207da3a3a52480978c21d97f2b57fe9770c3e1beda7fda7e6cf11efa6c3d751095e0a1e81d

C:\Windows\system\DvuCSFw.exe

MD5 74f0959f6ba21cd0ec869e59962e5a76
SHA1 a672b45840de80d8907197cd6270684aa44e4ef7
SHA256 0d92587612dbc9f25e0379c8f971d3b40a8b3bff960e344fa96cd28a58ee3059
SHA512 7698030fa5eec1feed141b6cdb0997330e91b0ed323fa3d0d5b6cff7be62c4ff32e4ea6555772fc3880d33577fbebdaf284f771b9fa314d7ca37732f79e21753

\Windows\system\pqoqwEV.exe

MD5 0068275152acf3d65e8f94121d26a32c
SHA1 23f3c7d8f6b53fa2e6318a933c3749909182b786
SHA256 78adb2a11a396778ea14caa239037c6752cc5a46272d5aad5b143d2f70a377eb
SHA512 17352692fd51803a9901da38314089e5feb098c6f3d90ffb73260e9233566224d625ba32ad9fe00456036d71a120f7bf8333d8d02aba81f5fb78e3b3a53f87ec

C:\Windows\system\DIBusxG.exe

MD5 e72b17212b262316491821e7d35d128a
SHA1 9232213afc780a1fd3d83f89286a0b7d6be31117
SHA256 b0f8d31ef6c0d8a3e979b0e290d5bc64d2280cde3a9a9c0ca9007c5f1154cb61
SHA512 a088125315823cd7f127bc7951cca555717bcb2c31403090f76493f3e52cf4c14e0608dff3be4cf1bd8ea8571d3e3bb6b6876ac32de37ba920759b5867d2af37

C:\Windows\system\pNPlEhB.exe

MD5 df116aa6ba8ef62e6ab5c1ef80ecc6b4
SHA1 f55dcb5048e302776e9e2955122592a539d27810
SHA256 388eadbd9beb30957a27a74cfa8f8cb43f9e8ad885ca8c22335d87bd5f8f0f21
SHA512 3c144c7ac6b676c7813a94ad2b84a8bd1907bd8b85a068e78b0d7f7e3ac7dd7a41b9a239feca6233e31f5b2b4a919be97fb543675f090de5dcb0793f85da7362

C:\Windows\system\aCdNqlV.exe

MD5 25cb439087e9dfff05c515906dce47fd
SHA1 ebc021161816972fc897a570831fa01018b6b708
SHA256 f4742452c87e90e041ced7782f4ea52e7b154f5448910a03b262f3e4041874de
SHA512 bfdea8332fcc15f99f01505a2d3c8c017dbe4a021288a141c72254087ff65241c576ff33b56c31de99501a53874447b4e62b635a95508aa6dff54dff2b6dd7e3

memory/2264-117-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2588-116-0x000000013FFE0000-0x0000000140334000-memory.dmp

memory/2264-115-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/2692-112-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2264-90-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2516-89-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2264-97-0x0000000002490000-0x00000000027E4000-memory.dmp

C:\Windows\system\OrIkreF.exe

MD5 3851b1084242624df5a2559b36dc6358
SHA1 3e95c856faac6afc572663b8692e0c3d76eac932
SHA256 d156d8d478195ec95ae9e17545145339813357007654aab7c2f0f709d9c2aa96
SHA512 23419d7f3f2cbbc8b11cdc7bdb25adffd9542d9b5b7c1be710e1155952509c0ee08458d9ff0b29b20a81e1886db6671d61ec58be3c73e5db6b5c63d3aadbcb91

memory/2264-94-0x000000013F500000-0x000000013F854000-memory.dmp

memory/1364-84-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/1552-83-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/1456-82-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/2264-79-0x000000013F670000-0x000000013F9C4000-memory.dmp

C:\Windows\system\kXEiVWE.exe

MD5 e07957adbc3b5fd17e963b9730076c6f
SHA1 4776b54461626725056b91bac45b380262b5caec
SHA256 24239e2f076f128aa94fe763b6f368b0554cac733716a34c2cfe01230d3d7c3b
SHA512 fd831defe8e229f4749da9738a2c0426dd9a2dc0ae10f255309a207f9322b34113492edde5c984f901060d703b1cfba807c5ca4d41b2837c7a768355711b5cc8

memory/2264-139-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/2264-140-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/2264-141-0x0000000002490000-0x00000000027E4000-memory.dmp

memory/2264-142-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2264-143-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2740-144-0x000000013F330000-0x000000013F684000-memory.dmp

memory/2512-145-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2516-146-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2656-147-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/2588-148-0x000000013FFE0000-0x0000000140334000-memory.dmp

memory/2568-149-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2432-150-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2636-151-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/2920-152-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/1456-153-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/1552-154-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/1364-155-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2340-156-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2692-157-0x000000013F500000-0x000000013F854000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 16:56

Reported

2024-06-01 16:58

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\pNPlEhB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DIBusxG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kXEiVWE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yQOakjf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\guMaJFa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oFQVtYi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iRdZYIo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BasXHHP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HFBErsU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sglOgJh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FMLIPQd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pWaCjuc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Ayvcffu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OrIkreF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aCdNqlV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DvuCSFw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pqoqwEV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zxXsPLO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wsxEreu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zvngCiZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cwexuUh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\pWaCjuc.exe
PID 1348 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\pWaCjuc.exe
PID 1348 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\BasXHHP.exe
PID 1348 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\BasXHHP.exe
PID 1348 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zxXsPLO.exe
PID 1348 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zxXsPLO.exe
PID 1348 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\HFBErsU.exe
PID 1348 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\HFBErsU.exe
PID 1348 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\sglOgJh.exe
PID 1348 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\sglOgJh.exe
PID 1348 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\wsxEreu.exe
PID 1348 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\wsxEreu.exe
PID 1348 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\FMLIPQd.exe
PID 1348 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\FMLIPQd.exe
PID 1348 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zvngCiZ.exe
PID 1348 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zvngCiZ.exe
PID 1348 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\Ayvcffu.exe
PID 1348 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\Ayvcffu.exe
PID 1348 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\cwexuUh.exe
PID 1348 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\cwexuUh.exe
PID 1348 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXEiVWE.exe
PID 1348 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXEiVWE.exe
PID 1348 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\yQOakjf.exe
PID 1348 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\yQOakjf.exe
PID 1348 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\guMaJFa.exe
PID 1348 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\guMaJFa.exe
PID 1348 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\OrIkreF.exe
PID 1348 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\OrIkreF.exe
PID 1348 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\oFQVtYi.exe
PID 1348 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\oFQVtYi.exe
PID 1348 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\iRdZYIo.exe
PID 1348 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\iRdZYIo.exe
PID 1348 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\aCdNqlV.exe
PID 1348 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\aCdNqlV.exe
PID 1348 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\DvuCSFw.exe
PID 1348 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\DvuCSFw.exe
PID 1348 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNPlEhB.exe
PID 1348 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNPlEhB.exe
PID 1348 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\DIBusxG.exe
PID 1348 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\DIBusxG.exe
PID 1348 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\pqoqwEV.exe
PID 1348 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\pqoqwEV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\pWaCjuc.exe

C:\Windows\System\pWaCjuc.exe

C:\Windows\System\BasXHHP.exe

C:\Windows\System\BasXHHP.exe

C:\Windows\System\zxXsPLO.exe

C:\Windows\System\zxXsPLO.exe

C:\Windows\System\HFBErsU.exe

C:\Windows\System\HFBErsU.exe

C:\Windows\System\sglOgJh.exe

C:\Windows\System\sglOgJh.exe

C:\Windows\System\wsxEreu.exe

C:\Windows\System\wsxEreu.exe

C:\Windows\System\FMLIPQd.exe

C:\Windows\System\FMLIPQd.exe

C:\Windows\System\zvngCiZ.exe

C:\Windows\System\zvngCiZ.exe

C:\Windows\System\Ayvcffu.exe

C:\Windows\System\Ayvcffu.exe

C:\Windows\System\cwexuUh.exe

C:\Windows\System\cwexuUh.exe

C:\Windows\System\kXEiVWE.exe

C:\Windows\System\kXEiVWE.exe

C:\Windows\System\yQOakjf.exe

C:\Windows\System\yQOakjf.exe

C:\Windows\System\guMaJFa.exe

C:\Windows\System\guMaJFa.exe

C:\Windows\System\OrIkreF.exe

C:\Windows\System\OrIkreF.exe

C:\Windows\System\oFQVtYi.exe

C:\Windows\System\oFQVtYi.exe

C:\Windows\System\iRdZYIo.exe

C:\Windows\System\iRdZYIo.exe

C:\Windows\System\aCdNqlV.exe

C:\Windows\System\aCdNqlV.exe

C:\Windows\System\DvuCSFw.exe

C:\Windows\System\DvuCSFw.exe

C:\Windows\System\pNPlEhB.exe

C:\Windows\System\pNPlEhB.exe

C:\Windows\System\DIBusxG.exe

C:\Windows\System\DIBusxG.exe

C:\Windows\System\pqoqwEV.exe

C:\Windows\System\pqoqwEV.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1348-0-0x00007FF75B5B0000-0x00007FF75B904000-memory.dmp

memory/1348-1-0x000001E7DC930000-0x000001E7DC940000-memory.dmp

C:\Windows\System\pWaCjuc.exe

MD5 16714e42e4e8440ba80772599cce3079
SHA1 ab0a43d5efeb0e42506dcce5bd32b33e074f4f23
SHA256 56e89b66b6a3fac76b49f6964f006d83fa00511937898da2b3b52903e29ab04a
SHA512 ec70e90abe84395f92a8e3ffbdcac70372a840946533db507edefe745f70bdb7604cbf60ff4144421e8899f41022440496264773d6f7884bfc7bcb0817584a24

C:\Windows\System\BasXHHP.exe

MD5 8648b9d4bff1e828d4d7cfc27fcfa507
SHA1 da77270345c130bad68a7a8105fdd95d864c0998
SHA256 13571409ad3f69c363f468afa5d93d383118ce26ee59cb6a73f2615b58547543
SHA512 ac5fd2ee710d4a592d9c4a701cd851062a457b6cfeecde573f245fee4a9463b06497fce0a1927fae7fb5b4a8fd373c9603a5a87d0648c1d588a72b866a1c4d71

C:\Windows\System\zxXsPLO.exe

MD5 5a94b9191cdf21c6f94f46ec9a0f9ea6
SHA1 7c15a044355aa50edf7d28ee3197b9ad231278c2
SHA256 32624bf4faefb2fd9c2ebaf75102a3baa893aa2650eeb7a7396ad0eb8c66ee1e
SHA512 8e44b09760162581df6fc86189862139d0b24ca8e7a5558112d36030843ba2c2b6dee9cc30af79876eaaec817a8c861021ace54b3b17365af861f7834c539bce

memory/4688-12-0x00007FF6029F0000-0x00007FF602D44000-memory.dmp

memory/4800-18-0x00007FF776DF0000-0x00007FF777144000-memory.dmp

memory/4936-7-0x00007FF7128D0000-0x00007FF712C24000-memory.dmp

C:\Windows\System\HFBErsU.exe

MD5 fc46dd1332b4d9ff60be3698de3e580c
SHA1 32e1459a73b6d8404a15ce209c5e37c6093505be
SHA256 f28390b5f0c42ce16d04585c4f1ac46e22549d86ac694ffb404d226881b002b1
SHA512 282294a1a310b22765b1fc7501d5f83a275b04db9a990ca956a843b09c7f874a67dde5e55c00787969a0306a7427da62303d670b3ee66c47b3682eeb100cac18

memory/1896-26-0x00007FF730090000-0x00007FF7303E4000-memory.dmp

C:\Windows\System\sglOgJh.exe

MD5 ec01262052597357df7ee48a73cdaa88
SHA1 5e09949a1cf218f0beed89e79281e0c65505f16c
SHA256 4ec280db15f03a71b20255319d5c7fa31b4c326362e4b232466c26e77fd4441c
SHA512 d99edab375118bb9715512aea11b712ddeb5da832c28309ad1d8ae9a77bdce17b1572651012b2ced9cf97e0a84775ed641ec11e67ec0c517b6666b34cfeec49e

memory/4344-32-0x00007FF7C9AE0000-0x00007FF7C9E34000-memory.dmp

C:\Windows\System\wsxEreu.exe

MD5 d957ebc36fb9169b2cadc2f126648c64
SHA1 efefac4ca18d62b41f72a9f1b418dd6f9ebea87e
SHA256 250d7aceec512acc016a3cac55fecc77fcee6458a41a3f0569e5fedddfe5f607
SHA512 e86101390f66cca63d74c696d62ffd538c2e36b35ed3ac4743f7c107ad572e793c278ad5c1457aa6c8732153b1ecb3ff8d0213842ea1a4ffd724913109092cf6

memory/1568-36-0x00007FF769480000-0x00007FF7697D4000-memory.dmp

C:\Windows\System\FMLIPQd.exe

MD5 f171a3e828258900f73dabee38b5ebc6
SHA1 096318fe6d6740fbec58003b4b7ed60e6c72c6f5
SHA256 2bd65a238931c1a07302a70ab725af5d72a6d74a8b08fd3cf5a314eef1a7a2c0
SHA512 a8432c3d386fd4dd55a2ad6df6a7806019af5dbe3bde1d5c9acbf01fe601d134f7eac044ba54f161c18ccfc145c6e74698197ac7aa8be0ccd7c105c9f772ca15

memory/2208-44-0x00007FF6CB540000-0x00007FF6CB894000-memory.dmp

C:\Windows\System\zvngCiZ.exe

MD5 751b2165aacbcccc5638db94a2048e1d
SHA1 ea944fc5f2646f8e5d70b2da2e693532d64a435c
SHA256 f6d221b1f5dd05750f8b16f79b6f0690a194e2235505e341936e1016f2f61f9b
SHA512 5cf0a0316cbe7760998d251afd347d69a1133c323814ae3a5303ff4d8a36916893c06a081f1d6e6eaa3958e8bbae8ccc18f552bd5ec057e73b8860c33deeef05

memory/5096-50-0x00007FF692200000-0x00007FF692554000-memory.dmp

C:\Windows\System\Ayvcffu.exe

MD5 f03f1102e4a880f7bd6325fd303f13b6
SHA1 ec226f33b69a998dc4baf08867720de32634854f
SHA256 93c397454552f214e65f876c6830b74816c52766297549c730d3dc775df59e65
SHA512 ee305da246322f9f1adb77e20151989569beafde34a261c69fbe18a4f4db127b2b0920ad55201c302c04eb9e467d690ba6a0b377e8754af7ec34deb8c99deb6c

memory/2612-54-0x00007FF62F420000-0x00007FF62F774000-memory.dmp

memory/1348-62-0x00007FF75B5B0000-0x00007FF75B904000-memory.dmp

memory/1100-63-0x00007FF6698E0000-0x00007FF669C34000-memory.dmp

C:\Windows\System\cwexuUh.exe

MD5 06c50c8b605b7a4b48714262b24ca63b
SHA1 9a99a9eedc5604b3035ce385e809f0abaab24ceb
SHA256 22dd8b43f8e597944b6d0b6d544e165b045e7b6553ad66bafde6b7c88d9d0da9
SHA512 cb91cc147567a7b082a0e270f555bbdff50d0d54d79ae030bf286b2edbb8465163aef5c08d7aa8e01ff12a1b6fec1448816c51c47fcdba4aeafb01863a5a433a

C:\Windows\System\kXEiVWE.exe

MD5 e07957adbc3b5fd17e963b9730076c6f
SHA1 4776b54461626725056b91bac45b380262b5caec
SHA256 24239e2f076f128aa94fe763b6f368b0554cac733716a34c2cfe01230d3d7c3b
SHA512 fd831defe8e229f4749da9738a2c0426dd9a2dc0ae10f255309a207f9322b34113492edde5c984f901060d703b1cfba807c5ca4d41b2837c7a768355711b5cc8

memory/2620-73-0x00007FF662B40000-0x00007FF662E94000-memory.dmp

memory/4688-75-0x00007FF6029F0000-0x00007FF602D44000-memory.dmp

C:\Windows\System\OrIkreF.exe

MD5 3851b1084242624df5a2559b36dc6358
SHA1 3e95c856faac6afc572663b8692e0c3d76eac932
SHA256 d156d8d478195ec95ae9e17545145339813357007654aab7c2f0f709d9c2aa96
SHA512 23419d7f3f2cbbc8b11cdc7bdb25adffd9542d9b5b7c1be710e1155952509c0ee08458d9ff0b29b20a81e1886db6671d61ec58be3c73e5db6b5c63d3aadbcb91

memory/2844-94-0x00007FF799C50000-0x00007FF799FA4000-memory.dmp

C:\Windows\System\oFQVtYi.exe

MD5 f7fab6af4a4bf9d0181e62ac6f3b1cd1
SHA1 7b913f708ab403ec5faecf6bd84d17876952b9fd
SHA256 1491bad951265383abb7972950bec3823ad0b86d403b416e4ba6d3740a13e77d
SHA512 ecceb22fe2d8397f9323f97be825003b1eb17da0a72637c2389d05207da3a3a52480978c21d97f2b57fe9770c3e1beda7fda7e6cf11efa6c3d751095e0a1e81d

memory/1896-104-0x00007FF730090000-0x00007FF7303E4000-memory.dmp

memory/2976-105-0x00007FF7ABAB0000-0x00007FF7ABE04000-memory.dmp

C:\Windows\System\aCdNqlV.exe

MD5 25cb439087e9dfff05c515906dce47fd
SHA1 ebc021161816972fc897a570831fa01018b6b708
SHA256 f4742452c87e90e041ced7782f4ea52e7b154f5448910a03b262f3e4041874de
SHA512 bfdea8332fcc15f99f01505a2d3c8c017dbe4a021288a141c72254087ff65241c576ff33b56c31de99501a53874447b4e62b635a95508aa6dff54dff2b6dd7e3

memory/1568-109-0x00007FF769480000-0x00007FF7697D4000-memory.dmp

memory/4344-108-0x00007FF7C9AE0000-0x00007FF7C9E34000-memory.dmp

memory/1924-107-0x00007FF6C5AA0000-0x00007FF6C5DF4000-memory.dmp

C:\Windows\System\iRdZYIo.exe

MD5 784f6fa904eab8bd13f40795bb98edec
SHA1 43a507f8f0020e61784799a9b81b9d1636678c4d
SHA256 adacd12ca42085a1b1e5060b8c039a65e43fe9aeb2441ca80388cd6c03502d87
SHA512 ff7e54dcca6a8087bd5cf41e4736cbf0e86a389ef39bc9271d96c80d6f30dc988589226b1f47df43b08c2a00b345c3ed277f5dcde5541367dec41cfa8886c71f

memory/1640-101-0x00007FF77A580000-0x00007FF77A8D4000-memory.dmp

memory/1944-95-0x00007FF63C390000-0x00007FF63C6E4000-memory.dmp

memory/4800-91-0x00007FF776DF0000-0x00007FF777144000-memory.dmp

memory/4180-90-0x00007FF69A570000-0x00007FF69A8C4000-memory.dmp

C:\Windows\System\yQOakjf.exe

MD5 036ed2e0f899d95db525b84ef4781a41
SHA1 45522eed5d025783b085a321f99461c4b32a7821
SHA256 3b28cd16b20ec63c9256b30594789036782f322b402cbb9a28a630792a30c703
SHA512 013ba8eda846b38bbcc15a94703112fb6984e3ebb30a814ba97b2f18955e5dc59d5bc25bdb966d2004bad1bc00264d2ad73667c0662d358d7740cd2f46f912a4

C:\Windows\System\guMaJFa.exe

MD5 b0bc4d45216e98babefbb8d985f87458
SHA1 f1019775404c3ea4057668c20673e4c686396cc2
SHA256 eaf771fd77576a08c1ddb8261e1fe7daab9c28724f50c62a6f2995afc2c10ea4
SHA512 75a087653a659e8c4f95ccffd1600184794e7dfa9548d3664d7e5e1cc0e65fc858141ab7b64c129f0c561261f9c966930e4abe951249513b81f8d6b6967fa663

memory/4936-70-0x00007FF7128D0000-0x00007FF712C24000-memory.dmp

C:\Windows\System\DvuCSFw.exe

MD5 74f0959f6ba21cd0ec869e59962e5a76
SHA1 a672b45840de80d8907197cd6270684aa44e4ef7
SHA256 0d92587612dbc9f25e0379c8f971d3b40a8b3bff960e344fa96cd28a58ee3059
SHA512 7698030fa5eec1feed141b6cdb0997330e91b0ed323fa3d0d5b6cff7be62c4ff32e4ea6555772fc3880d33577fbebdaf284f771b9fa314d7ca37732f79e21753

memory/2808-115-0x00007FF722780000-0x00007FF722AD4000-memory.dmp

C:\Windows\System\pNPlEhB.exe

MD5 df116aa6ba8ef62e6ab5c1ef80ecc6b4
SHA1 f55dcb5048e302776e9e2955122592a539d27810
SHA256 388eadbd9beb30957a27a74cfa8f8cb43f9e8ad885ca8c22335d87bd5f8f0f21
SHA512 3c144c7ac6b676c7813a94ad2b84a8bd1907bd8b85a068e78b0d7f7e3ac7dd7a41b9a239feca6233e31f5b2b4a919be97fb543675f090de5dcb0793f85da7362

C:\Windows\System\DIBusxG.exe

MD5 e72b17212b262316491821e7d35d128a
SHA1 9232213afc780a1fd3d83f89286a0b7d6be31117
SHA256 b0f8d31ef6c0d8a3e979b0e290d5bc64d2280cde3a9a9c0ca9007c5f1154cb61
SHA512 a088125315823cd7f127bc7951cca555717bcb2c31403090f76493f3e52cf4c14e0608dff3be4cf1bd8ea8571d3e3bb6b6876ac32de37ba920759b5867d2af37

memory/3652-128-0x00007FF6C18D0000-0x00007FF6C1C24000-memory.dmp

memory/3424-129-0x00007FF6B8AC0000-0x00007FF6B8E14000-memory.dmp

C:\Windows\System\pqoqwEV.exe

MD5 0068275152acf3d65e8f94121d26a32c
SHA1 23f3c7d8f6b53fa2e6318a933c3749909182b786
SHA256 78adb2a11a396778ea14caa239037c6752cc5a46272d5aad5b143d2f70a377eb
SHA512 17352692fd51803a9901da38314089e5feb098c6f3d90ffb73260e9233566224d625ba32ad9fe00456036d71a120f7bf8333d8d02aba81f5fb78e3b3a53f87ec

memory/3136-135-0x00007FF7940A0000-0x00007FF7943F4000-memory.dmp

memory/2612-133-0x00007FF62F420000-0x00007FF62F774000-memory.dmp

memory/2620-136-0x00007FF662B40000-0x00007FF662E94000-memory.dmp

memory/1640-137-0x00007FF77A580000-0x00007FF77A8D4000-memory.dmp

memory/2976-138-0x00007FF7ABAB0000-0x00007FF7ABE04000-memory.dmp

memory/1924-139-0x00007FF6C5AA0000-0x00007FF6C5DF4000-memory.dmp

memory/2808-140-0x00007FF722780000-0x00007FF722AD4000-memory.dmp

memory/4936-141-0x00007FF7128D0000-0x00007FF712C24000-memory.dmp

memory/4688-142-0x00007FF6029F0000-0x00007FF602D44000-memory.dmp

memory/4800-143-0x00007FF776DF0000-0x00007FF777144000-memory.dmp

memory/1896-144-0x00007FF730090000-0x00007FF7303E4000-memory.dmp

memory/4344-145-0x00007FF7C9AE0000-0x00007FF7C9E34000-memory.dmp

memory/1568-146-0x00007FF769480000-0x00007FF7697D4000-memory.dmp

memory/2208-147-0x00007FF6CB540000-0x00007FF6CB894000-memory.dmp

memory/5096-148-0x00007FF692200000-0x00007FF692554000-memory.dmp

memory/2612-149-0x00007FF62F420000-0x00007FF62F774000-memory.dmp

memory/1100-150-0x00007FF6698E0000-0x00007FF669C34000-memory.dmp

memory/1944-151-0x00007FF63C390000-0x00007FF63C6E4000-memory.dmp

memory/2620-152-0x00007FF662B40000-0x00007FF662E94000-memory.dmp

memory/4180-153-0x00007FF69A570000-0x00007FF69A8C4000-memory.dmp

memory/2844-155-0x00007FF799C50000-0x00007FF799FA4000-memory.dmp

memory/1640-154-0x00007FF77A580000-0x00007FF77A8D4000-memory.dmp

memory/2976-156-0x00007FF7ABAB0000-0x00007FF7ABE04000-memory.dmp

memory/1924-157-0x00007FF6C5AA0000-0x00007FF6C5DF4000-memory.dmp

memory/2808-158-0x00007FF722780000-0x00007FF722AD4000-memory.dmp

memory/3652-160-0x00007FF6C18D0000-0x00007FF6C1C24000-memory.dmp

memory/3424-159-0x00007FF6B8AC0000-0x00007FF6B8E14000-memory.dmp

memory/3136-161-0x00007FF7940A0000-0x00007FF7943F4000-memory.dmp