Malware Analysis Report

2025-01-22 19:34

Sample ID 240601-vg9c6shb51
Target 2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike
SHA256 b62045e2f696b7908eec3e9c791cb015c4ace38ad0fb10a6288289b45bd455c0
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b62045e2f696b7908eec3e9c791cb015c4ace38ad0fb10a6288289b45bd455c0

Threat Level: Known bad

The file 2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

xmrig

Detects Reflective DLL injection artifacts

Cobaltstrike family

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

Cobaltstrike

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 16:58

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 16:58

Reported

2024-06-01 17:01

Platform

win7-20240508-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\patmCwR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\noSplHB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SuopPRn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fMMkiDG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xcMDtta.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rFmUFFH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OXdDZtH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HdZMsSB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NIlXjHe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EhkqUpS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\igchGjZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oAQounP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PhSyEMx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TbEKlqE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KAPziLo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OveqwAO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mBYIOzH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\imrtWNk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MQCUuMr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sHLGmWH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pUJgeui.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\fMMkiDG.exe
PID 1196 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\fMMkiDG.exe
PID 1196 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\fMMkiDG.exe
PID 1196 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\igchGjZ.exe
PID 1196 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\igchGjZ.exe
PID 1196 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\igchGjZ.exe
PID 1196 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\mBYIOzH.exe
PID 1196 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\mBYIOzH.exe
PID 1196 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\mBYIOzH.exe
PID 1196 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\xcMDtta.exe
PID 1196 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\xcMDtta.exe
PID 1196 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\xcMDtta.exe
PID 1196 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\PhSyEMx.exe
PID 1196 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\PhSyEMx.exe
PID 1196 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\PhSyEMx.exe
PID 1196 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\rFmUFFH.exe
PID 1196 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\rFmUFFH.exe
PID 1196 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\rFmUFFH.exe
PID 1196 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\imrtWNk.exe
PID 1196 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\imrtWNk.exe
PID 1196 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\imrtWNk.exe
PID 1196 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\MQCUuMr.exe
PID 1196 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\MQCUuMr.exe
PID 1196 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\MQCUuMr.exe
PID 1196 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\TbEKlqE.exe
PID 1196 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\TbEKlqE.exe
PID 1196 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\TbEKlqE.exe
PID 1196 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\OXdDZtH.exe
PID 1196 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\OXdDZtH.exe
PID 1196 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\OXdDZtH.exe
PID 1196 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\KAPziLo.exe
PID 1196 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\KAPziLo.exe
PID 1196 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\KAPziLo.exe
PID 1196 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\HdZMsSB.exe
PID 1196 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\HdZMsSB.exe
PID 1196 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\HdZMsSB.exe
PID 1196 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\patmCwR.exe
PID 1196 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\patmCwR.exe
PID 1196 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\patmCwR.exe
PID 1196 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\noSplHB.exe
PID 1196 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\noSplHB.exe
PID 1196 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\noSplHB.exe
PID 1196 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\sHLGmWH.exe
PID 1196 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\sHLGmWH.exe
PID 1196 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\sHLGmWH.exe
PID 1196 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\pUJgeui.exe
PID 1196 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\pUJgeui.exe
PID 1196 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\pUJgeui.exe
PID 1196 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\oAQounP.exe
PID 1196 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\oAQounP.exe
PID 1196 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\oAQounP.exe
PID 1196 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\SuopPRn.exe
PID 1196 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\SuopPRn.exe
PID 1196 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\SuopPRn.exe
PID 1196 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\NIlXjHe.exe
PID 1196 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\NIlXjHe.exe
PID 1196 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\NIlXjHe.exe
PID 1196 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\EhkqUpS.exe
PID 1196 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\EhkqUpS.exe
PID 1196 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\EhkqUpS.exe
PID 1196 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\OveqwAO.exe
PID 1196 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\OveqwAO.exe
PID 1196 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\OveqwAO.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\fMMkiDG.exe

C:\Windows\System\fMMkiDG.exe

C:\Windows\System\igchGjZ.exe

C:\Windows\System\igchGjZ.exe

C:\Windows\System\mBYIOzH.exe

C:\Windows\System\mBYIOzH.exe

C:\Windows\System\xcMDtta.exe

C:\Windows\System\xcMDtta.exe

C:\Windows\System\PhSyEMx.exe

C:\Windows\System\PhSyEMx.exe

C:\Windows\System\rFmUFFH.exe

C:\Windows\System\rFmUFFH.exe

C:\Windows\System\imrtWNk.exe

C:\Windows\System\imrtWNk.exe

C:\Windows\System\MQCUuMr.exe

C:\Windows\System\MQCUuMr.exe

C:\Windows\System\TbEKlqE.exe

C:\Windows\System\TbEKlqE.exe

C:\Windows\System\OXdDZtH.exe

C:\Windows\System\OXdDZtH.exe

C:\Windows\System\KAPziLo.exe

C:\Windows\System\KAPziLo.exe

C:\Windows\System\HdZMsSB.exe

C:\Windows\System\HdZMsSB.exe

C:\Windows\System\patmCwR.exe

C:\Windows\System\patmCwR.exe

C:\Windows\System\noSplHB.exe

C:\Windows\System\noSplHB.exe

C:\Windows\System\sHLGmWH.exe

C:\Windows\System\sHLGmWH.exe

C:\Windows\System\pUJgeui.exe

C:\Windows\System\pUJgeui.exe

C:\Windows\System\oAQounP.exe

C:\Windows\System\oAQounP.exe

C:\Windows\System\SuopPRn.exe

C:\Windows\System\SuopPRn.exe

C:\Windows\System\NIlXjHe.exe

C:\Windows\System\NIlXjHe.exe

C:\Windows\System\EhkqUpS.exe

C:\Windows\System\EhkqUpS.exe

C:\Windows\System\OveqwAO.exe

C:\Windows\System\OveqwAO.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

SHA512 f115ba74c15090912425177a89a52019939a4550edd3714c18de377874d42ddc1aca4354d878dab99f785bedf5eea50e974fea0f43bd723f575ceb351367ece1

memory/3020-34-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/1196-32-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/1196-21-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2548-10-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/1196-137-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/2748-138-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/1196-139-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2720-140-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/1196-141-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2460-142-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2504-143-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/1196-144-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2548-145-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2208-146-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/1436-147-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2720-150-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2504-152-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2604-151-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/1624-149-0x000000013F5D0000-0x000000013F924000-memory.dmp

memory/2696-148-0x000000013F500000-0x000000013F854000-memory.dmp

memory/1812-153-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2596-156-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/2748-158-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/2460-157-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2660-155-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/3020-154-0x000000013FB40000-0x000000013FE94000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 16:58

Reported

2024-06-01 17:01

Platform

win10v2004-20240426-en

Max time kernel

137s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yxakvBr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MljqyaD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OHclAFi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IAydSNq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SkUxvoM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xuibCfh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gjGrwYq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UMieDoB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gjJrfGD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mKqxQzN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zvMbsIJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kpIpNcs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\edKxFnQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TSBiQBp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hrPGDgY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RDSAQxi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VxdJWLl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oJlilfj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RYnElAC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\octzLZU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YuSPtjT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3964 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\oJlilfj.exe
PID 3964 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\oJlilfj.exe
PID 3964 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\kpIpNcs.exe
PID 3964 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\kpIpNcs.exe
PID 3964 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\edKxFnQ.exe
PID 3964 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\edKxFnQ.exe
PID 3964 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\gjGrwYq.exe
PID 3964 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\gjGrwYq.exe
PID 3964 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\TSBiQBp.exe
PID 3964 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\TSBiQBp.exe
PID 3964 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\yxakvBr.exe
PID 3964 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\yxakvBr.exe
PID 3964 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\MljqyaD.exe
PID 3964 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\MljqyaD.exe
PID 3964 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\YuSPtjT.exe
PID 3964 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\YuSPtjT.exe
PID 3964 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\RYnElAC.exe
PID 3964 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\RYnElAC.exe
PID 3964 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\OHclAFi.exe
PID 3964 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\OHclAFi.exe
PID 3964 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\hrPGDgY.exe
PID 3964 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\hrPGDgY.exe
PID 3964 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\zvMbsIJ.exe
PID 3964 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\zvMbsIJ.exe
PID 3964 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\IAydSNq.exe
PID 3964 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\IAydSNq.exe
PID 3964 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\UMieDoB.exe
PID 3964 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\UMieDoB.exe
PID 3964 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\gjJrfGD.exe
PID 3964 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\gjJrfGD.exe
PID 3964 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\RDSAQxi.exe
PID 3964 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\RDSAQxi.exe
PID 3964 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\mKqxQzN.exe
PID 3964 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\mKqxQzN.exe
PID 3964 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\SkUxvoM.exe
PID 3964 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\SkUxvoM.exe
PID 3964 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\VxdJWLl.exe
PID 3964 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\VxdJWLl.exe
PID 3964 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\xuibCfh.exe
PID 3964 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\xuibCfh.exe
PID 3964 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\octzLZU.exe
PID 3964 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe C:\Windows\System\octzLZU.exe
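Added example (the editor's code, not part of the sandbox report and not the sandbox's own logic): a small parser that folds the three populated tables above, "Drops file in Windows directory", "Suspicious use of AdjustPrivilegeToken" and "Suspicious use of WriteProcessMemory", into one record per writing process. The point is the check, which is the editor's triage heuristic rather than a report finding: a parent writing into the address space of a child it has just spawned is routine (CreateProcess itself writes the new process's startup parameters into the child), so the write rows on their own do not show injection. What they can show is whether every target is one of the process's own freshly dropped files, as here, or an unrelated image such as a system process, which would be the cross-process injection case worth escalating. The SeLockMemoryPrivilege rows are carried along because that privilege is what XMRig requests to back RandomX with large pages. The rows are copied from the tables above (a subset of the 21 dropped files, kept consistent with the full table); the only format assumption is the report's column order with no spaces inside paths.

```python
import re
from collections import defaultdict

# The parent image from the Command Line section above.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe")

# Rows copied verbatim from the behavioral2 tables above, one per line in the
# report's column order (Description, Indicator, Process, Target). Subset of
# the 21 dropped files; every listed drop has its matching pair of write rows,
# exactly as in the full table.
REPORT_ROWS = [
    rf"File created C:\Windows\System\oJlilfj.exe {PARENT} N/A",
    rf"File created C:\Windows\System\kpIpNcs.exe {PARENT} N/A",
    rf"File created C:\Windows\System\edKxFnQ.exe {PARENT} N/A",
    rf"File created C:\Windows\System\octzLZU.exe {PARENT} N/A",
    rf"Token: SeLockMemoryPrivilege N/A {PARENT} N/A",
    rf"Token: SeLockMemoryPrivilege N/A {PARENT} N/A",
    rf"PID 3964 wrote to memory of 4896 N/A {PARENT} C:\Windows\System\oJlilfj.exe",
    rf"PID 3964 wrote to memory of 4896 N/A {PARENT} C:\Windows\System\oJlilfj.exe",
    rf"PID 3964 wrote to memory of 2012 N/A {PARENT} C:\Windows\System\kpIpNcs.exe",
    rf"PID 3964 wrote to memory of 2012 N/A {PARENT} C:\Windows\System\kpIpNcs.exe",
    rf"PID 3964 wrote to memory of 1164 N/A {PARENT} C:\Windows\System\edKxFnQ.exe",
    rf"PID 3964 wrote to memory of 1164 N/A {PARENT} C:\Windows\System\edKxFnQ.exe",
    rf"PID 3964 wrote to memory of 640 N/A {PARENT} C:\Windows\System\octzLZU.exe",
    rf"PID 3964 wrote to memory of 640 N/A {PARENT} C:\Windows\System\octzLZU.exe",
]

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
TOKEN_RE = re.compile(r"^Token: (\S+) N/A (\S+) N/A$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def summarize(rows):
    """Fold the rows into one record per writing PID: the child PIDs and
    images it wrote into, split by whether the target image is a file that
    same process created ("self_dropped") or not ("foreign"), the token
    privileges the process adjusted, and any drops with no matching write."""
    dropped_by = defaultdict(set)   # process image -> created paths (lowercased)
    privileges = defaultdict(set)   # process image -> privilege names
    writers = {}                    # writer pid -> {"image": ..., "children": {pid: target}}
    for row in rows:
        if m := DROP_RE.match(row):
            dropped_by[m[2]].add(m[1].lower())
        elif m := TOKEN_RE.match(row):
            privileges[m[2]].add(m[1])
        elif m := WRITE_RE.match(row):
            rec = writers.setdefault(int(m[1]), {"image": m[3], "children": {}})
            rec["children"][int(m[2])] = m[4]
        # Rows from the N/A-only signature tables match nothing and are skipped.
    report = {}
    for pid, rec in writers.items():
        targets = {t.lower() for t in rec["children"].values()}
        own = dropped_by[rec["image"]]
        report[pid] = {
            "image": rec["image"],
            "children": rec["children"],
            "self_dropped": targets & own,     # wrote into its own dropped files
            "foreign": targets - own,          # wrote into something it never created
            "dropped_not_run": own - targets,  # staged but never launched
            "privileges": privileges[rec["image"]],
        }
    return report


if __name__ == "__main__":
    for pid, rec in summarize(REPORT_ROWS).items():
        print(pid, rec["image"].rsplit("\\", 1)[-1])
        print("  children:", sorted(rec["children"]))
        print("  self-dropped targets:", len(rec["self_dropped"]),
              " foreign:", sorted(rec["foreign"]))
        print("  privileges:", sorted(rec["privileges"]))
```

Run against the full table, every one of the 21 dropped files has its pair of write rows, so both `foreign` and `dropped_not_run` come back empty for PID 3964; a write whose target the writer never created is the row that lands in `foreign`.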

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_8a8c6aa26df36c38d826bc20e1e31d49_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\oJlilfj.exe

C:\Windows\System\oJlilfj.exe

C:\Windows\System\kpIpNcs.exe

C:\Windows\System\kpIpNcs.exe

C:\Windows\System\edKxFnQ.exe

C:\Windows\System\edKxFnQ.exe

C:\Windows\System\gjGrwYq.exe

C:\Windows\System\gjGrwYq.exe

C:\Windows\System\TSBiQBp.exe

C:\Windows\System\TSBiQBp.exe

C:\Windows\System\yxakvBr.exe

C:\Windows\System\yxakvBr.exe

C:\Windows\System\MljqyaD.exe

C:\Windows\System\MljqyaD.exe

C:\Windows\System\YuSPtjT.exe

C:\Windows\System\YuSPtjT.exe

C:\Windows\System\RYnElAC.exe

C:\Windows\System\RYnElAC.exe

C:\Windows\System\OHclAFi.exe

C:\Windows\System\OHclAFi.exe

C:\Windows\System\hrPGDgY.exe

C:\Windows\System\hrPGDgY.exe

C:\Windows\System\zvMbsIJ.exe

C:\Windows\System\zvMbsIJ.exe

C:\Windows\System\IAydSNq.exe

C:\Windows\System\IAydSNq.exe

C:\Windows\System\UMieDoB.exe

C:\Windows\System\UMieDoB.exe

C:\Windows\System\gjJrfGD.exe

C:\Windows\System\gjJrfGD.exe

C:\Windows\System\RDSAQxi.exe

C:\Windows\System\RDSAQxi.exe

C:\Windows\System\mKqxQzN.exe

C:\Windows\System\mKqxQzN.exe

C:\Windows\System\SkUxvoM.exe

C:\Windows\System\SkUxvoM.exe

C:\Windows\System\VxdJWLl.exe

C:\Windows\System\VxdJWLl.exe

C:\Windows\System\xuibCfh.exe

C:\Windows\System\xuibCfh.exe

C:\Windows\System\octzLZU.exe

C:\Windows\System\octzLZU.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3964-0-0x00007FF6DD7F0000-0x00007FF6DDB44000-memory.dmp

memory/3964-1-0x000001C208FE0000-0x000001C208FF0000-memory.dmp

C:\Windows\System\oJlilfj.exe

MD5 b1e34aa7cf11e47f28a532a9115a405e
SHA1 34c6101a0c1598ecc99648d63fae36a427947e67
SHA256 58e1537520cb62abd652f9a62895c7e3c4bd123e0f5889609006920846b731e9
SHA512 d64c753baa74472068aa9e764aa5d6e15be5979dd48d372e1a78e6945242a4cb2f4ebb802cd5a1811a9ebe9c57063c55123f5e8c097ffa682c6acb89a44950c6

C:\Windows\System\kpIpNcs.exe

MD5 e2d5f13b5e52196897bd57ed6f7f3f87
SHA1 b2943a3b6d1f041b579033f69d7b9af965f76539
SHA256 e17028f3ea329dd2f0b8c1343d28f3f1f8d56fd8a2fb3936fd7c7a6ceee1b5df
SHA512 f0e48825d53b443ae529bb30b7800a7d2297b3cd3c023ee4c078859aa233211c18cd0141b2d768d4388cc20e0d63c50060dc3409d7ff02b6555448ce213a59ba

C:\Windows\System\edKxFnQ.exe

MD5 7ea63204cdfa0e5049d6ffd3e2af70df
SHA1 2645d9b148f36aa2a582d6441223d50df9f0e5b5
SHA256 999437c4cd8fc1ca9f48782ec34ea944a3b16fe16db39f328441011c3f175c64
SHA512 b27060d2513d2f048a4eabcb5950e2e09474fb79e908c3e42b3fe2dfa3baf4b6ba57f3898e0f564d974ad0d4d0710b30a5da4823d0ff26c3c638aaac2e50152e

memory/1164-20-0x00007FF6F0B50000-0x00007FF6F0EA4000-memory.dmp

memory/2012-19-0x00007FF766660000-0x00007FF7669B4000-memory.dmp

memory/4896-14-0x00007FF7063A0000-0x00007FF7066F4000-memory.dmp

C:\Windows\System\gjGrwYq.exe

MD5 d1d667afe1bd3e713e7dcfffde04f5ff
SHA1 bbfd0d573722485784a4adb24f181c3d484f3e39
SHA256 729eb2bd70c393e0973073982a4d49b0dbff57e04eb1d056408b3075ff4ea402
SHA512 f77d1c558e60fca3c837babd6d5b4a64aa4c4a536526c89bb3a34fdc03728a16ed404397b33fe5dcc8d764ac490482ee04a5742949ad07dd0aff2e678cedaa14

memory/3908-26-0x00007FF63B130000-0x00007FF63B484000-memory.dmp

C:\Windows\System\TSBiQBp.exe

MD5 fc2c770ce7d0f5f1135ce42d65ba3aad
SHA1 d3ffc200eae70898bc580ddd1301850852c593e4
SHA256 98947c713b9531bcaa755bd88c73577de464eb3e2064901424294f181bde5ab2
SHA512 1cab935325a23e449947ee28e5e90d23aebf69a17644051fb0f0ed1a1127ff92437555323c62ec2731e88e0654e784e4f45d64cc443a4eded551185dd05e3405

C:\Windows\System\yxakvBr.exe

MD5 29a138675504427bca0f86ca344a7d94
SHA1 e37c6da066e0a96eb81491eae6f232963c8ddbeb
SHA256 1265210a1c28e1d4d669fb04f5f2eafa059ae33908861acc4984f61424691e81
SHA512 fe0e22910e8ea98b5b4a349be20fded8f6d5fa41348165956845791ed1fe137e28313a6ba2ce01202abe30683f0414bc294556a82d170da9c3772e51622493b5

memory/452-32-0x00007FF614600000-0x00007FF614954000-memory.dmp

memory/4112-37-0x00007FF6A7DA0000-0x00007FF6A80F4000-memory.dmp

C:\Windows\System\MljqyaD.exe

MD5 1a3733f7c5ef8c82846235aa1e192e07
SHA1 696a1695c2f4d89bce0df9903e2725e1b12dfa5a
SHA256 d9224c9453c16fb70555ef7839215ec2b68d837bcdf73ffbea790c91fdb7d71b
SHA512 647c64ca4df2fdd177376bb25ea250a993ef989efd51fe674985a79ac17dd1a5b5366c24a15e7d97e71eb7c24204e5f29e9da046896d2ed015ced2ea06532904

C:\Windows\System\YuSPtjT.exe

MD5 b934082b0c07895527f43788c143a19a
SHA1 f5c8b220ff3cce01317b2ed3f64a47fb0b17f394
SHA256 d29f3ac4d0477bcde59e88f87f194a997fe05cc7e7ef6b03b1768c9b8051bc3c
SHA512 43e94c8ba9afd30aa1f91552a43b8888bd66b882bacc0b2a32700a5a9e0edd931bf0472bfb25137bb9b0b05b1698923516725249c231aa062c909719119063be

memory/4144-45-0x00007FF74FF50000-0x00007FF7502A4000-memory.dmp

memory/1728-48-0x00007FF6796C0000-0x00007FF679A14000-memory.dmp

C:\Windows\System\RYnElAC.exe

MD5 b241363a4c0f6e58b313a4a9f3df5397
SHA1 2474fc004868412b9d1277556b05bb1e04d34ab2
SHA256 5a09c473de0f6d245cd5fb3dcbfdfb5744ac497fd1eca1077a0248fc69458b7b
SHA512 228b7075917c7e6f8bcc5c9c0c16b1a78d988efb4568e8786b58070183ccfa6bffd371882a65005fd0751fdec3ed8f0826f9ff800d176b9a6598b3e039ad5995

memory/1528-56-0x00007FF75CB40000-0x00007FF75CE94000-memory.dmp

C:\Windows\System\OHclAFi.exe

MD5 4194418d1acdd53219f1ed090865fb9f
SHA1 1a6f58d4c765e098aef3c6cf3dd79f7598f3b4e5
SHA256 2a4e65ae4af63d86193a4cdefac7ba2a2cd614900e0d368c1f2101bdd60dfaaf
SHA512 ed46419a540552a1eea0926d59777df57a75b1e9ab9d4cc31c239ae0056656212b9cf4f829feda5e67b5b4dabff4f9d3fbf55fc1e98ad545b8ebf4cdc2d556ed

memory/3964-62-0x00007FF6DD7F0000-0x00007FF6DDB44000-memory.dmp

memory/2036-72-0x00007FF658250000-0x00007FF6585A4000-memory.dmp

C:\Windows\System\zvMbsIJ.exe

MD5 11629c6159eaacfb444e402319617c29
SHA1 6fa1e5ce90f3a855b3f948a49fba9ee39135631a
SHA256 ce6fb0c5914d05c9ba12acac4af0e72fa827b6cc988ef6f766321eedb5f4accb
SHA512 f86151e1c62017ac86d357c3cbc03df20056b536a19a9f0b5ac448e068078e56c25af0abcfa1bf6d252851ec51e966acb71f252dea6fa290662f2337fafafc0e

C:\Windows\System\UMieDoB.exe

MD5 a06722bc38cf39b8cac088c07ca57157
SHA1 c9557f44a14100b7674ab8423127248f28f4887b
SHA256 e87fe78ceb986099a5927feaec0446cbc4881dd4bb037917bd382068ea6aad54
SHA512 c397cc2bb840a828ae1ff338a66e510c56472e61fd3ba8c9f8ccf9de1e19d84c6847dbb16b1b6a5dbac008e470aa72f43b92f6d8b2657f901faa6e84ed04c1aa

C:\Windows\System\gjJrfGD.exe

MD5 7ca51e40b3245d1980a172985defaa20
SHA1 3466b5a2329a38b0f204f4be90427043c09f9216
SHA256 ab769b71570408854f25dbc523b8c928d02779b9b35d94ce413be1bc136e5b96
SHA512 ed71bbf3c4df9cbf2b7d5056ac4f4df67eed625e519dc1e8ba3e0ea7958acd1df3bc5212230d642603e5539d3a5c70b98258bb9af6936233a9e3832f51ff5a7c

C:\Windows\System\RDSAQxi.exe

MD5 7cebdd2a580811ee2f2c0f206d427824
SHA1 c074eeae26161f2a6a889dfabfa050268071a737
SHA256 df574e3c943c1257c5925cef51f02e898c81eb06a88669504aa335035d038af7
SHA512 a93e6142a2ed29924f971cead0c4c9830cc5e1f0297a0cd05ca702cde60936e449d3c7c6b579b5e375c39a3b0c8cae710212be918d1176209fce6e515256c370

memory/3952-93-0x00007FF78C090000-0x00007FF78C3E4000-memory.dmp

memory/1912-98-0x00007FF7FB2F0000-0x00007FF7FB644000-memory.dmp

C:\Windows\System\mKqxQzN.exe

MD5 a9421dca4499b7b415ce29529312bd7d
SHA1 8d78b6b8d4fb7dd4754520a1ecd18c002e779631
SHA256 2ef4d38449d4e3020955df2489834137ab4993da0ed31a13de24633cee6f4e78
SHA512 b0bb60cfc3fa847ce484e83b3c0ae2c41f02a97513f3434a5a88e5ba222b1ba2a1c96e7024d0c0aca202a973a8be6843e0f05cdb97ce7f2d76476e936c9da02f

C:\Windows\System\SkUxvoM.exe

MD5 81016c9af02a7328133967a72c4cce2c
SHA1 6faf37354148d472ed68f4491369e08388371dec
SHA256 28b3f5f5d8e34e448fda84925bb49a70c5cee96de5a4185b3cac807d9edfe93c
SHA512 46a827d524b1b659013abdec7a4dc3fbef82dc9be4334621be11718c26164da5fc42331cedcc57ef6bbb2f7d3a1fc1c7bf541d697b61a14038926b186ef4dab0

memory/2508-113-0x00007FF7CA6B0000-0x00007FF7CAA04000-memory.dmp

C:\Windows\System\VxdJWLl.exe

MD5 e914cf79a8c27b7655224a33fecdcfbe
SHA1 b3fcf9bbe52dcae6db98bea3766c8aad4d1b3a55
SHA256 1b15e6d91aa51edb0674765fc983bb9aaeb0b7c9c133963f20b5a4abaffa767f
SHA512 b0a6a9e8356f5b23f4c5948b1e8ca13fa24b5306f44eb2e85d3759bdcdb1ae29561c3b98c6b22bb1afde480ad25d29a6ac29542dc8eed24f37869a568b3ff59e

memory/1656-114-0x00007FF6A75C0000-0x00007FF6A7914000-memory.dmp

memory/3908-112-0x00007FF63B130000-0x00007FF63B484000-memory.dmp

memory/1048-100-0x00007FF7C3570000-0x00007FF7C38C4000-memory.dmp

memory/4264-97-0x00007FF6F4080000-0x00007FF6F43D4000-memory.dmp

C:\Windows\System\IAydSNq.exe

MD5 caaad1bb67272113c64efa0e78ff2147
SHA1 d94d2ed4f76b8d22f21925779bce21d0220233aa
SHA256 8c4caa6bc883c6e0a70395087f0ec677117441e07915e183ecb50c98bb3d03b1
SHA512 500794d15a9a9538c2e00bd6a6a134ff8b710835b8d03f6f58553746e29b6da19efb3b92c148f20b8159872845c0e67124d0fae84756c66cf537a749bc4b695d

memory/2864-118-0x00007FF6A9950000-0x00007FF6A9CA4000-memory.dmp

memory/3276-73-0x00007FF73A2D0000-0x00007FF73A624000-memory.dmp

C:\Windows\System\hrPGDgY.exe

MD5 525151cb153234c551eb112d03bc5851
SHA1 9040e132b135c50f172084bf3417abaf1fe6bb84
SHA256 8f0616fa20921a57eb5d571d66abb9b7e7bdf41b019e979e4ed25915a8d988a2
SHA512 1c0becdc8aca7e0457c7b1df7b5bcb6156389a5f4276bb0aa0660e92944f0c0c6f18834cbafa9bb3ff003add9dd1fc494111d042b84158e800a1dd0044b2e89c

memory/5040-66-0x00007FF700D40000-0x00007FF701094000-memory.dmp

C:\Windows\System\xuibCfh.exe

MD5 646ce5239f9ec5287686ba18b59b6c4f
SHA1 e299493721345e446fb8db45c3dacfddecd9e7b3
SHA256 590ef8e4d1745293eba236c3c4bcfc3e4b4eb9c1146a81993830690ef392566c
SHA512 d1c06782da3c9ad2b0951934aa65a2e1d68622a10b468369bc70bc77023e5e35906d15685277193ab57a34dae961a82a8b389ef4b9dfbe2155c79919bab7a9e9

C:\Windows\System\octzLZU.exe

MD5 111f2538b1d81553f19fb5365e325fa2
SHA1 b3c83a29b794422bf1bd9bd6fbae221572592e4e
SHA256 abdaa2bade56dfdfba4b947023ee5f57e55d9ac48754096fd99213cbd8494313
SHA512 c95011f6dad5f2307fb4c8463271407d8be04c016b6df3194ce708c63b407e68d7d39339644c633742b7d1cf1166bad13deba49bb4600f4e03fcc84943d9da46

memory/640-128-0x00007FF603020000-0x00007FF603374000-memory.dmp

memory/4112-122-0x00007FF6A7DA0000-0x00007FF6A80F4000-memory.dmp

memory/1208-125-0x00007FF71CAB0000-0x00007FF71CE04000-memory.dmp

memory/1728-131-0x00007FF6796C0000-0x00007FF679A14000-memory.dmp

memory/2036-132-0x00007FF658250000-0x00007FF6585A4000-memory.dmp

memory/3276-133-0x00007FF73A2D0000-0x00007FF73A624000-memory.dmp

memory/1208-134-0x00007FF71CAB0000-0x00007FF71CE04000-memory.dmp

memory/640-135-0x00007FF603020000-0x00007FF603374000-memory.dmp

memory/4896-136-0x00007FF7063A0000-0x00007FF7066F4000-memory.dmp

memory/2012-137-0x00007FF766660000-0x00007FF7669B4000-memory.dmp

memory/1164-138-0x00007FF6F0B50000-0x00007FF6F0EA4000-memory.dmp

memory/3908-139-0x00007FF63B130000-0x00007FF63B484000-memory.dmp

memory/452-140-0x00007FF614600000-0x00007FF614954000-memory.dmp

memory/4112-141-0x00007FF6A7DA0000-0x00007FF6A80F4000-memory.dmp

memory/4144-142-0x00007FF74FF50000-0x00007FF7502A4000-memory.dmp

memory/1728-143-0x00007FF6796C0000-0x00007FF679A14000-memory.dmp

memory/1528-144-0x00007FF75CB40000-0x00007FF75CE94000-memory.dmp

memory/5040-145-0x00007FF700D40000-0x00007FF701094000-memory.dmp

memory/2036-146-0x00007FF658250000-0x00007FF6585A4000-memory.dmp

memory/3276-147-0x00007FF73A2D0000-0x00007FF73A624000-memory.dmp

memory/4264-148-0x00007FF6F4080000-0x00007FF6F43D4000-memory.dmp

memory/3952-149-0x00007FF78C090000-0x00007FF78C3E4000-memory.dmp

memory/1912-150-0x00007FF7FB2F0000-0x00007FF7FB644000-memory.dmp

memory/1048-151-0x00007FF7C3570000-0x00007FF7C38C4000-memory.dmp

memory/2508-152-0x00007FF7CA6B0000-0x00007FF7CAA04000-memory.dmp

memory/1656-153-0x00007FF6A75C0000-0x00007FF6A7914000-memory.dmp

memory/2864-154-0x00007FF6A9950000-0x00007FF6A9CA4000-memory.dmp

memory/1208-155-0x00007FF71CAB0000-0x00007FF71CE04000-memory.dmp

memory/640-156-0x00007FF603020000-0x00007FF603374000-memory.dmp
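Added example (the editor's code, not part of the report): the memory-dump names in the Files sections of both detonations follow memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp, so the size of each dumped region is end minus start. Working that out for the entries above gives the same 0x354000 bytes for the parent's main image and for every dropped executable whose dump is listed, in the behavioral1 run (PIDs 1196, 2460 and the rest) as much as in this one, even though each dropped file carries a different hash; the parent's second dump (0x10000 bytes) is the one region of a different size. Identically sized images behind that many distinct hashes point to one program body re-emitted with per-copy byte changes rather than to many different payloads; that reading is the editor's inference, not a report finding. The names below are copied from the report (a subset spanning both runs); the three-PID threshold is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Dump names as they appear in the Files sections above:
#   memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Names copied from the report (subset). The first seven are from the
# behavioral2 run (parent PID 3964 and four of its children), the last two
# from the behavioral1 run (parent PID 1196 and child 2460). PID 640's region
# appears twice because the sandbox dumped it at two points in time.
DUMP_NAMES = [
    "memory/3964-0-0x00007FF6DD7F0000-0x00007FF6DDB44000-memory.dmp",
    "memory/3964-1-0x000001C208FE0000-0x000001C208FF0000-memory.dmp",
    "memory/4896-14-0x00007FF7063A0000-0x00007FF7066F4000-memory.dmp",
    "memory/2012-19-0x00007FF766660000-0x00007FF7669B4000-memory.dmp",
    "memory/1164-20-0x00007FF6F0B50000-0x00007FF6F0EA4000-memory.dmp",
    "memory/640-128-0x00007FF603020000-0x00007FF603374000-memory.dmp",
    "memory/640-156-0x00007FF603020000-0x00007FF603374000-memory.dmp",
    "memory/1196-80-0x0000000002210000-0x0000000002564000-memory.dmp",
    "memory/2460-81-0x000000013FBD0000-0x000000013FF24000-memory.dmp",
]


def parse_dump(name):
    """Split one dump name into its fields; size is end - start in bytes."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_size(names):
    """Group distinct (pid, base) regions by size. A region dumped several
    times (same pid and base) counts once."""
    groups = defaultdict(set)
    for name in names:
        d = parse_dump(name)
        groups[d["size"]].add((d["pid"], d["start"]))
    return dict(groups)


def shared_image_sizes(names, min_pids=3):
    """Sizes that show up as a dumped region in at least `min_pids` distinct
    processes, mapped to that PID count. One size recurring across many
    freshly dropped, differently hashed executables is the signal to flag."""
    shared = {}
    for size, regions in regions_by_size(names).items():
        pids = {pid for pid, _ in regions}
        if len(pids) >= min_pids:
            shared[size] = len(pids)
    return shared


if __name__ == "__main__":
    for size, count in shared_image_sizes(DUMP_NAMES).items():
        print(f"0x{size:X} bytes ({size // 1024} KiB) dumped from {count} distinct PIDs")
```

Pasting the complete Files lists of either run into `DUMP_NAMES` keeps the same single shared size; the next step a practitioner would take is to diff two of the dropped files at that size to see where the per-copy changes sit.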