Malware Analysis Report

2024-10-24 18:16

Sample ID 240606-nwvp1aef46
Target 2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike
SHA256 2e17763c68edcfd13a5730fcee41ba586a5671dd08bede468d189062629beee4
Tags miner upx 0 xmrig cobaltstrike backdoor trojan
Score 10/10


Analysis Overview

score
10/10

SHA256

2e17763c68edcfd13a5730fcee41ba586a5671dd08bede468d189062629beee4

Threat Level: Known bad

The file 2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags: miner upx 0 xmrig cobaltstrike backdoor trojan

Families: xmrig, cobaltstrike

Signatures (each listed once; the report repeats several of them):

Xmrig family
XMRig Miner payload
Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 11:48

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 11:45

Reported

2024-06-06 11:50

Platform

win7-20240215-en

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no details recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (51 identical rows; no details recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (53 identical rows; no details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A (21 identical rows; the loading process is the submitted sample in every case)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (51 identical rows; no details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\SfTXoam.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iGsEjLJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wJZikzw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KCShJrA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fxGCKvq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AAQyVag.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HRmxnZu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\joxWise.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\llFiCqe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jbScfee.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bIlPaot.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qZQjxBh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wolnpFn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oKmInuB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jEQPmOV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WljpwRU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\llcFyAZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sVtUyVk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XaVTnqL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qpWbFgt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BjamvPJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(The report records three identical write events per target; each is shown once below, with the count in the Description column. Process is the submitted sample, PID 2388, in every row.)
PID 2388 wrote to memory of 1420 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\XaVTnqL.exe
PID 2388 wrote to memory of 1796 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\qpWbFgt.exe
PID 2388 wrote to memory of 2172 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\BjamvPJ.exe
PID 2388 wrote to memory of 2612 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\oKmInuB.exe
PID 2388 wrote to memory of 2620 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bIlPaot.exe
PID 2388 wrote to memory of 2144 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\jEQPmOV.exe
PID 2388 wrote to memory of 2624 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\WljpwRU.exe
PID 2388 wrote to memory of 2100 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\SfTXoam.exe
PID 2388 wrote to memory of 2740 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\iGsEjLJ.exe
PID 2388 wrote to memory of 2476 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\qZQjxBh.exe
PID 2388 wrote to memory of 2536 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\wolnpFn.exe
PID 2388 wrote to memory of 2972 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\AAQyVag.exe
PID 2388 wrote to memory of 1972 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\HRmxnZu.exe
PID 2388 wrote to memory of 2776 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\wJZikzw.exe
PID 2388 wrote to memory of 2824 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\llcFyAZ.exe
PID 2388 wrote to memory of 2828 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\llFiCqe.exe
PID 2388 wrote to memory of 1732 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\joxWise.exe
PID 2388 wrote to memory of 1724 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\sVtUyVk.exe
PID 2388 wrote to memory of 2768 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\KCShJrA.exe
PID 2388 wrote to memory of 2704 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\jbScfee.exe
PID 2388 wrote to memory of 1524 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\fxGCKvq.exe

Processes

Submitted sample (PID 2388):

C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe"

Child processes (the report lists each twice, as image path and as an identical command line; shown once here):

C:\Windows\System\XaVTnqL.exe
C:\Windows\System\qpWbFgt.exe
C:\Windows\System\BjamvPJ.exe
C:\Windows\System\oKmInuB.exe
C:\Windows\System\bIlPaot.exe
C:\Windows\System\jEQPmOV.exe
C:\Windows\System\WljpwRU.exe
C:\Windows\System\SfTXoam.exe
C:\Windows\System\iGsEjLJ.exe
C:\Windows\System\qZQjxBh.exe
C:\Windows\System\wolnpFn.exe
C:\Windows\System\AAQyVag.exe
C:\Windows\System\HRmxnZu.exe
C:\Windows\System\wJZikzw.exe
C:\Windows\System\llcFyAZ.exe
C:\Windows\System\llFiCqe.exe
C:\Windows\System\joxWise.exe
C:\Windows\System\sVtUyVk.exe
C:\Windows\System\KCShJrA.exe
C:\Windows\System\jbScfee.exe
C:\Windows\System\fxGCKvq.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none recorded) tcp (6 identical connection rows)

Files

memory/2388-0-0x0000000000300000-0x0000000000310000-memory.dmp

memory/2388-1-0x000000013FDB0000-0x0000000140104000-memory.dmp

C:\Windows\system\XaVTnqL.exe

MD5 a67ec3ca969833560c3e23ece866cdd1
SHA1 0606974d4c818917dec70c46de9189b24e03f384
SHA256 5e126ad4cc3b5f5e974f2895ad4ef77953d4344018e8d0aa4b7d3e3c9b2680b4
SHA512 74d9d4a0d0a86d51e3324f587d6451e9a9ac4dd5757c4431c0a1828613d9287819f76eacb9d2a0419cafd0d74946472ac7972fb67a36eda1dbe37dc2b7c82fbf

memory/2388-8-0x00000000021C0000-0x0000000002514000-memory.dmp

C:\Windows\system\BjamvPJ.exe

MD5 980a052739cf54114cb56727c2533ff9
SHA1 d1371456e9aa1e2e0eeb9b34c6fc76314bb52275
SHA256 a74e6642dab7b24d88ae170333f6d3f6dac2328d4da8453349acd0eb68d14346
SHA512 cf2d5d29dcc4f75e4f2bf6a60818088eaedf9dc707e015d7d494c910d12eee149f0a92fdc4862648a13b418aaa891709850a59053bda88fcabb79158f38f380b

\Windows\system\qpWbFgt.exe

MD5 1f4055ba2f49e9f61c584540738933d6
SHA1 e830b0ca35a63026536d782350bdf0326993d72f
SHA256 f5b179c0bedd1ac9d85bd45a3842f044426e835dfb330ab8ae5e6c0b63dd6337
SHA512 9fedf377e45f04282160713e779854f582d839a2c1f117bcb182d6082c5d360ba3604256d6e3de83a175b1334fb9ecf4cc7f7956d29ffe1ec543532de1f25174

memory/1796-20-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2388-27-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

C:\Windows\system\bIlPaot.exe

MD5 77d0c9c7515457defe28c9e206d691bc
SHA1 02b9eba57792ece09913fb8191ab87fbda599a55
SHA256 25865c52e8b6cad48d63629317754642d2022d65e03dd23929974e1bf530465f
SHA512 20d319968f1baea2aeae0ff33a54bc1f595f8d469ba011759c1047aeb3c88fc872e5ac5bb5f11de2a7547a0cdbf7ab5ef77fedd81e49d9008da196145a0b2e84

memory/2388-39-0x000000013F090000-0x000000013F3E4000-memory.dmp

C:\Windows\system\jEQPmOV.exe

MD5 200c08a5064962ffa45a78119c46f112
SHA1 7e3fb26fcf0319fcb2699ebf86c34d85632ac0be
SHA256 407af22b2d0972f6b986f29ba47bde6cc3774c6dd28fb6db7818fbc5fa002640
SHA512 7349e13860b0dbcef126b0fcc2a0ffbb4cdf042cbbd9dd75d62c45126f758afee8fe6cc3882e610234ad406ac840928fdb0105776c2a8563f0d0e4157cfb810c

\Windows\system\WljpwRU.exe

MD5 9ee3e5f5c90eef8eff424ab6df5e4439
SHA1 3ea163786336c6afed5cf5c6552166fb59ceb0dd
SHA256 b460f0266f43a71aab5fe8c78318c1bb387b2553fdea58a380f20a24ec142c58
SHA512 5b93c542558d76be7c550ddb5e40a780294d444cd6e13bead49f6ced4184ab7b2b838f9eb52ad5f03aee1de93888f5dc81ab04968a231d65537c67e773b14ec5

memory/2172-32-0x000000013FEE0000-0x0000000140234000-memory.dmp

memory/2612-29-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/2388-36-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2388-22-0x00000000021C0000-0x0000000002514000-memory.dmp

\Windows\system\oKmInuB.exe

MD5 ec841b94e9b0ccf9422a50c6cc63ccc4
SHA1 f8beaece84974eea01467b39a7fcd0e537b0b103
SHA256 be26140f4f4bf9b230542f455a44f0483084fd2842273932df977d9e8cb802a6
SHA512 f7a27ea4daaddabf5cb53e4afa4c8576d3cdeabc9f0c18ef9789e649cbaa3c696419658d6c56f0c32b178b30e0375a930e280f6422a390349ab70c5f07286adb

C:\Windows\system\iGsEjLJ.exe

MD5 19d8e3410deda33b8ad003946ab1887b
SHA1 fc95394da9537faf5dc24769842cbc09abb0ebf4
SHA256 422a072c26dcd3d527fc98a56b1c51af9b53099386f8e1ccc8bc14d464627991
SHA512 954f7d6f92a028b108ba79b18607e94ed00ef7d81e0242b4df76a3ea7607e81d176d88733d7bd8f0f9824e9e27c300dd5778837a00f257faf74cc57bbd447c4c

memory/2144-49-0x000000013F090000-0x000000013F3E4000-memory.dmp

C:\Windows\system\AAQyVag.exe

MD5 b3d1cb9b50d3cd62c8608adfe82d92b2
SHA1 4e96b5c6815b4522a8892741a185406d01557a45
SHA256 daf08477d4788182b321a8ba6d78b84c41de172011062f531e364f88d6958168
SHA512 601047cd24c184aa808ad0e2ffe6bda4d79ee45fb87cdef0723d19583f94cd709fadb73f3a636829392d39e1eaaf4dec4f9236e4a2226024a95b5d30cb605443

memory/2388-103-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2388-105-0x00000000021C0000-0x0000000002514000-memory.dmp

memory/2776-106-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/2388-104-0x00000000021C0000-0x0000000002514000-memory.dmp

memory/2388-102-0x000000013F430000-0x000000013F784000-memory.dmp

C:\Windows\system\llcFyAZ.exe

MD5 cd26d3504de7396293770ebda496a941
SHA1 85f76ad72f7c4c19bef2a8c3cdbf708f8ff15585
SHA256 7a04de817a7f7d4b92e06836ff74dc3a9d35a9be907da82427b3d8b52879446a
SHA512 8e25765395bffba48de66afdae459a7e1e1c0a4c7f0e0e65d42c4cbe956a344b4e6892355f296bbf2937753f2f0573990a7727ba6dff7f1c1638ba5ab9200270

C:\Windows\system\HRmxnZu.exe

MD5 dd756623a23c20d31744cb147866875a
SHA1 3fa09fe5563007fef6573c165b2549eb9dd97e95
SHA256 fcff0c178d4f225022c893a50588765e9053174bc3698f0462cfbb1a17e6375b
SHA512 4f0ccd023a27be5f7c006b0a93732efb822015f673a6aa232d5473dc5cd13d36f86f499db8dac6f38d975c2dd3c22c7da0ebb5a4f57a0f69b92071122565dd83

C:\Windows\system\joxWise.exe

MD5 db8bd90cb7a4cf076cb8c9161a74e7e4
SHA1 e04c27048f724c7c8a518f488f153f389b078550
SHA256 459548cd24b864d313bbb7e4d9a956fd76cc31606caa6435e86293eb66e362cd
SHA512 a8c0e4c1cb1c4055bde1e0c32aeab0ffff13b7a2af23dfc956f3a01731e330ffaadc2a98e7bc6701040e329c41b38f1f48cc356b66efcf7e0f05153303d49784

memory/2972-95-0x000000013F430000-0x000000013F784000-memory.dmp

C:\Windows\system\llFiCqe.exe

MD5 0b5e7d14f8499b2f1e3486fac46d9597
SHA1 1986145f49fd4e8afc13fba8cd4b7788c372cd47
SHA256 0a93792baf16a468b1ea1fb712e5d62d1233b8f0992f2d5844bd9d3e2d728410
SHA512 6033b920fa288fb916537b1b6c9a51a095d7cbe478ddd770391909bee1b36e0199b7f80fdee80256012bdea67e8b56e608fbef23df084d3409fa1daa04acc0e5

C:\Windows\system\wJZikzw.exe

MD5 4945b330e81ae99b6a4107ab9b876209
SHA1 f86ab23944574d8ee779a797d2d74d9c3968cf1b
SHA256 f4d6746b003db90813ceef39c27a3add6f462f8d9610969294471e84441ef959
SHA512 3bd229a7023055b068d065eeaf44b957f2291780fd75754c7ccd5f813523b9d3374e6652f3c07a294a5c9275156caec54b5e999baecde3c6cc7241fb3be1e768

memory/2536-91-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/2100-82-0x000000013F9B0000-0x000000013FD04000-memory.dmp

memory/2388-75-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2740-72-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2476-71-0x000000013FA10000-0x000000013FD64000-memory.dmp

C:\Windows\system\wolnpFn.exe

MD5 94a5fce090c05a84f54c72d7603f54b1
SHA1 1e5b65c753394aae48b96cdf024f980fc4e5b115
SHA256 d9801b7c6635c5357e7686e905c49bbdffe1eaeeaf8048cab544f1d5b69839a3
SHA512 ca4ce80786e2af6f55f089bec2902d0bfd8528e423b63cb1ad4ce1fb0daedee4f888dfc9225efd1cdc6a44067a5dd68a74e40930de88baa1662f6cd6b2afc860

\Windows\system\qZQjxBh.exe

MD5 512892e19d9a399dd2d230f08e5f5988
SHA1 100cf3903b1e8eb15521ef7edc65437bac4ce2ab
SHA256 1dd2234ee16541f417124a340799aba4bd101c89f608e6a476790bf77b61e631
SHA512 190a2034f3647691c4d28edb5ddf87ab932c4437fa9c61e2386163f56d0408833a3f995fdfef96b62e5fe2670827fd1953b2474ee2ee8ec227b2cd15b55bf807

C:\Windows\system\sVtUyVk.exe

MD5 6485ae779ef0334a61f8c291d87e81bf
SHA1 ba512cb10d50d2c26e09c1a57d3ef4f829e12676
SHA256 7869813586f96aa0ecf30ef630cf08699a2d0d54110a36a3a664fa6ec5398db0
SHA512 43e808c3c2d2d7366a1c815fc75ea013c471ce13a4f9528864cf398bfa35823bf0375ace8f331de1c101aadb465f70982b3996262568032f3cc3268833875720

\Windows\system\fxGCKvq.exe

MD5 a103e025133b0df09b10a6ca70d6aa0b
SHA1 c748e2a26feb65b711fa9e9de551982940d71112
SHA256 b8998dfb4095ac479b709bbfad8b3fc605b7996ae7f97faaefab0eb118aa5dd5
SHA512 29f0eff5042b30e48b2094a5b57a184e25659a047abc624953f613e9788532b5fa5abc132a6cb9a82fce644c020eb4ec484c5d18431ba3d4c023bdef7a6751f0

C:\Windows\system\jbScfee.exe

MD5 6ca846b6d1cb732dcaa15026f4064380
SHA1 99eed9a74718a3854137f6bc9ecd85e365049015
SHA256 2485c1d575dae3cbe6624a35dcaffe7e7b261f1eded10b80a16e53ce588f80d2
SHA512 3adabda8d174ad5dbf8f3cf6c2858db7b58448e98f9f260d4838b3cd0dde4628ffe20bfd26972f342e89706d0d0d1e7ab837c3c0997f85937890507761b36ceb

C:\Windows\system\KCShJrA.exe

MD5 cca4a693780cd4e823275e901414333e
SHA1 50d391ce8159efb42f67d8d8fc2c56c9cc783c1d
SHA256 0829f55e1f443f8591f0877eecf6bde50cabbefa7c983e564ce2f0da0959645c
SHA512 bad0607d43777bdd52c774d51c94d32517e1a3975eea141e08dd60edbd2a65a50451825708b5252977108629ab2ee52f1f320c6e85b404548081465ed4e4d55f

\Windows\system\SfTXoam.exe

MD5 cf8eefee768288e99107c499c09410fd
SHA1 0104e07a5f8f4cfa4324694b8a3f50b6c3fe5dc1
SHA256 cb3499588d089ffd1af911b9e0d95675bffbe8f88fbdbf2814a7adcedb031027
SHA512 fa5bc51344d67b9fefdde0fcb2a0e7dfef7049d2a86d3a89e4b89f9dbd4a69fecd92651b5f2efb251692651227d597f4b6778e962bbfc4c1ace5ea68504c0f98

memory/2388-66-0x00000000021C0000-0x0000000002514000-memory.dmp

memory/2624-62-0x000000013FB10000-0x000000013FE64000-memory.dmp

memory/2620-53-0x000000013F340000-0x000000013F694000-memory.dmp

memory/1420-16-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/2388-131-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/1796-132-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2388-133-0x00000000021C0000-0x0000000002514000-memory.dmp

memory/2388-134-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2476-135-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2388-136-0x000000013F430000-0x000000013F784000-memory.dmp

memory/1420-137-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/2612-139-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/2172-138-0x000000013FEE0000-0x0000000140234000-memory.dmp

memory/1796-140-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2620-141-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2144-142-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2624-143-0x000000013FB10000-0x000000013FE64000-memory.dmp

memory/2740-144-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2536-145-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/2476-147-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2100-146-0x000000013F9B0000-0x000000013FD04000-memory.dmp

memory/2972-148-0x000000013F430000-0x000000013F784000-memory.dmp

memory/2776-149-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 11:45

Reported

2024-06-06 11:50

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows in the export, all N/A: the rule fired but no indicator detail is available)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows in the export, all N/A: the rule fired but no indicator detail is available)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows in the export, all N/A: the rule fired but no indicator detail is available)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows in the export, all N/A: the rule fired but no indicator detail is available)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows in the export, all N/A: the rule fired but no indicator detail is available)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\dnRlZrw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WazBPJn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oLxkPnd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NwqkYXg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CkWoRJg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uVuUOTE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\izeCgpe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sAzXpix.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ipqAwdl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DoarYJb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RpQphqo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TLkwVsQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wStldGg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wfZrOet.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BcsswCh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oJTGydi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XHJaKzf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HSfFRvj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DByXinl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ebjqwDF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UaaUjka.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4756 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\dnRlZrw.exe
PID 4756 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\dnRlZrw.exe
PID 4756 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\XHJaKzf.exe
PID 4756 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\XHJaKzf.exe
PID 4756 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\TLkwVsQ.exe
PID 4756 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\TLkwVsQ.exe
PID 4756 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\wStldGg.exe
PID 4756 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\wStldGg.exe
PID 4756 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\HSfFRvj.exe
PID 4756 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\HSfFRvj.exe
PID 4756 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\wfZrOet.exe
PID 4756 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\wfZrOet.exe
PID 4756 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\izeCgpe.exe
PID 4756 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\izeCgpe.exe
PID 4756 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\DByXinl.exe
PID 4756 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\DByXinl.exe
PID 4756 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ebjqwDF.exe
PID 4756 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ebjqwDF.exe
PID 4756 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\WazBPJn.exe
PID 4756 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\WazBPJn.exe
PID 4756 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\oLxkPnd.exe
PID 4756 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\oLxkPnd.exe
PID 4756 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\sAzXpix.exe
PID 4756 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\sAzXpix.exe
PID 4756 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\UaaUjka.exe
PID 4756 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\UaaUjka.exe
PID 4756 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\BcsswCh.exe
PID 4756 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\BcsswCh.exe
PID 4756 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ipqAwdl.exe
PID 4756 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ipqAwdl.exe
PID 4756 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\DoarYJb.exe
PID 4756 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\DoarYJb.exe
PID 4756 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\RpQphqo.exe
PID 4756 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\RpQphqo.exe
PID 4756 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\uVuUOTE.exe
PID 4756 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\uVuUOTE.exe
PID 4756 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\oJTGydi.exe
PID 4756 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\oJTGydi.exe
PID 4756 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\NwqkYXg.exe
PID 4756 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\NwqkYXg.exe
PID 4756 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\CkWoRJg.exe
PID 4756 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\CkWoRJg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\dnRlZrw.exe

C:\Windows\System\dnRlZrw.exe

C:\Windows\System\XHJaKzf.exe

C:\Windows\System\XHJaKzf.exe

C:\Windows\System\TLkwVsQ.exe

C:\Windows\System\TLkwVsQ.exe

C:\Windows\System\wStldGg.exe

C:\Windows\System\wStldGg.exe

C:\Windows\System\HSfFRvj.exe

C:\Windows\System\HSfFRvj.exe

C:\Windows\System\wfZrOet.exe

C:\Windows\System\wfZrOet.exe

C:\Windows\System\izeCgpe.exe

C:\Windows\System\izeCgpe.exe

C:\Windows\System\DByXinl.exe

C:\Windows\System\DByXinl.exe

C:\Windows\System\ebjqwDF.exe

C:\Windows\System\ebjqwDF.exe

C:\Windows\System\WazBPJn.exe

C:\Windows\System\WazBPJn.exe

C:\Windows\System\oLxkPnd.exe

C:\Windows\System\oLxkPnd.exe

C:\Windows\System\sAzXpix.exe

C:\Windows\System\sAzXpix.exe

C:\Windows\System\UaaUjka.exe

C:\Windows\System\UaaUjka.exe

C:\Windows\System\BcsswCh.exe

C:\Windows\System\BcsswCh.exe

C:\Windows\System\ipqAwdl.exe

C:\Windows\System\ipqAwdl.exe

C:\Windows\System\DoarYJb.exe

C:\Windows\System\DoarYJb.exe

C:\Windows\System\RpQphqo.exe

C:\Windows\System\RpQphqo.exe

C:\Windows\System\uVuUOTE.exe

C:\Windows\System\uVuUOTE.exe

C:\Windows\System\oJTGydi.exe

C:\Windows\System\oJTGydi.exe

C:\Windows\System\NwqkYXg.exe

C:\Windows\System\NwqkYXg.exe

C:\Windows\System\CkWoRJg.exe

C:\Windows\System\CkWoRJg.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
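The three tables above (dropped files, WriteProcessMemory pairs, network rows) are the parts of this run an analyst actually turns into indicators: the sample (PID 4756) writes twenty executables with seven-letter random names into C:\Windows\System, starts each one, and the run repeatedly connects to 3.120.209.58:8080 while the udp/53 rows are only reverse lookups (*.in-addr.arpa). The SeLockMemoryPrivilege request in the AdjustPrivilegeToken table fits the xmrig tag: XMRig asks for that privilege on Windows to back its scratchpad with large pages. The script below is an added example, not code from the sandbox or from this report; SAMPLE is a constructed subset of the rows on this page in the same column order, the seven-letter name pattern and the "reverse lookups are noise" rule are assumptions drawn from this report, and the minimum hit count for a C2 candidate is a chosen threshold.

```python
"""Turn the behavioral2 signature rows above into triage facts.

Added example; not code from the sandbox or from this report. SAMPLE is a
constructed subset of the "Drops file in Windows directory",
"Suspicious use of WriteProcessMemory" and "Network" rows on this page,
one row per line, with the same column order the page uses.
"""
import re
from collections import Counter

SAMPLE = r"""
File created C:\Windows\System\dnRlZrw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XHJaKzf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe N/A
PID 4756 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\dnRlZrw.exe
PID 4756 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\dnRlZrw.exe
PID 4756 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_28bedff95ea17494ccf9de6010f2c29b_cobalt-strike_cobaltstrike.exe C:\Windows\System\XHJaKzf.exe
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) \S+$")
WPM_RE = re.compile(r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
                    r"\S+ (?P<parent_img>\S+) (?P<child_img>\S+)$")
NET_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<dst>[\d.]+:\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")
# Assumption taken from this report: the dropper names its copies with seven
# ASCII letters plus .exe under C:\Windows\System.
RANDOM_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.I)


def parse_rows(text):
    """Split rows into (drops, writes, net); rows no regex recognises are skipped."""
    drops, writes, net = [], [], []
    for line in text.strip().splitlines():
        if m := DROP_RE.match(line):
            drops.append((m["path"], m["proc"]))
        elif m := WPM_RE.match(line):
            writes.append((int(m["parent"]), int(m["child"]), m["parent_img"], m["child_img"]))
        elif m := NET_RE.match(line):
            net.append((m["cc"], m["dst"], m["domain"], m["proto"]))
    return drops, writes, net


def process_tree(writes):
    """child PID -> (parent PID, child image). The sandbox logs two
    WriteProcessMemory rows per CreateProcess, so duplicates collapse here."""
    return {child: (parent, child_img) for parent, child, _, child_img in writes}


def suspicious_drops(drops):
    """Dropped paths that match the random-name pattern in the Windows directory."""
    return sorted({path for path, _ in drops if RANDOM_SYSTEM_EXE.match(path)})


def c2_candidates(net, min_hits=2):
    """Repeated non-DNS TCP endpoints. The udp/53 rows are reverse lookups
    (*.in-addr.arpa) and are treated as resolver noise, not as C2 (assumption)."""
    hits = Counter(dst for _, dst, _, proto in net if proto == "tcp" and not dst.endswith(":53"))
    return [(dst, n) for dst, n in hits.most_common() if n >= min_hits]


def triage(text):
    """One dict of indicators: dropped files, spawning PID, children, C2 candidates."""
    drops, writes, net = parse_rows(text)
    tree = process_tree(writes)
    roots = sorted({parent for parent, _ in tree.values()} - set(tree))
    return {
        "dropped": suspicious_drops(drops),
        "spawner_pids": roots,
        "children": {pid: img.rsplit("\\", 1)[-1] for pid, (_, img) in sorted(tree.items())},
        "c2_candidates": c2_candidates(net),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the full tables rather than the subset, the same functions return all twenty dropped paths, the single spawner PID 4756, and 3.120.209.58:8080 with six hits; everything the page shows on udp/53 is filtered out as reverse-DNS noise, which is the right default for a sandbox that resolves its own telemetry addresses but should be revisited if a run ever shows a forward (non-arpa) lookup.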

Files

memory/4756-0-0x00007FF7797E0000-0x00007FF779B34000-memory.dmp

memory/4756-1-0x0000024F99320000-0x0000024F99330000-memory.dmp

memory/4460-8-0x00007FF73C220000-0x00007FF73C574000-memory.dmp

C:\Windows\System\XHJaKzf.exe

MD5 0628374c349921c969043e8b725a574d
SHA1 d4d4b61d7abb11c25e423140f9a833a035819e3d
SHA256 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0
SHA512 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1

memory/2248-14-0x00007FF6E88D0000-0x00007FF6E8C24000-memory.dmp

C:\Windows\System\wStldGg.exe

MD5 0523b1215b09aeb53a27df33d43bc147
SHA1 c30b1ba0a4ce316af2395ac6f8447e001deb7aa3
SHA256 7df202b9d75ed742265db0aeb8e847776c199a50dc30074f6afed0125db03942
SHA512 614d56f58b3ddd50af5c8d8aaab9111109b1d271face2612416cff3f647c226240fbaef2c7a08a028b06056853e888929900da9e773d57c4dac70b2beea284ea

memory/1004-20-0x00007FF722170000-0x00007FF7224C4000-memory.dmp

memory/3952-26-0x00007FF655390000-0x00007FF6556E4000-memory.dmp

C:\Windows\System\HSfFRvj.exe

MD5 d29a5cc57d5e61885779dfcc4e06ca2d
SHA1 ac323a54d614a748f03a9195b4c6ea6e2a5b7070
SHA256 0743c3a3c9b22d5b54414a206a7f0e8c946844c16528032f92d1db0e91df8f93
SHA512 e237853ae19b1f197c0dd7a55264cc8aa0f89dbae54763853a4603b806573fde7fd74a0305250436cfa5b11496810013d3e3c5cfe1e657d1415c6c0de7bce7cb

C:\Windows\System\TLkwVsQ.exe

MD5 bcf8278dd59479dcaf448170233a37bf
SHA1 ffd08718de2e466fa06acc0253ded4b955a67ae1
SHA256 98cc4eeb79b8e1ba2e8110d390b14c334bdeb7285f2799c51d99f8bfc6ad78eb
SHA512 1449fdca2eccf1572e70770be6bf64452757a4e207191af6169b6dcd433cba59b93e0c761e0db0163ad0c3d974a237502537f93dfbe3d1bc86cc1cb1cb5ebf7d

memory/5016-32-0x00007FF7C90B0000-0x00007FF7C9404000-memory.dmp

memory/1376-37-0x00007FF768780000-0x00007FF768AD4000-memory.dmp

C:\Windows\System\DByXinl.exe

MD5 ec78f24d23fe3ec693910640185e96bf
SHA1 cc61bb06d0e17c8be1bd3bf875868605e47757f2
SHA256 92e7581493442f6570fafc209416fa4093e843623dd4ba75ac5248f225867af3
SHA512 fced22c82d4098cf97850ab55789b6cdae8a3de327d4f14e5c9a7e9a6801838acacabcf8c23c80918f8e6eea28a81f04d4f17970dc8d89f3154d6922d55cddb1

memory/2044-55-0x00007FF71C370000-0x00007FF71C6C4000-memory.dmp

C:\Windows\System\ebjqwDF.exe

MD5 f6cdfb3d88537b367792cbd894bd98ed
SHA1 3d3f99c94c72c456dffcf949bc5d30603a7e936c
SHA256 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86
SHA512 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

memory/3772-63-0x00007FF73DF60000-0x00007FF73E2B4000-memory.dmp

C:\Windows\System\oLxkPnd.exe

MD5 c1e64a671624c5dca27eb22a97449a5e
SHA1 2e55a3bfd80902791115abe810d5b9849f1ce1e1
SHA256 a0310c0ab56f5c0072075d57518c347b99f9a1ed2df56eeab853be300a95a727
SHA512 972bb5bc2a9227711563788cd082df44772b9dc371fab45210c4b728b4bc219408904d19b7f5d5011b21e463f572bcb8d24fa98e9304aa32bc72f6b526e08151

memory/4860-68-0x00007FF7FF0D0000-0x00007FF7FF424000-memory.dmp

C:\Windows\System\sAzXpix.exe

MD5 44f97595568890dea8bd6dced1430fd0
SHA1 4b3ccd0a16d253506041b510635c788991d5573c
SHA256 be141ca2cbdbb81b8fc69efff6694fd0bdcede7801c44651a6c7f48f5f35da65
SHA512 27357d80836bcf7f2e5d50ba780180ea0b5bbacb96c78130aeb98fe81f83018cae52a20d268858415c1db8670dd734afaee58dd57b45fbdc429eefea63689475

memory/2008-74-0x00007FF6DC490000-0x00007FF6DC7E4000-memory.dmp

C:\Windows\System\UaaUjka.exe

MD5 3d4646ab6e0b6587657a1c6026cec4cd
SHA1 a953342ecb1da36ff62c6ffeca6901e98d7569f9
SHA256 c4a186a22ffe7fae6a3301c829cfb9b851139e7f085b64d038ab38f37273d94e
SHA512 c916bee90d881fe5a84db03656cb9ce9776e0da1814addd1c7f392d8dcf7d45993d3e01628582d9e3a0a5ea6dc27412885019db0ebae582243932c6ec2920e31

memory/2524-81-0x00007FF73B2C0000-0x00007FF73B614000-memory.dmp

C:\Windows\System\BcsswCh.exe

MD5 8d115d9874da5a7f797182e772611178
SHA1 e51498cd39b104806fe3fd0117b77fd6562cbaf7
SHA256 71e62ad1381dfc8261cddbbbe9622c1229008e6f7ac326751d193a1dbcb0552b
SHA512 1ba12f8474debac5b71c36f485147819bfce6bd8ac5da6236e07ef2efac03173c3a61f2ff64910fc4d9d315e9217929089bd9c992ce93effe508f060e8c0b47f

memory/1428-86-0x00007FF7FDCC0000-0x00007FF7FE014000-memory.dmp

memory/3952-85-0x00007FF655390000-0x00007FF6556E4000-memory.dmp

C:\Windows\System\ipqAwdl.exe

MD5 911c678ccf54ed131df2754c013e2acd
SHA1 21be003a4afe500d90a9ed7e636e11ad1097a3c4
SHA256 3fff34e48ae6e543a51222bfd57abbe9adf78badd82e0566ae3c9b499c3c45be
SHA512 856be66b191d2d10f2f7a1cb561af884f69f30f76286616ca60688c963861faf2f6e793fa96ee0c7021c65e005025c4f937bb9f32369cdcbde503cfdf768d393

memory/1376-103-0x00007FF768780000-0x00007FF768AD4000-memory.dmp

C:\Windows\System\uVuUOTE.exe

MD5 c5c2140f0091288973f1cdf1a11f2ede
SHA1 72ac1ff688b6131c416a5238d0375c1ceaa4c961
SHA256 c984532ea4a94b3f4a6162b13c2eda322281ce167ec0aebabce0f9e1a85e40c6
SHA512 0a175980f7dc51a27b219bd32e2d3ac065cc78315e60a765d6695d6fe0eaadb178aa8f26414b86ef558f9fa28c0e3426c8d6a5cf03eba91be8886adb5b211994

C:\Windows\System\oJTGydi.exe

MD5 9d6406c2e6c74b926caa151156eb25b7
SHA1 74177e4438b1151d86fe1d236491aa5d2b9f70d3
SHA256 3d323ba6cc40770b392542e1cfcd1dd650a214b8bc6abf2e1ceb6a284e386d12
SHA512 3db14372b9193b8fe04365e68d8ab783191ab43182f1a20498480edceba7e3e488d0198dd8f4516944958b8d7920609f3f7f58a0694d3911ff2b367f7346d4f1

memory/3716-115-0x00007FF6D8FC0000-0x00007FF6D9314000-memory.dmp

memory/2044-123-0x00007FF71C370000-0x00007FF71C6C4000-memory.dmp

C:\Windows\System\NwqkYXg.exe

MD5 ec0a5f8b4cff0ec3e7f127026220b508
SHA1 0d3f24b57c7f7931128f216116ae007b4bcc62e3
SHA256 6824f3dc17183a0c47bf27c07abc473d2a123a8569a5622e8deb84c2f8cd8db8
SHA512 6b5a9b046282ca55e467cd696098bb42f6f8f9a15906221c04eae55be71a375d11616e73fea06118e720eb67a2fb0c4770f559a8d3d4c0f07bba022920ed7810

memory/2744-127-0x00007FF788900000-0x00007FF788C54000-memory.dmp

memory/4860-126-0x00007FF7FF0D0000-0x00007FF7FF424000-memory.dmp

C:\Windows\System\CkWoRJg.exe

MD5 302d3a64ad9f18c11ea02140e08820f0
SHA1 ead5011be35711ed177b1aa6b7b9e3868fc3cae5
SHA256 5e99dfd407afa02c8d2a45d18119edd2d43f8a0b29f3d435c2fd7495b370f96c
SHA512 49587875b93bb627f97c179b3fbab14a34bb7e73a0540aa8a026953354c2198563f160eb5ff49ddef345bcbdb1c6b8358c3b7cbe04fb35a794446c0978bc4fc1

memory/3116-134-0x00007FF6E43D0000-0x00007FF6E4724000-memory.dmp

memory/1164-125-0x00007FF659930000-0x00007FF659C84000-memory.dmp

memory/852-114-0x00007FF6C4C10000-0x00007FF6C4F64000-memory.dmp

memory/1896-109-0x00007FF690B70000-0x00007FF690EC4000-memory.dmp

memory/4608-107-0x00007FF6552A0000-0x00007FF6555F4000-memory.dmp

memory/4712-104-0x00007FF624030000-0x00007FF624384000-memory.dmp

C:\Windows\System\RpQphqo.exe

MD5 ad76e574c7bcf0a6146ee357dd9dd9ed
SHA1 4c7155a30db552e5984762dbb1fddd4b2469cd04
SHA256 3ca1c61196557dc2c9ebe63ae54a510591337a442b3759777061b47a215ded89
SHA512 925307a2ca610589fa8a1ed1fa445d0b7d1068f815258aca4342e6db90da04a92c258aabd755fb8ffd99dc918f86531ecece196524f38a6e864fd8b7fdf29694

C:\Windows\System\DoarYJb.exe

MD5 f67a3e507f56889720e7e527a38b2a8f
SHA1 b4cf23ecdd4d19ecd1a3911b4dd09c13563e04dd
SHA256 96fcec4feba9e496c31630bd7ce0350a76949f244593a88bf9de7882180397c8
SHA512 6cdf8e5994c3c25c18c6c4c14677f1bafbc8fe5f9441072505ff228549f72af8aa17adbc221a357524bab99979d3376f683acb44306abfd6f694ce49e04aef0d

memory/3480-96-0x00007FF6F8DB0000-0x00007FF6F9104000-memory.dmp

memory/4756-62-0x00007FF7797E0000-0x00007FF779B34000-memory.dmp

C:\Windows\System\WazBPJn.exe

MD5 b483cdbd5b900e97c145f2f5e0f43af4
SHA1 528c7dc9ac5f60c01173e41bd1c5a010f105f3cb
SHA256 955be391728df7b3ff8d612343d6e0e6bf4098ef972ee3584f6474429f915cf1
SHA512 56fc53e95cfcb6a9172cc274ba58376a68f32c542412405590238f9b2d22b058be805d97bd4aac67884048c8d435fb5e019ea7ef3b7251596b5574f430a1d754

memory/852-48-0x00007FF6C4C10000-0x00007FF6C4F64000-memory.dmp

C:\Windows\System\ebjqwDF.exe

MD5 829ed9d4a5dab5576799ce734bdd3ea3
SHA1 8ac6cf22fbcd928df66adf24115cfcb28c1227d3
SHA256 86a86e68a349916e73ad1f5d197d65f7af4938dfe692bd61659192fd32924b3c
SHA512 e453875e4749f717725907cb4fc7e3c389fc32abaa1b9a360ef827c0d66e054b3c796b8b9344d7e4b20be3af0f7de1a96acdd6d0e02aab9e9bbe358e63ce65fe

C:\Windows\System\izeCgpe.exe

MD5 ce0af25f5348d057170cacbd12b1ed7c
SHA1 9c1b28e6c193b912c377c43d104f20604b314ba8
SHA256 7049e53902bd90d0a2a687c343b0de76464c3a4216ca69187289bf61cbcf5296
SHA512 742574d5dfa571cebec0e2b6f12a6260f585fae010eff00f25492b58d5b66220c89db6feb00460ad45fe57f8fba9c7c2664111afb045c24856d53718bb829503

memory/1896-42-0x00007FF690B70000-0x00007FF690EC4000-memory.dmp

C:\Windows\System\wfZrOet.exe

MD5 3e04e5acfed836aa39da1d0968662074
SHA1 74dc1ef472adea18995b3ca9ad1dddac95a8ea0a
SHA256 82971320545cefe8e724688ae5d337f23be728fda5d9efc31bc91002334f1943
SHA512 186e67775ea16b1181eaa2b230caf031a338b77ee5372186a01ab6568444599388144444c2653e970c8004fefc9bd3c785565772601c23a496bcbe471567b497

C:\Windows\System\XHJaKzf.exe

MD5 3b03f7be7b6887faa7706fe8018cabd9
SHA1 343af3d37b52fa9a23b421b61b5ce0402fca1285
SHA256 f118b81fe3ad66de13141e673b235e42a9763c2f88897d7531b8a25755be3c2c
SHA512 a65de9a26736155bda84e084cf78ff406bdb7cd1489871861039560451217c9c9293032d68726d15abdb4ef60200ecf1d8c07b7dfa22314fd679c54dd73dc61a

C:\Windows\System\dnRlZrw.exe

MD5 ca47567a66febfa076b0394bb09dcb9f
SHA1 1662ac81609b31f4f52eb26add720764b6a6604d
SHA256 9d6db74539c98cb3c2c226be9c49141a5507e87fd738ab75676a90b93ce8ac6d
SHA512 c8f5f34568fe28314c176834fd075ca23dccb1be45121036087d80c667d30510fcf5515cb88298f777988ae20f4efa2a49ec9d05bbcc0b9f5633df6d4bbee811

memory/2008-135-0x00007FF6DC490000-0x00007FF6DC7E4000-memory.dmp

memory/1428-136-0x00007FF7FDCC0000-0x00007FF7FE014000-memory.dmp

memory/4608-137-0x00007FF6552A0000-0x00007FF6555F4000-memory.dmp

memory/3716-138-0x00007FF6D8FC0000-0x00007FF6D9314000-memory.dmp

memory/2744-139-0x00007FF788900000-0x00007FF788C54000-memory.dmp

memory/4460-140-0x00007FF73C220000-0x00007FF73C574000-memory.dmp

memory/2248-141-0x00007FF6E88D0000-0x00007FF6E8C24000-memory.dmp

memory/1004-142-0x00007FF722170000-0x00007FF7224C4000-memory.dmp

memory/3952-143-0x00007FF655390000-0x00007FF6556E4000-memory.dmp

memory/5016-144-0x00007FF7C90B0000-0x00007FF7C9404000-memory.dmp

memory/1376-145-0x00007FF768780000-0x00007FF768AD4000-memory.dmp

memory/852-147-0x00007FF6C4C10000-0x00007FF6C4F64000-memory.dmp

memory/2044-148-0x00007FF71C370000-0x00007FF71C6C4000-memory.dmp

memory/3772-149-0x00007FF73DF60000-0x00007FF73E2B4000-memory.dmp

memory/4860-150-0x00007FF7FF0D0000-0x00007FF7FF424000-memory.dmp

memory/1896-146-0x00007FF690B70000-0x00007FF690EC4000-memory.dmp

memory/2008-151-0x00007FF6DC490000-0x00007FF6DC7E4000-memory.dmp

memory/2524-152-0x00007FF73B2C0000-0x00007FF73B614000-memory.dmp

memory/1428-153-0x00007FF7FDCC0000-0x00007FF7FE014000-memory.dmp

memory/3480-154-0x00007FF6F8DB0000-0x00007FF6F9104000-memory.dmp

memory/4712-155-0x00007FF624030000-0x00007FF624384000-memory.dmp

memory/4608-156-0x00007FF6552A0000-0x00007FF6555F4000-memory.dmp

memory/3716-157-0x00007FF6D8FC0000-0x00007FF6D9314000-memory.dmp

memory/1164-158-0x00007FF659930000-0x00007FF659C84000-memory.dmp

memory/2744-159-0x00007FF788900000-0x00007FF788C54000-memory.dmp

memory/3116-160-0x00007FF6E43D0000-0x00007FF6E4724000-memory.dmp
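Two things in the Files listing above are easy to miss when reading it by eye. First, XHJaKzf.exe and ebjqwDF.exe each appear twice with different digests, so the dropper wrote those paths more than once with different content during the run, and an IOC list built from the first hash only would miss the second. Second, apart from the 0x10000-byte region at 4756-1, every memory dump on this page (in both behavioral runs) spans exactly 0x354000 bytes, which is consistent with every child being the same unpacked image as the parent, though the export does not prove that. The parser below is an added example, not the sandbox's code; LISTING is a constructed subset of the behavioral2 Files section in its original layout (the behavioral1 listing uses the same layout), and the 1 MiB cut-off that separates image regions from heap regions is an assumption.

```python
"""Parse a sandbox "Files" listing (memory dump names and dropped-file hash
blocks) into IOC records and region statistics.

Added example; not code from the sandbox or from this report. LISTING is a
constructed subset of the behavioral2 Files section above, same layout.
"""
import re
from collections import defaultdict

LISTING = r"""
memory/4756-0-0x00007FF7797E0000-0x00007FF779B34000-memory.dmp

memory/4756-1-0x0000024F99320000-0x0000024F99330000-memory.dmp

C:\Windows\System\XHJaKzf.exe

MD5 0628374c349921c969043e8b725a574d
SHA1 d4d4b61d7abb11c25e423140f9a833a035819e3d
SHA256 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0
SHA512 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1

memory/2248-14-0x00007FF6E88D0000-0x00007FF6E8C24000-memory.dmp

C:\Windows\System\XHJaKzf.exe

MD5 3b03f7be7b6887faa7706fe8018cabd9
SHA1 343af3d37b52fa9a23b421b61b5ce0402fca1285
SHA256 f118b81fe3ad66de13141e673b235e42a9763c2f88897d7531b8a25755be3c2c
SHA512 a65de9a26736155bda84e084cf78ff406bdb7cd1489871861039560451217c9c9293032d68726d15abdb4ef60200ecf1d8c07b7dfa22314fd679c54dd73dc61a

C:\Windows\System\dnRlZrw.exe

MD5 ca47567a66febfa076b0394bb09dcb9f
SHA1 1662ac81609b31f4f52eb26add720764b6a6604d
SHA256 9d6db74539c98cb3c2c226be9c49141a5507e87fd738ab75676a90b93ce8ac6d
SHA512 c8f5f34568fe28314c176834fd075ca23dccb1be45121036087d80c667d30510fcf5515cb88298f777988ae20f4efa2a49ec9d05bbcc0b9f5633df6d4bbee811

memory/4460-140-0x00007FF73C220000-0x00007FF73C574000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\\S+$")   # "C:\..." or "\Windows\..."
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_listing(text):
    """Return (regions, files). Each region is a dict with pid/idx/start/end/size;
    each file is a dict with path plus whichever digests followed it."""
    regions, files, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := MEM_RE.match(line):
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append({"pid": int(m["pid"]), "idx": int(m["idx"]),
                            "start": start, "end": end, "size": end - start})
            current = None
        elif m := HASH_RE.match(line):
            algo, digest = m.groups()
            if current is None:
                raise ValueError(f"digest without a preceding path: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has the wrong length: {line}")
            current[algo] = digest
        elif PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
        else:
            raise ValueError(f"unrecognised listing line: {line}")
    return regions, files


def rewritten_paths(files):
    """Paths that appear with more than one distinct SHA256 (file written more
    than once with different content during the run)."""
    seen = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            seen[f["path"]].add(f["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def image_region_sizes(regions, min_size=0x100000):
    """Group image-sized dump regions (>= min_size, an assumed 1 MiB cut-off that
    excludes heap-sized regions) by length -> sorted PIDs seen with that length."""
    sizes = defaultdict(set)
    for r in regions:
        if r["size"] >= min_size:
            sizes[r["size"]].add(r["pid"])
    return {hex(s): sorted(p) for s, p in sizes.items()}


def sha256_iocs(files):
    """Every distinct SHA256 in the listing, including the second copy of a rewritten path."""
    return sorted({f["SHA256"] for f in files if "SHA256" in f})


if __name__ == "__main__":
    regs, fls = parse_listing(LISTING)
    print("rewritten:", rewritten_paths(fls))
    print("region sizes:", image_region_sizes(regs))
    print("sha256 IOCs:", sha256_iocs(fls))
```

The digest-length check matters more than it looks: exported reports are sometimes truncated mid-hash, and a 63-character "SHA256" silently poisons a blocklist. When a path has two digests, block both; when the region-size map has a single key across all PIDs, that is the first thing to confirm by diffing two of the dumps before treating the children as one payload.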