Malware Analysis Report

2024-10-24 18:16

Sample ID 240606-pk183sea61
Target 2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike
SHA256 bb9c7de1b0445bf7a0b43451ab0d427e69d9a253d4182484313b3ec510c71e64
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: bb9c7de1b0445bf7a0b43451ab0d427e69d9a253d4182484313b3ec510c71e64
Threat Level: Known bad
File: 2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike

Malicious Activity Summary

Tags: miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX packed file
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-06 12:24

Signatures

Cobalt Strike reflective loader: matched (description, indicator, process and target not recorded)
Cobaltstrike family (tag: cobaltstrike)
Detects Reflective DLL injection artifacts: matched (no details recorded)
UPX dump on OEP (original entry point): matched (no details recorded)
XMRig Miner payload (tag: miner): matched (no details recorded)
Xmrig family (tag: xmrig)
UPX packed file (tag: upx): matched (no details recorded)
Unsigned PE: matched (no details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-06 12:24
Reported: 2024-06-06 12:26
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

21 matches; description, indicator, process and target not recorded (all N/A).

Cobaltstrike (tags: trojan backdoor cobaltstrike)

xmrig (tags: miner xmrig)

Detects Reflective DLL injection artifacts

21 matches; description, indicator, process and target not recorded (all N/A).

UPX dump on OEP (original entry point)

61 matches; description, indicator, process and target not recorded (all N/A).

XMRig Miner payload (tag: miner)

64 matches; description, indicator, process and target not recorded (all N/A).

Loads dropped DLL

21 events, all by process C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe; description, indicator and target not recorded (N/A).

UPX packed file (tag: upx)

62 matches; description, indicator, process and target not recorded (all N/A).

Drops file in Windows directory

21 "File created" events, all by C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe (target N/A). Every file lands in C:\Windows\System\ under a seven-letter mixed-case name:

HepQXTj.exe, CRjkjIS.exe, KGvWsOe.exe, LsxSEtF.exe, mDssAJN.exe, RvxlBVA.exe, inFbgmp.exe, vzTpaDk.exe, LMNOQiB.exe, UrBnkWf.exe, GGzJhKZ.exe, kCBWwpU.exe, UHgKPts.exe, JEaNyWs.exe, wHlFBFK.exe, WELneEo.exe, fvDQIfw.exe, NqUrUwU.exe, MOuVdvz.exe, YbiGkqn.exe, KrUZMZL.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege (2 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Source of every event: PID 1308, C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe (indicator N/A). Each target received three writes, 63 events in total.

Target PID Target image
2748 C:\Windows\System\RvxlBVA.exe
2972 C:\Windows\System\NqUrUwU.exe
2680 C:\Windows\System\MOuVdvz.exe
2152 C:\Windows\System\HepQXTj.exe
2584 C:\Windows\System\kCBWwpU.exe
2616 C:\Windows\System\inFbgmp.exe
2592 C:\Windows\System\CRjkjIS.exe
2424 C:\Windows\System\vzTpaDk.exe
2844 C:\Windows\System\KGvWsOe.exe
2864 C:\Windows\System\YbiGkqn.exe
572 C:\Windows\System\UHgKPts.exe
1400 C:\Windows\System\JEaNyWs.exe
1860 C:\Windows\System\KrUZMZL.exe
904 C:\Windows\System\wHlFBFK.exe
2632 C:\Windows\System\WELneEo.exe
2628 C:\Windows\System\fvDQIfw.exe
1036 C:\Windows\System\LsxSEtF.exe
1812 C:\Windows\System\mDssAJN.exe
1968 C:\Windows\System\LMNOQiB.exe
2376 C:\Windows\System\GGzJhKZ.exe
1996 C:\Windows\System\UrBnkWf.exe
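The two tables above are the behavioural core of the miner verdict: SeLockMemoryPrivilege is the privilege XMRig requests on Windows so it can allocate large pages for its RandomX memory, and the fan-out from one Temp-resident parent into 21 children under C:\Windows\System\, each with a random seven-letter name and three writes into it, is the dropper loop. The following Python is an added example, not tooling from the sandbox or from this report: it parses rows in the exact "PID A wrote to memory of B <indicator> <source> <target>" layout used here, rebuilds the parent/child tree with write counts, and flags children whose image fits the naming scheme when the parent runs from a user's Temp directory. The sample input is nine rows copied from the table (three children) plus one constructed row for PID 9999 / svchost.exe that is not in the report and only gives the check a negative case; the regexes are my own and assume the paths contain no spaces, which holds for every row on this page.

```python
import re
from collections import defaultdict

# Parent image exactly as it appears in the report.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe"

# Sample input: three children copied from the WriteProcessMemory table (the
# table repeats each pair three times) plus ONE constructed row (PID 9999,
# svchost.exe) that is NOT in the report and exists only as a negative case.
SAMPLE = "\n".join(
    [f"PID 1308 wrote to memory of {pid} N/A {PARENT} {img}"
     for pid, img in [(2748, r"C:\Windows\System\RvxlBVA.exe"),
                      (2972, r"C:\Windows\System\NqUrUwU.exe"),
                      (2680, r"C:\Windows\System\MOuVdvz.exe")]
     for _ in range(3)]
    + [f"PID 1308 wrote to memory of 9999 N/A {PARENT} " + r"C:\Windows\System32\svchost.exe"]
)

# "<description> <indicator> <source image> <target image>"; paths have no spaces.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")
# Every dropped file in this report: C:\Windows\System\ + seven letters + .exe
DROPPED_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")
# Parent executing out of a user's local Temp directory.
USER_TEMP_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_rows(text):
    """Turn report rows into event dicts; header and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, _indicator, src_img, dst_img = m.groups()
        events.append({"src": int(src), "dst": int(dst),
                       "src_img": src_img, "dst_img": dst_img})
    return events


def build_tree(events):
    """parent pid -> {child pid: {"image": path, "writes": count}}"""
    tree = defaultdict(dict)
    for e in events:
        child = tree[e["src"]].setdefault(e["dst"], {"image": e["dst_img"], "writes": 0})
        child["writes"] += 1
    return tree


def flag_dropper_children(events):
    """(parent, child, image) for children that fit the random-name scheme and
    whose parent runs from a user Temp directory. Keyed on the image path, not
    on the write count, so a single write would still be caught."""
    tree = build_tree(events)
    parent_img = {e["src"]: e["src_img"] for e in events}
    hits = []
    for parent, children in tree.items():
        if not USER_TEMP_RE.match(parent_img[parent]):
            continue
        for child, info in children.items():
            if DROPPED_RE.match(info["image"]):
                hits.append((parent, child, info["image"]))
    return sorted(hits)


if __name__ == "__main__":
    for parent, children in build_tree(parse_rows(SAMPLE)).items():
        print(f"PID {parent}")
        for pid, info in children.items():
            print(f"  PID {pid}  writes={info['writes']}  {info['image']}")
    print("flagged:", flag_dropper_children(parse_rows(SAMPLE)))
```

Run over the full table, the tree has one parent (1308) and 21 children, all of which the naming check flags; the constructed svchost.exe row is the only child it leaves alone. The same two regexes port directly to a process-creation rule (parent image in %LOCALAPPDATA%\Temp, child image matching the seven-letter pattern) for hunting on endpoints.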

Processes

PID 1308  C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe"

Children of PID 1308 (PIDs taken from the WriteProcessMemory events; each child's command line is its image path with no arguments):

  PID 2748  C:\Windows\System\RvxlBVA.exe
  PID 2972  C:\Windows\System\NqUrUwU.exe
  PID 2680  C:\Windows\System\MOuVdvz.exe
  PID 2152  C:\Windows\System\HepQXTj.exe
  PID 2584  C:\Windows\System\kCBWwpU.exe
  PID 2616  C:\Windows\System\inFbgmp.exe
  PID 2592  C:\Windows\System\CRjkjIS.exe
  PID 2424  C:\Windows\System\vzTpaDk.exe
  PID 2844  C:\Windows\System\KGvWsOe.exe
  PID 2864  C:\Windows\System\YbiGkqn.exe
  PID 572   C:\Windows\System\UHgKPts.exe
  PID 1400  C:\Windows\System\JEaNyWs.exe
  PID 1860  C:\Windows\System\KrUZMZL.exe
  PID 904   C:\Windows\System\wHlFBFK.exe
  PID 2632  C:\Windows\System\WELneEo.exe
  PID 2628  C:\Windows\System\fvDQIfw.exe
  PID 1036  C:\Windows\System\LsxSEtF.exe
  PID 1812  C:\Windows\System\mDssAJN.exe
  PID 1968  C:\Windows\System\LMNOQiB.exe
  PID 2376  C:\Windows\System\GGzJhKZ.exe
  PID 1996  C:\Windows\System\UrBnkWf.exe

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 (none) tcp 6

Files

memory/1308-0-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/1308-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\RvxlBVA.exe

MD5 06229b0d236776f1128473ea37ce0507
SHA1 e04265353869987bf4a200b5ad8c9c846688837d
SHA256 68ae45e45b4c7626afa3363564219e75480a0a713165585d0cd705cba30b7d1e
SHA512 2e63e7dd0c780aa5f2f11fe5b2613bd3ff7450a33b9bcf49b9d11d13a98a3bb2f70fd73480812cf03dce7ef8823d6e41a1c7c9de5471bef280bc6567984c44d9

C:\Windows\system\NqUrUwU.exe

MD5 c7b921deb5f875b3a71556de27026715
SHA1 affc54e2e3dc636281b9333c9701f8c486161bb3
SHA256 5a869082889aaa968953e5ea31f81fd71a73e29d1cbe476f9ecf35660beb54f2
SHA512 b13d7e9a1a9b517129b13f400ba72299ec785cee03c9cf28959b42e769bfb6cbe5fb9a0a861c96e874f1b43ffb25a57c9b5734a56e0204928690246ff38bf07e

memory/2972-15-0x000000013F310000-0x000000013F664000-memory.dmp

memory/1308-12-0x0000000002410000-0x0000000002764000-memory.dmp

memory/2748-9-0x000000013F4C0000-0x000000013F814000-memory.dmp

C:\Windows\system\MOuVdvz.exe

MD5 1c975139e8a26cb5054721b7b134a1f7
SHA1 ec082930915c5dc6b06fb5aa6e3043fb69d99e90
SHA256 276e0cd7bee13364020c993f6028e032a18da6984ebb3e242b1fb24fe5f0a03b
SHA512 a7c5f68bfa6ce557d949a7a559432b6fb6d83ca1a76049bb178d284d67419327c3e28a26e3aa6e8c739ef7318375cb6d0e9db71b8f6e9011caeab27a1f58164e

memory/2680-21-0x000000013F2D0000-0x000000013F624000-memory.dmp

C:\Windows\system\HepQXTj.exe

MD5 8326c0a131be56b3aff6a6ed84ffb5f5
SHA1 62caf9e9528ee5e9f12f484de6bc1af1338b1e27
SHA256 4e7a8a46130c6291ed3de52105492c26480a6854b107d0b33046ad014507cea2
SHA512 042561dfe1f440233775a251f4958df55ccf78532e32402bf5355769bfd4cfe78ca9b4c22a141683bdd7758fd8715b26435e3dd1838f677772a01112177d7347

memory/2152-28-0x000000013F4F0000-0x000000013F844000-memory.dmp

\Windows\system\kCBWwpU.exe

MD5 f1eea9b5233019cc3aff395b6ff5d06e
SHA1 f2307db7aca1187bf26bcecb0d54b43912249e1a
SHA256 2dda3a5f6df6dfe8a0cae4bd8ef2a3e99d3592dd91dc9e6b30583a75b88044ab
SHA512 56a877d3e56af800e2622dad78ad15b3415ebd78518a75e5a673d15e8dc48c43a6624ea079d13c6626c099343e5a035df292bcfc99e7b9db6fd2be74dd7b06e5

memory/1308-26-0x0000000002410000-0x0000000002764000-memory.dmp

memory/2584-33-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/1308-31-0x0000000002410000-0x0000000002764000-memory.dmp

\Windows\system\inFbgmp.exe

MD5 cabcfd37e6451c0bb59f2053d2e1941b
SHA1 03cba68d38b56dadb4925d6a1eef443c7d4c0408
SHA256 4f4062133d95b6bfabe9d7e39245fd3f1d60fbf6825f608db5271b4d674521d2
SHA512 d2b7e7b069a65aa88970665cdb971b59c8f3fda347d92fc12080f568b03e7af4db5eebf5a706d985d86c3e84d868731a66dfa02905e58b4719d4ab7377ee6afc

memory/1308-41-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/1308-49-0x000000013FEB0000-0x0000000140204000-memory.dmp

C:\Windows\system\vzTpaDk.exe

MD5 b30167770e826961b43601178a55d3b1
SHA1 f1f76a12e219dcc22d705c78b0ecf148425e602b
SHA256 0055ceefdaf6eab9d0776e1b2a1f818aa1687e0055fb392e2d0e83496ccf60da
SHA512 e4357603200f9daef98fe0cf3f5a97ea09766adc45bec330b54749f35c1de492155c3a612492d51d1a76cc09c325450e415d1398f25f8e7b4bf496c689a0ecaf

memory/2424-54-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/1308-46-0x0000000002410000-0x0000000002764000-memory.dmp

memory/2592-58-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/1308-57-0x0000000002410000-0x0000000002764000-memory.dmp

memory/2972-56-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2616-43-0x000000013F580000-0x000000013F8D4000-memory.dmp

\Windows\system\YbiGkqn.exe

MD5 816439705b8489e8bc1f477fb26034fb
SHA1 f89fbf25e3810b07548906aa3c10d66a74535ad5
SHA256 e54083a27e3a8aebc185c72bfa865c26d6d0b93ce761a1bc8d381bd4290f92fb
SHA512 9fe7d2df573330bb0a4d2a1d459ed0e8e83f57ce075c2633e30f4ad363f8a1ee7d1a85057642918ac2083489fa53cb2ad0a4b65b8496e49e1690356499730ab4

memory/2152-68-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2864-73-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2844-63-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/572-81-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/1400-88-0x000000013FC80000-0x000000013FFD4000-memory.dmp

\Windows\system\wHlFBFK.exe

MD5 10ffb69423ae21817c2c20c9336814fe
SHA1 1a9f856694368070367920bd5ceb5d101ab6d285
SHA256 f30db7d667e1769d01db4a5a745e0372a991460934c2b6b0d6def3cb7c30c40f
SHA512 a3d31d14864637cb712b494c94b86145f565f27ae6771fbe19913dbefab62378dd05b46ac98c9c44d1f56c78a3c797cf3ec87ee4e564e6a8cad4012405278e50

memory/904-103-0x000000013F550000-0x000000013F8A4000-memory.dmp

memory/1860-97-0x000000013FF70000-0x00000001402C4000-memory.dmp

C:\Windows\system\WELneEo.exe

MD5 5193db95e196ce8bda17bff1326b3c8e
SHA1 d8198b01d90702ade790c7f383dcbf625dfa6640
SHA256 4b7d6dfb28604c99a36549a63ed13e0e808404baee75994eb6609402ccbd729f
SHA512 8adffcf75c5b8323da50a99787aa639b8bc4c2323d36d39f932952fe99b6b9fb71fe46e324da439e24e20604bdb84ece109048287f7f691694b83ab0e968db34

C:\Windows\system\mDssAJN.exe

MD5 a01c755f3f4b69b6667e3c0dc5055e50
SHA1 c549ffedf62cc192b6e9423b06a4072c2de5ca84
SHA256 f763cc4b345ebf5e931a5e02e967cb007942a2584f799b82aa4cf0606e8225b3
SHA512 7a48b75dd74026a75d01c73df59e9ae7260ec00974693897d29158416b42b31bb9d97e9a5f9e1b22bc5702f71b04ee3171deb5b22ce3453dd6fd3186fb3a7efd

C:\Windows\system\GGzJhKZ.exe

MD5 4c88183d715b30dd333d3669d44d195e
SHA1 fc0c5d8ae140ca8f885a32c81ad70d2c4d51d7c5
SHA256 d8d77c6fbd675fde657ac5d05e96431009113aeffd0fe57858cfdb43aafdc336
SHA512 802cdaad23b445d0247170035bfa42eddbcc70ea8c028398b1cfa3512837845b2d6ead1359a647710ad490335c7d7b5ae29492d430220674d20436fe045cdd21

\Windows\system\UrBnkWf.exe

MD5 239cbf432d8696f152efcd89af8c43ad
SHA1 072a981fc05a7d536e8750ff5a2763ca440aa047
SHA256 e8e4227b2f4a1acaf6f4d7aab3e88c6f370b27f4aaec33201b4ae85d7d667260
SHA512 273dc56e614e9fca99ec9760567b856366e3e4cbaef99acb2f49d075b2d8a34e33e4b9bca524d310b681002ec4f733ec873931936571c49132a36a37589e8715

C:\Windows\system\LMNOQiB.exe

MD5 495d5811224315902966ae642e476603
SHA1 969102664dd68a9237a853b82e03489a536b162a
SHA256 e6ccd988871fae6aa97e7143f6241712f76199a630ce3767c646347dff3f0ae2
SHA512 56e97e4a911b9adacfa230bc0a2d46db634588ea3858515f30eb1f2afdaee5caf389d7cacd03500b1f75b1efbd8ca791646f40f8c7b8c9d6cabbf59df4ac1e98

memory/2864-143-0x000000013FEF0000-0x0000000140244000-memory.dmp

C:\Windows\system\LsxSEtF.exe

MD5 44d5f0eb5b817d0d2df7ffe944627afa
SHA1 1dbeba94f03fd2e6119f2d986c6fe41b75345adc
SHA256 f77af1474a989421bdfa647792299dedda4f34bbe497ae7a3583ab84e9351dc3
SHA512 7f9d254807f5e673a45222404c559e0b4c4023e1c1a3a0f5d5e0808988c9f36822ad4d0b1e7198729ff68bdcf0e143b6d0e1e12a741297d2e84a6bf14eac3623

C:\Windows\system\fvDQIfw.exe

MD5 40e704952f0553bd07bfa22f978dc0e9
SHA1 d64469822fc9c06541131f6daa0561179a68a46e
SHA256 7b154dcc4d07f09b9080d69b02a22d4e524d0914a1794008c4df663924c34ea9
SHA512 4d0a12d20eb3002368b1d8f0fbfd4ef7ea8caee04052cb48405c774a90076a8480eb4f8bcaef9c8473d9a9cabec129ebe0aa3a9a030a4eb463e19b7754bd2132

memory/1308-144-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/1308-109-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/1308-108-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2592-96-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/572-145-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

C:\Windows\system\KrUZMZL.exe

MD5 77df76f76ef89f00cb46dc864e6dcde6
SHA1 ddf2038810335d7483cda3e25fdd2b1ae17b23ed
SHA256 25944d0cef7d2a35a05c57eb544f6f608fc9a7e2dfd0227c1ef64e586186b773
SHA512 c029ecd6909a978f6ab82e84df56a72bd937cd323c145c259c61cc438386d69c4139efa40577a28f56b2b83d104f360976688678bd700aeadba4758176a0a83e

memory/1308-92-0x0000000002410000-0x0000000002764000-memory.dmp

memory/2844-102-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/1308-99-0x0000000002410000-0x0000000002764000-memory.dmp

C:\Windows\system\JEaNyWs.exe

MD5 85711d8a98a7cafff0825bfd2f2bc1ad
SHA1 c9fc045c0ad75b7b6a19d9b8f6302bcb0f2ba9ee
SHA256 ad3b44437d18a4f2580e050f7f0065bade0953c1d612deeae7b4bc5172767569
SHA512 89417bd07a65ec12ef0f8d6db2feedc7fc61fbf48d83d92e0372b481ab37359daa5844bac6e0965307d6e403758d98639878d87ef01e2c42c4e7b1c900c3a093

memory/1308-85-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/1308-80-0x000000013FEB0000-0x0000000140204000-memory.dmp

C:\Windows\system\UHgKPts.exe

MD5 c15636710041c3f44e6cf3bd9a416c20
SHA1 a49914e77fb68964b70c543aea8c0053a8e47ae5
SHA256 e9c48afc0f19ebb82029f94dcb4a09d01b236f0dd71261bbfdf92a70cb647314
SHA512 ee9473eaa308c1fad3c7dedcc41801686eb483d13088c11bdda459c91979aef73ad8572fe253a8faf55e26c8f4c02fb7359f0d89db3cc5438777fcd2ad733eb9

memory/1308-77-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2584-76-0x000000013F4F0000-0x000000013F844000-memory.dmp

C:\Windows\system\KGvWsOe.exe

MD5 23538e797b1ca6f6ab19b46f3ec9d54c
SHA1 326765f4f975382049bc20dd1ea42152b0b303cf
SHA256 21036ffa873838aaf879200ac31532f1c3513d2b45905ff0372e18b1c8c257a7
SHA512 0fec0e0619d5a1914861bfc81b5c33d18bea4b624be2e19629aa7f9158173888cc3337c0f26e77c568ece3d19c1d3f531012197933c67ac5e52bb97074038e35

memory/1308-60-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/1308-69-0x000000013FEF0000-0x0000000140244000-memory.dmp

\Windows\system\CRjkjIS.exe

MD5 90dfe84cc68813e8c7ae2e4272390afb
SHA1 57bde1920ae7edf6ded678618ee0e38d035bd74b
SHA256 ad8c85dbbb0f3af6bb36aba2dd5045145f9c9380336de8de24da8208abef9a36
SHA512 c7848690fe3ebd5b608452b0c661eb1d8f965e9c648e8d81ffe1ab17286c7f7c0d1c55c6c65c43d5e601851bf10eb4a037f91473a057fc17ad2060ec993f8366

memory/1308-53-0x0000000002410000-0x0000000002764000-memory.dmp

memory/1400-146-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/1308-147-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/1860-148-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/1308-149-0x0000000002410000-0x0000000002764000-memory.dmp

memory/904-150-0x000000013F550000-0x000000013F8A4000-memory.dmp

memory/1308-151-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2748-152-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/2972-153-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2680-154-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/2152-155-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2584-156-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2616-157-0x000000013F580000-0x000000013F8D4000-memory.dmp

memory/2424-158-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2844-159-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2592-160-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2864-161-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/572-162-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/1400-163-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/904-164-0x000000013F550000-0x000000013F8A4000-memory.dmp

memory/1860-165-0x000000013FF70000-0x00000001402C4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 12:24

Reported

2024-06-06 12:26

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 matches recorded; no indicator, process or target exported for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 matches recorded; no indicator, process or target exported for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 matches recorded; no indicator, process or target exported for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 matches recorded; no indicator, process or target exported for any of them)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 matches recorded; no indicator, process or target exported for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\zWaviHE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iDpPzkH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GuMsgei.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sazpSih.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bcUVhLC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dqmsEun.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pENoboS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bdjBoRP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CfkDCSl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Kdxygrt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\soawhvZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sLjlkTC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xEltcIq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gYhrQmq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wsHgFaf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xagCPGf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZAxAgac.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LiJaYUP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dMwAEXR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JLigfNb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NzaIuUy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4416 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\LiJaYUP.exe
PID 4416 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\LiJaYUP.exe
PID 4416 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\gYhrQmq.exe
PID 4416 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\gYhrQmq.exe
PID 4416 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\CfkDCSl.exe
PID 4416 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\CfkDCSl.exe
PID 4416 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\zWaviHE.exe
PID 4416 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\zWaviHE.exe
PID 4416 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\wsHgFaf.exe
PID 4416 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\wsHgFaf.exe
PID 4416 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\dMwAEXR.exe
PID 4416 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\dMwAEXR.exe
PID 4416 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\iDpPzkH.exe
PID 4416 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\iDpPzkH.exe
PID 4416 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\Kdxygrt.exe
PID 4416 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\Kdxygrt.exe
PID 4416 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\GuMsgei.exe
PID 4416 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\GuMsgei.exe
PID 4416 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\sazpSih.exe
PID 4416 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\sazpSih.exe
PID 4416 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\bcUVhLC.exe
PID 4416 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\bcUVhLC.exe
PID 4416 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLigfNb.exe
PID 4416 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLigfNb.exe
PID 4416 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\xagCPGf.exe
PID 4416 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\xagCPGf.exe
PID 4416 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\soawhvZ.exe
PID 4416 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\soawhvZ.exe
PID 4416 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZAxAgac.exe
PID 4416 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZAxAgac.exe
PID 4416 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\NzaIuUy.exe
PID 4416 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\NzaIuUy.exe
PID 4416 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\dqmsEun.exe
PID 4416 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\dqmsEun.exe
PID 4416 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\sLjlkTC.exe
PID 4416 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\sLjlkTC.exe
PID 4416 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\pENoboS.exe
PID 4416 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\pENoboS.exe
PID 4416 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\bdjBoRP.exe
PID 4416 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\bdjBoRP.exe
PID 4416 wrote to memory of 5616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\xEltcIq.exe
PID 4416 wrote to memory of 5616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe C:\Windows\System\xEltcIq.exe
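The two tables above are the whole launch chain of this detonation: PID 4416 (the submitted sample) drops 21 executables into C:\Windows\System and then writes into each child process exactly twice. The script below is an added example, not part of the sandbox report, that parses rows in that layout back into a process tree and checks which dropped files were actually launched. The parser assumes the whitespace-separated column order shown above (drop rows end in the dropper path and N/A; write rows carry parent PID, child PID, N/A, parent image, child image) and uses a constructed subset of the rows: three drops and the write rows for two of them. Comparison is case-folded because Windows paths are case-insensitive and the behavioral1 Files list spells the same directory as system rather than System. The SeLockMemoryPrivilege rows in the AdjustPrivilegeToken table fit the xmrig tag rather than the Cobalt Strike one: that privilege is what a process needs for large-page allocations, which XMRig requests for its RandomX dataset.

```python
import re
from collections import Counter, defaultdict

# Constructed input: rows copied from the two tables above, trimmed to three
# drops and the write rows for two of them. On the full table every one of
# the 21 dropped files receives a pair of writes from PID 4416.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe")

DROP_ROWS = [
    "File created C:\\Windows\\System\\zWaviHE.exe " + SAMPLE + " N/A",
    "File created C:\\Windows\\System\\LiJaYUP.exe " + SAMPLE + " N/A",
    "File created C:\\Windows\\System\\gYhrQmq.exe " + SAMPLE + " N/A",
]

WRITE_ROWS = [
    "PID 4416 wrote to memory of 1872 N/A " + SAMPLE + " C:\\Windows\\System\\LiJaYUP.exe",
    "PID 4416 wrote to memory of 1872 N/A " + SAMPLE + " C:\\Windows\\System\\LiJaYUP.exe",
    "PID 4416 wrote to memory of 3348 N/A " + SAMPLE + " C:\\Windows\\System\\gYhrQmq.exe",
    "PID 4416 wrote to memory of 3348 N/A " + SAMPLE + " C:\\Windows\\System\\gYhrQmq.exe",
]

# Assumed row layouts (no spaces inside paths in this report).
DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_drops(rows):
    """Map each dropped path (case-folded) to the image that created it."""
    drops = {}
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            drops[m.group(1).casefold()] = m.group(2)
    return drops


def build_process_tree(rows):
    """Return {parent_pid: {child_pid: child_image}} with repeated write
    rows collapsed; the sandbox logs every cross-process write separately."""
    tree = defaultdict(dict)
    for row in rows:
        m = WRITE_RE.match(row)
        if m:
            parent, child, _parent_image, child_image = m.groups()
            tree[int(parent)][int(child)] = child_image
    return dict(tree)


def write_counts(rows):
    """Count raw write rows per (parent_pid, child_pid) edge."""
    counts = Counter()
    for row in rows:
        m = WRITE_RE.match(row)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def correlate(drops, tree):
    """Split dropped paths into those seen launched (a process with that
    image received a write) and those the sandbox never saw start."""
    launched_images = {img.casefold() for kids in tree.values() for img in kids.values()}
    launched = sorted(p for p in drops if p in launched_images)
    not_launched = sorted(p for p in drops if p not in launched_images)
    return launched, not_launched


if __name__ == "__main__":
    drops = parse_drops(DROP_ROWS)
    tree = build_process_tree(WRITE_ROWS)
    counts = write_counts(WRITE_ROWS)
    for parent, kids in tree.items():
        print(f"parent {parent}:")
        for child, image in sorted(kids.items()):
            print(f"  -> {child} {image} ({counts[(parent, child)]} writes)")
    launched, missing = correlate(drops, tree)
    print("launched:", launched)
    print("dropped but never launched:", missing)
```

On the full behavioral2 tables the not-launched list is empty; on a run where it is not, the files in it are the ones worth a closer static look, since the sandbox gives you no behaviour for them.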

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-06_053b48eff2137a640705cbc2da392b97_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\LiJaYUP.exe C:\Windows\System\LiJaYUP.exe
C:\Windows\System\gYhrQmq.exe C:\Windows\System\gYhrQmq.exe
C:\Windows\System\CfkDCSl.exe C:\Windows\System\CfkDCSl.exe
C:\Windows\System\zWaviHE.exe C:\Windows\System\zWaviHE.exe
C:\Windows\System\wsHgFaf.exe C:\Windows\System\wsHgFaf.exe
C:\Windows\System\dMwAEXR.exe C:\Windows\System\dMwAEXR.exe
C:\Windows\System\iDpPzkH.exe C:\Windows\System\iDpPzkH.exe
C:\Windows\System\Kdxygrt.exe C:\Windows\System\Kdxygrt.exe
C:\Windows\System\GuMsgei.exe C:\Windows\System\GuMsgei.exe
C:\Windows\System\sazpSih.exe C:\Windows\System\sazpSih.exe
C:\Windows\System\bcUVhLC.exe C:\Windows\System\bcUVhLC.exe
C:\Windows\System\JLigfNb.exe C:\Windows\System\JLigfNb.exe
C:\Windows\System\xagCPGf.exe C:\Windows\System\xagCPGf.exe
C:\Windows\System\soawhvZ.exe C:\Windows\System\soawhvZ.exe
C:\Windows\System\ZAxAgac.exe C:\Windows\System\ZAxAgac.exe
C:\Windows\System\NzaIuUy.exe C:\Windows\System\NzaIuUy.exe
C:\Windows\System\dqmsEun.exe C:\Windows\System\dqmsEun.exe
C:\Windows\System\sLjlkTC.exe C:\Windows\System\sLjlkTC.exe
C:\Windows\System\pENoboS.exe C:\Windows\System\pENoboS.exe
C:\Windows\System\bdjBoRP.exe C:\Windows\System\bdjBoRP.exe
C:\Windows\System\xEltcIq.exe C:\Windows\System\xEltcIq.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp
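Two things in the Network table are easy to misread. The udp rows are reverse (PTR) lookups sent to 8.8.8.8, and the in-addr.arpa name has to be reversed to get the address the guest was asking about; those addresses sit in ranges typically used by Windows' own update and telemetry endpoints, so confirm they are not sandbox background noise before listing them as indicators of this sample. The only direct connection is the tcp row to 3.120.209.58:8080, repeated six times, and the country column reflects where that cloud address is hosted, not where the operator is. The script below is an added example, not part of the report, that parses the table (assumed layout: country, destination, optional domain, protocol), turns the PTR names back into addresses and counts the direct destinations. The rows are the ones above, embedded as constructed input.

```python
import ipaddress
from collections import Counter

# Constructed input: the rows of the Network table above, embedded verbatim.
NETWORK_ROWS = """
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ipv4(name):
    """Turn a PTR name such as 154.239.44.20.in-addr.arpa back into the
    address 20.44.239.154; return None for anything that is not one."""
    if not name.endswith(PTR_SUFFIX):
        return None
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def parse_network(text):
    """Return (country, dest_ip, dest_port, domain_or_None, proto) per row.
    DNS rows carry four fields; bare connections carry three (assumed layout)."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # skip anything that is not a data row
        ip, _, port = dest.rpartition(":")
        rows.append((country, ip, int(port), domain, proto))
    return rows


def summarize(rows):
    """Split resolver traffic from direct connections. Direct connections
    are counted per (country, ip, port, proto); PTR queries are returned as
    the addresses they asked about, in table order."""
    direct = Counter()
    looked_up = []
    for country, ip, port, domain, proto in rows:
        if domain is None:
            direct[(country, ip, port, proto)] += 1
        else:
            addr = ptr_to_ipv4(domain)
            looked_up.append(addr if addr else domain)
    return direct, looked_up


if __name__ == "__main__":
    rows = parse_network(NETWORK_ROWS)
    direct, looked_up = summarize(rows)
    for key, n in direct.most_common():
        print("direct:", key, "x", n)
    print("addresses the guest reverse-resolved:", looked_up)
```

The direct-connection counter is the list to pivot on in proxy and firewall logs; the reverse-resolved addresses go into the background-noise check first.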

Files

memory/4416-0-0x00007FF76AD30000-0x00007FF76B084000-memory.dmp

memory/4416-1-0x000001FC71080000-0x000001FC71090000-memory.dmp

C:\Windows\System\LiJaYUP.exe

MD5 03e9eeb2db7e92a93b18655735c824d2
SHA1 c250248a83b1a0527a3fc435e32a9b543b20377a
SHA256 daf0ffd8a452d3d7eabfe3e2fb810766b520214b47411a9268bb5d08a0f676a6
SHA512 b101ef39921131e8bbb89a6a00aa38fa421fceb3306af21a900e431b1f234a7dea43ac616425145c23e5264570539b8a5f7781f8048db38c0645331a27fbfa16

C:\Windows\System\CfkDCSl.exe

MD5 922f23a8056c93378053baeed6f72029
SHA1 934e9d344970f163b17c2db6abc3e3d4d2207477
SHA256 99ee2a62716bccde5eb8803c9a26239837b0bb01fa12baeaf7c3fa994ab80f18
SHA512 533dcf722cc747af25b3361a8d63cb39242a5053198867d56d9f31a2a2b8366bd1bc76f6dfc8fb81ed7f7a5a25011b307565af4de016f4b0f453c3dc519fd94a

C:\Windows\System\gYhrQmq.exe

MD5 c4fcd3b44c54e17a81fd01047e4407ff
SHA1 c85b74c81821d5054dabad4ebefd0409f7b814d5
SHA256 01e0fa868a9db42aff71fd12cb58a3f0751b54ffa6712a96c24c3dc2aee32aa0
SHA512 d22f2d118c03ff5d54863b764e5ae7ad429cda40579992ff7f9be02ffb7e1ee54bf0db56713072f4db1ca6b78ce4d1342498821fa5b95b0aff9b910705477c14

C:\Windows\System\zWaviHE.exe

MD5 6693ab9c267e8897ec806852e7c6ab9f
SHA1 9869969d594dcf150bdc30d094f7c70fd9813e99
SHA256 25f407209af9c2b4d76fc1faedb22523080df8ca939f17577ddfb742df04d14a
SHA512 2f9359a395da0a7006acdda5132770be837323464b04c6f39fcc77a745f822f227a84bd0f28537b2d405d6335e32a10415dd8e73dded732893d52953ef26cc34

C:\Windows\System\wsHgFaf.exe

MD5 ac7be8545839c5638458b6a021cb057a
SHA1 185d93e386b78b7cdae3f3aaa0c7d4661164df0f
SHA256 bde422488e2a4d1e1df65e01ba9d82b3eb9e2a0508a2d04d65415295fcff273c
SHA512 86f8bb2ae9ca3fa7b316d3ab34e853c9b4afedf9cc0a25f4efee825bac14747e01c96686435b817011db6e33604d93b5b3de29559d3b47529397dbfbaac03596

C:\Windows\System\iDpPzkH.exe

MD5 4d4486ec79b44f2555acafdfd40589ab
SHA1 352000db992706314affdbaf4deff311c60e007f
SHA256 fdd5530c97bc8bd6c0181cce2cd6a1b3bb41f02e2dfed82b951b19bdd82ddf5a
SHA512 8da6f3b59ff7d4827ef33ae98be1aa4f1aa3e113a0e54af60a9c3ebf983206edcc734ebe228bb08e6f24057cb5530a81800b74be12ac74d4147436670c956bff

C:\Windows\System\Kdxygrt.exe

MD5 ab8bb56d005bd6c9d9b3d157e95594ef
SHA1 fd8e747a3e65e0864c7056ce1c7ba06005a64740
SHA256 5f3fa227beb219438fb7f97c62d26dd147d6292b0b5ac82d489e69bd74f1c286
SHA512 a42fe7c2e832df5c06eb039e37dda6e1df91a1064eb064662ed2f7f3e592e184c666a952c3010f77fef8b2691af2980138577327e3f2ea4a11eb534a76d17388

C:\Windows\System\JLigfNb.exe

MD5 d288620f7ede0474cf8ee7732006e6bd
SHA1 014031e2335e672116623060671fa775a9f75e75
SHA256 a781cd0857228094728f812c3e3886680265bd3a1a123c1e617242be9cb57137
SHA512 8c1291d33e32061fef89a8238feb7d1b14223676efde95c2146ee39343755d8afc1102a48ba4f660264d821fdda866c6af40391901ec865e41c40da5a6c0a35e

memory/4948-71-0x00007FF702200000-0x00007FF702554000-memory.dmp

memory/4488-72-0x00007FF776730000-0x00007FF776A84000-memory.dmp

C:\Windows\System\bcUVhLC.exe

MD5 38fbdeda41bc6e8f148bb47353f97140
SHA1 498d4ee383a0b548a6e18bc04f2cf6ee369e3794
SHA256 ff0fa1eb047e7e3df3d7cb7babec33b24d6d2c7449da1d30c81c327c015d84e1
SHA512 3db6e033eb0c45cdb7db4556a2bf894c2a383487b33b3ca81c1ca0c7cead84e7febfdeff98bc8337cccd3d512b6c46de88e18f8c58f007b27f3e7f7e8f8f8375

memory/4124-68-0x00007FF7BD9C0000-0x00007FF7BDD14000-memory.dmp

C:\Windows\System\sazpSih.exe

MD5 47fdc553f160ad2c7368e630f224e22d
SHA1 b3e6d156322a1b549a57a37dd0f374974bd4fa17
SHA256 24cb971c788d83997a96520c2f10886c62db39c2431747593e79a25b7cf89c43
SHA512 b246ec79c091f8ec1867880dfd8731414639ae63014079f0462b3b2957eac230ec4c8e34cc9b40a70e60d4d635a7e661ccb1b87c623bbb4bfdf4ede5c24a9d2b

memory/4348-63-0x00007FF773E20000-0x00007FF774174000-memory.dmp

memory/2604-60-0x00007FF715340000-0x00007FF715694000-memory.dmp

C:\Windows\System\GuMsgei.exe

MD5 a9919128e1e5ceb04b078efb19cb6261
SHA1 8a119e29a8311298eb21ee5d277438861f4efa6e
SHA256 509e027a41b3ae2cbb9ba8b9c1a9125312b87721e1c11b72aaf7d6820c26ea75
SHA512 15c45c30943b83c5201982da35118cf7d5773f03c7a3dbf98edd3f58023b9cf9053349ded6a2259dc75be6553e55b28f0e5caab4171d1285971c2723dbeda446

memory/3628-48-0x00007FF6F3D20000-0x00007FF6F4074000-memory.dmp

C:\Windows\System\dMwAEXR.exe

MD5 1c041147627f82ea041d11ee4e5e0090
SHA1 9f6600178e939ba170837406cecefd81adbc1fe7
SHA256 5fe22829b792e3a09ddffe262fd3ddc3cb52c7627e8f81f1443bf722edad77bf
SHA512 29222fe65f85fd18a608b7332b8308e173b2405be0439c5fd47c2b3c220a643167c34919528aac2e44a0b3b68552eee3341bd6d331c570e4f496cd1d27506309

memory/800-41-0x00007FF767C20000-0x00007FF767F74000-memory.dmp

memory/3412-36-0x00007FF685B00000-0x00007FF685E54000-memory.dmp

memory/1544-29-0x00007FF747A00000-0x00007FF747D54000-memory.dmp

memory/2728-23-0x00007FF60E790000-0x00007FF60EAE4000-memory.dmp

memory/3348-17-0x00007FF6ED9E0000-0x00007FF6EDD34000-memory.dmp

memory/1872-10-0x00007FF7F5AD0000-0x00007FF7F5E24000-memory.dmp

C:\Windows\System\xagCPGf.exe

MD5 098cf18f10fa99d0cdb927c192c7c7a7
SHA1 231a5379468ce2af09891ef94868029f3e19d270
SHA256 0afb13fabf495808c9cd6d06c549f965763496c0c8a447ec308b0b723e78bb2c
SHA512 b2a6adbd2d18ffee249b06cc098f5c1506ff3e83ad1b0cbfc5f0621d2fb65367eb72e35f82822c72a4af140c53b01ed8ee81446fe7f3f75143be2026c9f281bb

memory/5076-81-0x00007FF7A7170000-0x00007FF7A74C4000-memory.dmp

memory/1872-80-0x00007FF7F5AD0000-0x00007FF7F5E24000-memory.dmp

memory/4416-79-0x00007FF76AD30000-0x00007FF76B084000-memory.dmp

C:\Windows\System\soawhvZ.exe

MD5 a28cc8b397b2f463aba37ef8dcc88b68
SHA1 ba53f64b21df672b00f0b3287b69527cfc6a33bb
SHA256 8e6dea650c8e380ceb33bb3a4e564f0db1cabee1bd4aae582a1700592832315e
SHA512 21c132ba44632dd09f35003611a6b3d889e6436792291cc50ef2cd551d7c1b9cf501b0c3d4443ae150703c2d6b680665a4db805e642786a95ffa493f28b4d884

memory/3348-87-0x00007FF6ED9E0000-0x00007FF6EDD34000-memory.dmp

memory/4520-91-0x00007FF7503A0000-0x00007FF7506F4000-memory.dmp

C:\Windows\System\ZAxAgac.exe

MD5 c8c536aca406b66b1a491ae037ba0388
SHA1 55f964b6b9a95a238997773ad3b0f46eeb7f7ee3
SHA256 4a7bb2502660752ae342331aefe2051a0bf14603371da4ff5ce97570d168fbff
SHA512 59475e76eb17c223d57c40af871ced330b0da6a5b1f0dc52438cbf745c379123c8bfb6d0ca8cfc7bf102ed193f3f3c8f74bd8c01ea35e69013aeee1869000314

memory/3164-96-0x00007FF6EB4F0000-0x00007FF6EB844000-memory.dmp

memory/2728-95-0x00007FF60E790000-0x00007FF60EAE4000-memory.dmp

C:\Windows\System\NzaIuUy.exe

MD5 95993f3c4a0fcd7490ecaaaf8fb23bee
SHA1 4188d6d70e53a31de26873de5217d0df2e2237d9
SHA256 28cce7cf3aa6df52cabf097915518809d98bcf2b4b988b2700fc57552c711f77
SHA512 152e388e4cda717783c1ced25b3712f804496e8950b515786960505269d2717d2cb6b0a654429650ee1cedb6c678f9dc7756db93a35e0e109b6a53bc1b964e09

memory/4884-103-0x00007FF778260000-0x00007FF7785B4000-memory.dmp

memory/1544-102-0x00007FF747A00000-0x00007FF747D54000-memory.dmp

C:\Windows\System\dqmsEun.exe

MD5 98ecb921b856bffbc609e0f2fa960533
SHA1 5a1f19ccc17f7177d48328a83177b098cd71cad9
SHA256 466ed0e356dbb206755c181a9dc872e1e350343c2762e37b2197ada86f677579
SHA512 2395b26bee5b9b5c0c007102df020af7c1fb57a4109ea295dc006040cecc4c19266a4c4c7af464d945853818e64588cb4ba44922ad5f04b93b37392120797b8a

memory/3412-111-0x00007FF685B00000-0x00007FF685E54000-memory.dmp

C:\Windows\System\sLjlkTC.exe

MD5 5f106b104bc3ed0a131f5a45898c8fda
SHA1 d98f541b80a9533621c6ff505fb23e9957181c1e
SHA256 6d6c98fcfbe7319d681fe1790ba0ebb5bfe9df1b05b8daf5e09bc00cdd7b1150
SHA512 90a2d6c510ad76637c01cfe9fed2f766ee2bd98e72c7e50d97c7fcb0f5e31e5ac31c78162a7a7a21c3382af193755e64aaa9ab633d7aa597cf81ec7c0652f42a

C:\Windows\System\pENoboS.exe

MD5 c8ba638f4d77a3218eaa06148c5a2d9e
SHA1 ac600f58459598992ac353cbe90a4a8200889816
SHA256 3337a4ea35dd10d421ff977d2b2b312c16743598e76a18816c01d980855d9795
SHA512 6363404899292c206cf42148033997fdeee74d065f436615109a5f9c4a8cf0b31744e3bd3f74b446af964d5ef11619a236e27d2f6e3a4bf1bbcf811f8f9a0e49

C:\Windows\System\bdjBoRP.exe

MD5 f9456adafd8d3b5f0dd53c2fcbeea13d
SHA1 22c875e40b2fd39bc5d67d36730982e3301a83d3
SHA256 486d8b4373c021f9ca23e5248fdea6d02e08fbe90c68163df266ab26c2e4d0ed
SHA512 a8c544f6c89ce4a5d2481bd1eb3e46d0fb09850d8568ca776c34b535f4df15d2e0f6c5ab263bbefe38cb8e27373bac31b7e0e438347b6588bc81e44de5e52495

memory/800-128-0x00007FF767C20000-0x00007FF767F74000-memory.dmp

memory/5000-131-0x00007FF67A120000-0x00007FF67A474000-memory.dmp

C:\Windows\System\xEltcIq.exe

MD5 5695d0b9e72163defa7b6454ffd1e954
SHA1 5432d5de989d117571c4f69952f4874883af1de5
SHA256 4fc6a15818cec6e9d5342fc38bd8bac291af16136851760b8d4bab1e2c78a49c
SHA512 470ca09f7a44d815f991bf43dac9138b4fa26f3b99e8fe4961f99575a568519d2a957d33bcd30c44deaf4fc12fc9b2df0d81944d0f456e50b3ba2a066291a0e6

memory/5616-132-0x00007FF7E20F0000-0x00007FF7E2444000-memory.dmp

memory/2660-130-0x00007FF771740000-0x00007FF771A94000-memory.dmp

memory/3628-129-0x00007FF6F3D20000-0x00007FF6F4074000-memory.dmp

memory/4860-118-0x00007FF69C4F0000-0x00007FF69C844000-memory.dmp

memory/3532-112-0x00007FF7AA7F0000-0x00007FF7AAB44000-memory.dmp

memory/4348-136-0x00007FF773E20000-0x00007FF774174000-memory.dmp

memory/4948-137-0x00007FF702200000-0x00007FF702554000-memory.dmp

memory/5076-138-0x00007FF7A7170000-0x00007FF7A74C4000-memory.dmp

memory/4520-139-0x00007FF7503A0000-0x00007FF7506F4000-memory.dmp

memory/5000-140-0x00007FF67A120000-0x00007FF67A474000-memory.dmp

memory/5616-141-0x00007FF7E20F0000-0x00007FF7E2444000-memory.dmp

memory/1872-142-0x00007FF7F5AD0000-0x00007FF7F5E24000-memory.dmp

memory/3348-143-0x00007FF6ED9E0000-0x00007FF6EDD34000-memory.dmp

memory/2728-144-0x00007FF60E790000-0x00007FF60EAE4000-memory.dmp

memory/1544-145-0x00007FF747A00000-0x00007FF747D54000-memory.dmp

memory/3412-146-0x00007FF685B00000-0x00007FF685E54000-memory.dmp

memory/800-147-0x00007FF767C20000-0x00007FF767F74000-memory.dmp

memory/2604-149-0x00007FF715340000-0x00007FF715694000-memory.dmp

memory/3628-148-0x00007FF6F3D20000-0x00007FF6F4074000-memory.dmp

memory/4488-152-0x00007FF776730000-0x00007FF776A84000-memory.dmp

memory/4124-151-0x00007FF7BD9C0000-0x00007FF7BDD14000-memory.dmp

memory/4948-150-0x00007FF702200000-0x00007FF702554000-memory.dmp

memory/4348-153-0x00007FF773E20000-0x00007FF774174000-memory.dmp

memory/5076-154-0x00007FF7A7170000-0x00007FF7A74C4000-memory.dmp

memory/4520-155-0x00007FF7503A0000-0x00007FF7506F4000-memory.dmp

memory/3164-156-0x00007FF6EB4F0000-0x00007FF6EB844000-memory.dmp

memory/4884-157-0x00007FF778260000-0x00007FF7785B4000-memory.dmp

memory/3532-158-0x00007FF7AA7F0000-0x00007FF7AAB44000-memory.dmp

memory/4860-160-0x00007FF69C4F0000-0x00007FF69C844000-memory.dmp

memory/2660-159-0x00007FF771740000-0x00007FF771A94000-memory.dmp

memory/5000-161-0x00007FF67A120000-0x00007FF67A474000-memory.dmp

memory/5616-162-0x00007FF7E20F0000-0x00007FF7E2444000-memory.dmp
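The Files section mixes two kinds of artifact: hash blocks for each dropped executable, and memory dump names of the form memory/PID-SEQ-START-END-memory.dmp. Read as data rather than as a list, the dump names say something the report never states outright: every executable region dumped here, for PID 4416 and for all 21 children, spans 0x354000 bytes, and the same (pid, start, end) triple appears repeatedly because the sandbox dumped it at several points. The script below is an added example, not part of the report, that parses both artifact kinds from a constructed excerpt of the section above (two real hash blocks, four real dump names, plus one deliberately truncated hash block labelled as constructed), validates digest lengths, groups dumped regions by size and collapses repeats. Paths without a drive letter, as in the behavioral1 list, are accepted too.

```python
import re
from collections import defaultdict

# Constructed input: lines copied verbatim from the Files section above, plus
# one invented record with a truncated MD5 to exercise the length check.
FILES_TEXT = r"""
memory/4416-0-0x00007FF76AD30000-0x00007FF76B084000-memory.dmp

memory/4416-1-0x000001FC71080000-0x000001FC71090000-memory.dmp

C:\Windows\System\LiJaYUP.exe

MD5 03e9eeb2db7e92a93b18655735c824d2
SHA1 c250248a83b1a0527a3fc435e32a9b543b20377a
SHA256 daf0ffd8a452d3d7eabfe3e2fb810766b520214b47411a9268bb5d08a0f676a6
SHA512 b101ef39921131e8bbb89a6a00aa38fa421fceb3306af21a900e431b1f234a7dea43ac616425145c23e5264570539b8a5f7781f8048db38c0645331a27fbfa16

memory/1872-10-0x00007FF7F5AD0000-0x00007FF7F5E24000-memory.dmp

C:\Windows\System\CfkDCSl.exe

MD5 922f23a8056c93378053baeed6f72029
SHA1 934e9d344970f163b17c2db6abc3e3d4d2207477
SHA256 99ee2a62716bccde5eb8803c9a26239837b0bb01fa12baeaf7c3fa994ab80f18
SHA512 533dcf722cc747af25b3361a8d63cb39242a5053198867d56d9f31a2a2b8366bd1bc76f6dfc8fb81ed7f7a5a25011b307565af4de016f4b0f453c3dc519fd94a

memory/1872-80-0x00007FF7F5AD0000-0x00007FF7F5E24000-memory.dmp

\Windows\System\constructed-truncated.exe

MD5 deadbeef
"""

# Assumed artifact layouts for this report format.
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\\S+")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Return (records, dumps): records are dicts with path and lower-case
    digests; dumps are dicts with pid, seq, start, end (ints)."""
    records, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            records.append(current)
    return records, dumps


def validate_hashes(records):
    """Return (path, algorithm, hex_length) for every digest whose length is
    wrong for its algorithm; in practice that means a copy/paste truncation."""
    problems = []
    for rec in records:
        for algo, want in HASH_HEX_LEN.items():
            value = rec.get(algo.lower())
            if value is not None and len(value) != want:
                problems.append((rec["path"], algo, len(value)))
    return problems


def region_sizes(dumps):
    """Group dumped regions by size in bytes: {size: {pids}}."""
    by_size = defaultdict(set)
    for d in dumps:
        by_size[d["end"] - d["start"]].add(d["pid"])
    return dict(by_size)


def unique_regions(dumps):
    """Collapse repeated dumps of the same (pid, start, end) to one entry."""
    return sorted({(d["pid"], d["start"], d["end"]) for d in dumps})


if __name__ == "__main__":
    records, dumps = parse_files(FILES_TEXT)
    for rec in records:
        print(rec["path"], rec.get("sha256", "(no sha256)"))
    print("bad digests:", validate_hashes(records))
    for size, pids in sorted(region_sizes(dumps).items()):
        print(f"region size 0x{size:x}: pids {sorted(pids)}")
    print("unique regions:", len(unique_regions(dumps)), "of", len(dumps), "dumps")
```

Running it over the full section gives one 0x354000 region per process and a single 0x10000 region for PID 4416; identical image sizes across 22 processes is the kind of fact that justifies diffing two of the dumps before spending time on all of them.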