Malware Analysis Report

2024-10-24 18:15

Sample ID 240606-qrqllaff69
Target 2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike
SHA256 92ff9883488ebb5eaeb4acd8f90214547790e6a76dfd0c82ec676cc332271b62
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

92ff9883488ebb5eaeb4acd8f90214547790e6a76dfd0c82ec676cc332271b62

Threat Level: Known bad

The file 2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike was found to be: Known bad.

Summary of what the report below records: in the behavioral1 run the sample (PID 2792, started from the user's Temp directory) created 21 executables with seven-letter names in C:\Windows\System, started each of them, wrote into their memory, enabled SeLockMemoryPrivilege, and made six TCP connections to 3.120.209.58:8080. Static signatures describe the file as UPX-packed and unsigned, with XMRig miner and Cobalt Strike reflective-loader matches. MITRE ATT&CK mapping is not provided.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Families: Cobaltstrike, Xmrig

Signatures (each listed once):

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 13:30

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(1 match; no per-match detail is given in this report)

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(1 match; no per-match detail is given in this report)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(1 match; no per-match detail is given in this report)

XMRig Miner payload

miner
Description Indicator Process Target
(1 match; no per-match detail is given in this report)

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
(1 match; no per-match detail is given in this report)

Unsigned PE

Description Indicator Process Target
(1 match; no per-match detail is given in this report)
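The "UPX packed file" and "Unsigned PE" verdicts above come from static inspection of the submitted file. The following is an added example (not part of the sandbox output, and not run against the sample itself) of the minimal check a triage script can do for the UPX part: read the PE section table and look for UPX-named sections and the "UPX!" magic the packer leaves in the file. A synthetic PE image is constructed inline so the code runs offline; it is a parseable header layout, not an executable.

```python
"""Static UPX indicators for a PE file.

Added example for this report, not part of the sandbox output. It checks the
two things a 'UPX packed file' signature usually keys on: section names
UPX0/UPX1/UPX2 and the 'UPX!' magic the packer leaves in the file. A minimal
PE image is constructed inline (not the sample from the report) so the check
runs offline; the layout is valid enough to parse but is not executable.
"""
import struct


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if it is not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header follows the signature: NumberOfSections at +2, SizeOfOptionalHeader at +16
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + size_opt
    names = []
    for i in range(num_sections):
        raw = data[sec_table + i * 40: sec_table + i * 40 + 8]
        if len(raw) < 8:
            break  # truncated section table
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Heuristic UPX verdict: UPX* section names and/or the 'UPX!' magic."""
    names = pe_section_names(data)
    upx_sections = [n for n in names if n.upper().startswith("UPX")]
    has_magic = b"UPX!" in data
    return {
        "sections": names,
        "upx_sections": upx_sections,
        "upx_magic": has_magic,
        "likely_upx": bool(upx_sections) or has_magic,
    }


def build_fake_pe(section_names, magic: bool = True) -> bytes:
    """Construct a minimal PE32+ image with the given section names (test fixture)."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 0xF0  # size of a PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, size_opt, 0x22)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    secs = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
    if magic:
        image += b"UPX!" + b"\0" * 12  # stands in for the magic a real UPX stub embeds
    return image


if __name__ == "__main__":
    for label, img in (("packed", build_fake_pe(["UPX0", "UPX1", ".rsrc"])),
                       ("clean", build_fake_pe([".text", ".rdata", ".data"], magic=False))):
        print(label, upx_indicators(img))
```

Both indicators are heuristics: a packer that renames sections and strips the magic will pass, and an unpacked binary that merely contains the string "UPX!" will trip the magic check. The "UPX dump on OEP" signature in the behavioral run is the stronger evidence, because it is taken from the unpacked image in memory.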

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 13:29

Reported

2024-06-06 13:33

Platform

win7-20240221-en

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches reported; no description, indicator, process or target detail is given in this report)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 matches reported; no description, indicator, process or target detail is given in this report)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(53 matches reported; no description, indicator, process or target detail is given in this report)

XMRig Miner payload

miner
Description Indicator Process Target
(54 matches reported; no description, indicator, process or target detail is given in this report)

Loads dropped DLL

Description Indicator Process Target
(21 events, all attributed to the process C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe; no description, indicator or target detail is given in this report)

UPX packed file

upx
Description Indicator Process Target
(53 matches reported; no description, indicator, process or target detail is given in this report)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\iQXeAlN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wWWNCPi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ofvFKMk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cvBTvqq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\afPjNFU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JJQeqUK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uZdUygO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CXqrmvg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WVPlBWu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YZHeBXq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xtNqppy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wxoWAnj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mtLgHGd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jkVcovc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZFWbUTS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OhYBvuD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aTRmiLd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ypHrebj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YZIZCqf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bvAjVGQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FXFzYLR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege ("Lock pages in memory") is the privilege XMRig enables so that it can back its mining dataset with large pages. Ordinary user-mode software rarely needs it, so a process started from a user's Temp directory acquiring it is a strong miner indicator on its own and is worth alerting on independently of the file-drop behaviour.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(63 events: the process below wrote three times into each of the 21 dropped executables; one row per target)
PID 2792 wrote to memory of 2396 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\OhYBvuD.exe
PID 2792 wrote to memory of 1444 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\aTRmiLd.exe
PID 2792 wrote to memory of 2052 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\WVPlBWu.exe
PID 2792 wrote to memory of 2600 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ypHrebj.exe
PID 2792 wrote to memory of 2720 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\YZHeBXq.exe
PID 2792 wrote to memory of 2608 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xtNqppy.exe
PID 2792 wrote to memory of 2972 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\YZIZCqf.exe
PID 2792 wrote to memory of 2480 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\JJQeqUK.exe
PID 2792 wrote to memory of 2924 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZdUygO.exe
PID 2792 wrote to memory of 2736 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\iQXeAlN.exe
PID 2792 wrote to memory of 2440 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\wWWNCPi.exe
PID 2792 wrote to memory of 2512 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\bvAjVGQ.exe
PID 2792 wrote to memory of 2884 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ofvFKMk.exe
PID 2792 wrote to memory of 2896 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\FXFzYLR.exe
PID 2792 wrote to memory of 2000 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\wxoWAnj.exe
PID 2792 wrote to memory of 2704 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\cvBTvqq.exe
PID 2792 wrote to memory of 2700 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\jkVcovc.exe
PID 2792 wrote to memory of 2880 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZFWbUTS.exe
PID 2792 wrote to memory of 2004 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\mtLgHGd.exe
PID 2792 wrote to memory of 1976 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\afPjNFU.exe
PID 2792 wrote to memory of 2016 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\CXqrmvg.exe
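The three behavioural signatures above (files dropped into C:\Windows\System, the dropped executables started, and the parent writing into each child's memory) are individually noisy but together form a tight pattern. The following is an added example, not part of the sandbox output, of how a detection pipeline can correlate them from endpoint telemetry. The event schema, field names and the benign "setup.exe" records are assumptions made for the example; the PIDs and paths of the malicious records are copied from the report, trimmed to three of the 21 dropped files.

```python
"""Correlate the dropper behaviour seen in this report from endpoint events.

Added example, not part of the sandbox output. A small correlator replays
constructed event records (the event schema, field names and the benign
'setup.exe' records are assumptions for the example; PIDs and paths of the
malicious records are taken from the report) and flags a parent process that
drops seven-letter executables into C:\\Windows\\System, launches them, writes
into their memory, and enables SeLockMemoryPrivilege.
"""
import re
from collections import defaultdict

RANDOM_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
TEMP_EXE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\.+\.exe$", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe"

# Constructed event log (three of the 21 dropped files are enough to show the pattern).
EVENTS = [
    {"type": "process_start", "pid": 2792, "image": SAMPLE},
    {"type": "privilege", "pid": 2792, "name": "SeLockMemoryPrivilege"},
    {"type": "file_create", "pid": 2792, "path": r"C:\Windows\System\OhYBvuD.exe"},
    {"type": "file_create", "pid": 2792, "path": r"C:\Windows\System\aTRmiLd.exe"},
    {"type": "file_create", "pid": 2792, "path": r"C:\Windows\System\WVPlBWu.exe"},
    {"type": "process_start", "pid": 2396, "ppid": 2792, "image": r"C:\Windows\System\OhYBvuD.exe"},
    {"type": "process_start", "pid": 1444, "ppid": 2792, "image": r"C:\Windows\System\aTRmiLd.exe"},
    {"type": "process_start", "pid": 2052, "ppid": 2792, "image": r"C:\Windows\System\WVPlBWu.exe"},
    {"type": "write_process_memory", "pid": 2792, "target_pid": 2396},
    {"type": "write_process_memory", "pid": 2792, "target_pid": 1444},
    {"type": "write_process_memory", "pid": 2792, "target_pid": 2052},
    # Benign noise (assumed): an installer that drops one file under Program Files.
    {"type": "process_start", "pid": 4000, "image": r"C:\Users\Admin\Downloads\setup.exe"},
    {"type": "file_create", "pid": 4000, "path": r"C:\Program Files\Tool\tool.exe"},
]


def correlate(events, min_drops=3):
    """Return {pid: {"suspicious": bool, "reasons": [...]}} for every started process."""
    images = {}
    dropped, spawned, wrote_to, privileges = (defaultdict(set) for _ in range(4))
    for ev in events:
        kind = ev["type"]
        if kind == "process_start":
            images[ev["pid"]] = ev["image"]
            if "ppid" in ev and RANDOM_EXE.match(ev["image"]):
                spawned[ev["ppid"]].add(ev["image"].lower())
        elif kind == "file_create" and RANDOM_EXE.match(ev["path"]):
            dropped[ev["pid"]].add(ev["path"].lower())
        elif kind == "write_process_memory":
            wrote_to[ev["pid"]].add(ev["target_pid"])
        elif kind == "privilege":
            privileges[ev["pid"]].add(ev["name"])

    verdicts = {}
    for pid, image in images.items():
        # The core signal: files this process both created and then launched.
        executed = dropped[pid] & spawned[pid]
        suspicious = len(executed) >= min_drops
        reasons = []
        if suspicious:
            reasons.append(f"dropped and executed {len(executed)} seven-letter EXEs in C:\\Windows\\System")
            if TEMP_EXE.match(image):
                reasons.append("parent image runs from the user's Temp directory")
            if wrote_to[pid]:
                reasons.append(f"wrote into the memory of {len(wrote_to[pid])} child process(es)")
        if "SeLockMemoryPrivilege" in privileges[pid]:
            reasons.append("enabled SeLockMemoryPrivilege (large pages, as XMRig requests)")
        verdicts[pid] = {"suspicious": suspicious, "reasons": reasons}
    return verdicts


if __name__ == "__main__":
    for pid, v in correlate(EVENTS).items():
        print(pid, "SUSPICIOUS" if v["suspicious"] else "ok", v["reasons"])
```

The drop-and-execute intersection is what keeps this quiet: installers create executables, and many processes start children, but a single process that creates several seven-letter executables in a system directory and then runs each of them is not normal behaviour. The memory-write and privilege signals are added as reasons rather than as requirements, so a variant that injects differently or never requests large pages is still caught.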

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe (PID 2792)
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe"

Dropped executables started during the run (PIDs taken from the WriteProcessMemory table; each was run with its own path as the command line and no arguments):

C:\Windows\System\OhYBvuD.exe (PID 2396)
C:\Windows\System\aTRmiLd.exe (PID 1444)
C:\Windows\System\WVPlBWu.exe (PID 2052)
C:\Windows\System\ypHrebj.exe (PID 2600)
C:\Windows\System\YZHeBXq.exe (PID 2720)
C:\Windows\System\xtNqppy.exe (PID 2608)
C:\Windows\System\YZIZCqf.exe (PID 2972)
C:\Windows\System\JJQeqUK.exe (PID 2480)
C:\Windows\System\uZdUygO.exe (PID 2924)
C:\Windows\System\iQXeAlN.exe (PID 2736)
C:\Windows\System\wWWNCPi.exe (PID 2440)
C:\Windows\System\bvAjVGQ.exe (PID 2512)
C:\Windows\System\ofvFKMk.exe (PID 2884)
C:\Windows\System\FXFzYLR.exe (PID 2896)
C:\Windows\System\wxoWAnj.exe (PID 2000)
C:\Windows\System\cvBTvqq.exe (PID 2704)
C:\Windows\System\jkVcovc.exe (PID 2700)
C:\Windows\System\ZFWbUTS.exe (PID 2880)
C:\Windows\System\mtLgHGd.exe (PID 2004)
C:\Windows\System\afPjNFU.exe (PID 1976)
C:\Windows\System\CXqrmvg.exe (PID 2016)

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 connections; no domain was resolved for this endpoint)

Files

memory/2792-1-0x0000000000180000-0x0000000000190000-memory.dmp

memory/2792-0-0x000000013F700000-0x000000013FA54000-memory.dmp

C:\Windows\system\OhYBvuD.exe

MD5 f884944d9ab024998642e1533971353f
SHA1 d44aa2e31dc4a2c49069ca62a9ddc93154fbaea0
SHA256 6cf3defd61e53a6d15bd2225d437ff14e79462e9a778fa7a5f313d8de48748a1
SHA512 aaecc4c3883de0a3ba9312303362658da87330754d5fb8ea8d77abbd95dea3c5b0652e88e2edc9f0f9e2f7053df0da836b7f17c16d2ad311d9ac907125577aa0

memory/2792-11-0x000000013FC50000-0x000000013FFA4000-memory.dmp

\Windows\system\aTRmiLd.exe

MD5 39d4e9b468d878f6408ddcbc43bd6738
SHA1 67aff5149a084b91951c37657248384b91f8371f
SHA256 78cb6553bc60ede55b3806c6057c1b720af1e0c2b46b92e586b4dff7dd9eb63b
SHA512 98a4d3bf98d63d8988ab4277d35939bbec25d0a30c91cccd01aca7d3e0204a38bf9a86014ed77c65a4bfcee13219469653a2702a0ae3b0b7868528e67995b3f6

memory/2792-14-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2396-12-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/1444-16-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2792-21-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2052-23-0x000000013F750000-0x000000013FAA4000-memory.dmp

C:\Windows\system\YZHeBXq.exe

MD5 16a52d6c3e2cbb536a47b5dd00887f28
SHA1 f0ea2bd0aa012e12a56cb21612ac780987862e6f
SHA256 d758b06b9c3b909e92335db508b7cdc08929e7be79fa722651f9b81d234ed786
SHA512 f0b8033e34f15834d43934d12e7174569b225582cb01a857827ab5d6eca35e70e4455d3ac77e4c66c7b628d35987655dd05e3a184c4ea593c0536336e30b213e

memory/2600-34-0x000000013F420000-0x000000013F774000-memory.dmp

C:\Windows\system\xtNqppy.exe

MD5 62668dbcc5f1e421e1d254c2422868d0
SHA1 6651f5e0fc0063edceb6d07f215fcabf39657282
SHA256 a15f96bf2a384a091b5e68f38ce778408dc7b893776a3e033af0f77a9273c4b4
SHA512 5dc1197c96a6bc547764052f0c7ea328eb8936c9629338c744521cea0e180b7358f2d98da4c439dd3a14b5ed8d42af3c98478c4520fb21f3a2ff9a8d25695485

C:\Windows\system\iQXeAlN.exe

MD5 965a1e9879b557329fc1f4a780fefd1d
SHA1 abbf1488b7503a117910ef3b27fe2f86ea16ccfe
SHA256 91cbdcd246b52296d53c4908b22be727711988ed2e0be531f58de256e1d169c6
SHA512 0e7cb4f047155395dccbdc755b89dec9aa5580e1b7281cb59bb153030b3ffbcd670a6578a6fc8de42b3fbc5f359adfabf086cfe6cccde421bd5a9bbd9275afc2

C:\Windows\system\wxoWAnj.exe

MD5 5a645b35810e1225996b4c5b3ed2a247
SHA1 0af022898732e57feba6b41c8effbbc2591c2265
SHA256 81a7093472604140a53241542e14c1f07c2819ca115bfa5ebcbad05b6d125762
SHA512 ac076a82aae445303000a3b605286b5efb2792292356dab72cdc828a37f699f7f46231b57200d90640b0b4440cc72fef35aea030e72319b11b1de91c5cfedd0c

C:\Windows\system\afPjNFU.exe

MD5 4e7b39f08aa3676682f54ea64fcce94f
SHA1 db50481cb131e5c3d481406d92bb33f03738ac8c
SHA256 2ec67e00595f0ba2396917a1451cd927491bd05df8b9cd7855ee5f0eb2374b9f
SHA512 18cbbb2cbdc35a9704cdd46378200c2eeba7ebedb2a00a779248cabe09fe90277443197a22b744a7ce1a19a7d3a7910f7ae5fc0431b7f9af9278e43e29316d15

\Windows\system\CXqrmvg.exe

MD5 3dd38b46144db5ed1b1621040fe00a39
SHA1 76b410f78d5507c3544a1bca7c3d7ad77a54fd1f
SHA256 340a856cd8c2e1678e55cad016b9d7493d72c328f05fa08cf65a05bb386098ad
SHA512 1387ccdac05b11bfdd431a475f1462c7734fc8b9f36d87ff2b59a7e6a03ae67f49d0d1faaffd10ad4d8bbdddd9dd7a6ff351622a52ddc6acc2564ab3e2654672

C:\Windows\system\mtLgHGd.exe

MD5 bf5313a34910094da95c05b52364ddf5
SHA1 5a56509ac3ce529f627a1eec00ba3112aa9871ea
SHA256 a9693f9d025a19963f2f4f75954ea93f677297506f80d478d3daf9b4a559ceae
SHA512 35e094e8c7ce200d5725b2d38b6b3f6f7caafdc30b468e7b35825228ba13c2829ec3fdf3245bf40590f43060a30969aaea28f7f91374a9ae3feb9d0dff98141d

memory/2720-115-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2792-117-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2792-116-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/2480-120-0x000000013F780000-0x000000013FAD4000-memory.dmp

memory/2924-121-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2884-127-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2608-131-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/2792-130-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2896-129-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/2792-128-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/2512-126-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2792-125-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2440-124-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/2792-123-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/2736-122-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/2792-119-0x0000000002210000-0x0000000002564000-memory.dmp

memory/2972-118-0x000000013F550000-0x000000013F8A4000-memory.dmp

C:\Windows\system\ZFWbUTS.exe

MD5 ae73653a20a8d28db75ff988ed83423c
SHA1 0148365f30e4c8197514916847ad3e23c6dd7092
SHA256 7ff6b80f9eeb9b3ab368d5eb2398f471670a3f6b6a8467bea778d18dcda43f36

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 13:29

Reported

2024-06-06 13:33

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cEGzBUm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PwAisJM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Nngapqm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\thuPBWX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sWMOzqM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hwAfhGA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UKqPNMi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MdAFfmj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uaMSmKk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TsNVvui.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bTyuoFw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CPzVfEy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AxApTlC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TVnyVxY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mvVnqsQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LfKnZkr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\huulBGZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RCCjAir.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YeozrOY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aAPLcGw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TOOTXsT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\YeozrOY.exe
PID 1664 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\bTyuoFw.exe
PID 1664 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\PwAisJM.exe
PID 1664 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\hwAfhGA.exe
PID 1664 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\UKqPNMi.exe
PID 1664 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\MdAFfmj.exe
PID 1664 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\CPzVfEy.exe
PID 1664 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\Nngapqm.exe
PID 1664 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWMOzqM.exe
PID 1664 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\aAPLcGw.exe
PID 1664 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\TOOTXsT.exe
PID 1664 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\TVnyVxY.exe
PID 1664 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\AxApTlC.exe
PID 1664 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\mvVnqsQ.exe
PID 1664 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\thuPBWX.exe
PID 1664 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\LfKnZkr.exe
PID 1664 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\huulBGZ.exe
PID 1664 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\RCCjAir.exe
PID 1664 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\uaMSmKk.exe
PID 1664 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\TsNVvui.exe
PID 1664 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe C:\Windows\System\cEGzBUm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\YeozrOY.exe

C:\Windows\System\YeozrOY.exe

C:\Windows\System\bTyuoFw.exe

C:\Windows\System\bTyuoFw.exe

C:\Windows\System\PwAisJM.exe

C:\Windows\System\PwAisJM.exe

C:\Windows\System\hwAfhGA.exe

C:\Windows\System\hwAfhGA.exe

C:\Windows\System\UKqPNMi.exe

C:\Windows\System\UKqPNMi.exe

C:\Windows\System\MdAFfmj.exe

C:\Windows\System\MdAFfmj.exe

C:\Windows\System\CPzVfEy.exe

C:\Windows\System\CPzVfEy.exe

C:\Windows\System\Nngapqm.exe

C:\Windows\System\Nngapqm.exe

C:\Windows\System\sWMOzqM.exe

C:\Windows\System\sWMOzqM.exe

C:\Windows\System\aAPLcGw.exe

C:\Windows\System\aAPLcGw.exe

C:\Windows\System\TOOTXsT.exe

C:\Windows\System\TOOTXsT.exe

C:\Windows\System\TVnyVxY.exe

C:\Windows\System\TVnyVxY.exe

C:\Windows\System\AxApTlC.exe

C:\Windows\System\AxApTlC.exe

C:\Windows\System\mvVnqsQ.exe

C:\Windows\System\mvVnqsQ.exe

C:\Windows\System\thuPBWX.exe

C:\Windows\System\thuPBWX.exe

C:\Windows\System\LfKnZkr.exe

C:\Windows\System\LfKnZkr.exe

C:\Windows\System\huulBGZ.exe

C:\Windows\System\huulBGZ.exe

C:\Windows\System\RCCjAir.exe

C:\Windows\System\RCCjAir.exe

C:\Windows\System\uaMSmKk.exe

C:\Windows\System\uaMSmKk.exe

C:\Windows\System\TsNVvui.exe

C:\Windows\System\TsNVvui.exe

C:\Windows\System\cEGzBUm.exe

C:\Windows\System\cEGzBUm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
