Malware Analysis Report

2024-10-24 18:15

Sample ID 240606-qt5hjaeg4w
Target 2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike
SHA256 48f9c7c7328b5b7f4db55a4559c819c6c30209b8ec673c11eb798dc08616d00d
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

48f9c7c7328b5b7f4db55a4559c819c6c30209b8ec673c11eb798dc08616d00d

Threat Level: Known bad

The file 2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

xmrig

Cobaltstrike

Cobaltstrike family

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

Xmrig family

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 13:34

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 13:34

Reported

2024-06-06 13:36

Platform

win7-20240221-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\System\DzhmvGS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\BHNlZMl.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\tjmTybD.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\zVajnIx.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\UtNmLaV.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\lbXECBC.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\IFJMhcB.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\yosOpjR.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\OpHyXUG.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\iKgASBj.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\SECIIuI.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\AVbmrFo.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\ATkSCgM.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\cUENkXI.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\UKpGQrO.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\fgrDkuW.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\rccOsgR.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\NmoLYog.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\GjAtZjT.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\oilxSba.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\ZYDQgEA.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1848 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\SECIIuI.exe
PID 1848 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\SECIIuI.exe
PID 1848 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\SECIIuI.exe
PID 1848 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\tjmTybD.exe
PID 1848 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\tjmTybD.exe
PID 1848 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\tjmTybD.exe
PID 1848 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\ZYDQgEA.exe
PID 1848 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\ZYDQgEA.exe
PID 1848 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\ZYDQgEA.exe
PID 1848 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\zVajnIx.exe
PID 1848 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\zVajnIx.exe
PID 1848 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\zVajnIx.exe
PID 1848 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\UtNmLaV.exe
PID 1848 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\UtNmLaV.exe
PID 1848 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\UtNmLaV.exe
PID 1848 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\lbXECBC.exe
PID 1848 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\lbXECBC.exe
PID 1848 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\lbXECBC.exe
PID 1848 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\IFJMhcB.exe
PID 1848 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\IFJMhcB.exe
PID 1848 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\IFJMhcB.exe
PID 1848 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\rccOsgR.exe
PID 1848 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\rccOsgR.exe
PID 1848 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\rccOsgR.exe
PID 1848 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\fgrDkuW.exe
PID 1848 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\fgrDkuW.exe
PID 1848 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\fgrDkuW.exe
PID 1848 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\yosOpjR.exe
PID 1848 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\yosOpjR.exe
PID 1848 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\yosOpjR.exe
PID 1848 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\OpHyXUG.exe
PID 1848 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\OpHyXUG.exe
PID 1848 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\OpHyXUG.exe
PID 1848 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\NmoLYog.exe
PID 1848 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\NmoLYog.exe
PID 1848 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\NmoLYog.exe
PID 1848 wrote to memory of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\GjAtZjT.exe
PID 1848 wrote to memory of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\GjAtZjT.exe
PID 1848 wrote to memory of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\GjAtZjT.exe
PID 1848 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\oilxSba.exe
PID 1848 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\oilxSba.exe
PID 1848 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\oilxSba.exe
PID 1848 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\DzhmvGS.exe
PID 1848 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\DzhmvGS.exe
PID 1848 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\DzhmvGS.exe
PID 1848 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\iKgASBj.exe
PID 1848 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\iKgASBj.exe
PID 1848 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\iKgASBj.exe
PID 1848 wrote to memory of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\ATkSCgM.exe
PID 1848 wrote to memory of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\ATkSCgM.exe
PID 1848 wrote to memory of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\ATkSCgM.exe
PID 1848 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\cUENkXI.exe
PID 1848 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\cUENkXI.exe
PID 1848 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\cUENkXI.exe
PID 1848 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\BHNlZMl.exe
PID 1848 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\BHNlZMl.exe
PID 1848 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\BHNlZMl.exe
PID 1848 wrote to memory of 384 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\UKpGQrO.exe
PID 1848 wrote to memory of 384 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\UKpGQrO.exe
PID 1848 wrote to memory of 384 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\UKpGQrO.exe
PID 1848 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\AVbmrFo.exe
PID 1848 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\AVbmrFo.exe
PID 1848 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe | C:\Windows\System\AVbmrFo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\SECIIuI.exe

C:\Windows\System\SECIIuI.exe

C:\Windows\System\tjmTybD.exe

C:\Windows\System\tjmTybD.exe

C:\Windows\System\ZYDQgEA.exe

C:\Windows\System\ZYDQgEA.exe

C:\Windows\System\zVajnIx.exe

C:\Windows\System\zVajnIx.exe

C:\Windows\System\UtNmLaV.exe

C:\Windows\System\UtNmLaV.exe

C:\Windows\System\lbXECBC.exe

C:\Windows\System\lbXECBC.exe

C:\Windows\System\IFJMhcB.exe

C:\Windows\System\IFJMhcB.exe

C:\Windows\System\rccOsgR.exe

C:\Windows\System\rccOsgR.exe

C:\Windows\System\fgrDkuW.exe

C:\Windows\System\fgrDkuW.exe

C:\Windows\System\yosOpjR.exe

C:\Windows\System\yosOpjR.exe

C:\Windows\System\OpHyXUG.exe

C:\Windows\System\OpHyXUG.exe

C:\Windows\System\NmoLYog.exe

C:\Windows\System\NmoLYog.exe

C:\Windows\System\GjAtZjT.exe

C:\Windows\System\GjAtZjT.exe

C:\Windows\System\oilxSba.exe

C:\Windows\System\oilxSba.exe

C:\Windows\System\DzhmvGS.exe

C:\Windows\System\DzhmvGS.exe

C:\Windows\System\iKgASBj.exe

C:\Windows\System\iKgASBj.exe

C:\Windows\System\ATkSCgM.exe

C:\Windows\System\ATkSCgM.exe

C:\Windows\System\cUENkXI.exe

C:\Windows\System\cUENkXI.exe

C:\Windows\System\BHNlZMl.exe

C:\Windows\System\BHNlZMl.exe

C:\Windows\System\UKpGQrO.exe

C:\Windows\System\UKpGQrO.exe

C:\Windows\System\AVbmrFo.exe

C:\Windows\System\AVbmrFo.exe

Network

Country | Destination | Domain | Proto
DE | 3.120.209.58:8080 | | tcp
DE | 3.120.209.58:8080 | | tcp
DE | 3.120.209.58:8080 | | tcp
DE | 3.120.209.58:8080 | | tcp
DE | 3.120.209.58:8080 | | tcp
DE | 3.120.209.58:8080 | | tcp

Files

memory/1848-0-0x000000013F820000-0x000000013FB74000-memory.dmp

memory/1848-1-0x00000000002F0000-0x0000000000300000-memory.dmp

\Windows\system\SECIIuI.exe

MD5 fd22b4a86db914933c45697eb486e51c
SHA1 1d42e87eea424010a2d11451e28bd31f09e3b40b
SHA256 72b9c32fce6394d2be2601562b2ca8248b30b9cd5b6f8e94206ba1d9cf98b5e8
SHA512 62f558d164093bb41fa93fb542e45dce3a255aeeab6eaff7c0f8f121e9c03af615b1d9b91fc94b5de1514555bb2255f6951ef84426dabcfe62e5040c3520d9e4

\Windows\system\tjmTybD.exe

MD5 77efb587944df757ced4b8f9d5bb82de
SHA1 f446d20060fe2a17b4c4c2b1b06f8276d028970d
SHA256 6c2939bb4b0ce78c9c47d185d9951955e431ae3feccded0bf0be66d398990537
SHA512 077faf411b7f3d58a9f58f60a2dae8588cdf471ab91f2fc4eb0bec582ae2f90f377d684acaa4b66b7fe40edf4b063617ca5a8d9b6ff7cc0a7d4f1cf0d3062b1f

\Windows\system\ZYDQgEA.exe

MD5 70bf511a8f6eda6d62ad88e56e7d2ddb
SHA1 2106f74fa058f697f87f4b1c23b7f4122d6dd827
SHA256 7e6c3083f05ee67ffb6638d6ff71e2b00b8eb6617f03f322d3e968eee8b23185
SHA512 aab2a4c7b92ad758d73892c7e39ae6e8a71acfa0a6bbaecbe2e73c1a60bed541371e536dcea5a5c94852e2460c01fd9b5edb7d197750df75f263ae3dbd7cf648

\Windows\system\zVajnIx.exe

MD5 2f8e13ef5976aa110d5f6cdbe19a0d49
SHA1 55f911e06a1beafaa89ca8f3cfbec392b0f13ce7
SHA256 3bc913ff9f9ca2c74a48c37f5209c8884af97f859ec810ff234edb369ddb55cf
SHA512 db75c5cbb8ad74628198e165fefa7444df54a96c2399fb25346d59f2bd7ae80d0cf578956beceefba3b2b5d14026582495eb80930738a29ff24e26c7cf5acf46

memory/1848-22-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2612-40-0x000000013FBE0000-0x000000013FF34000-memory.dmp

\Windows\system\IFJMhcB.exe

MD5 3804321ebb73ac04e019c55fb1bfb3b4
SHA1 bda39ed644c796b73a95431633163355c5afa510
SHA256 48c55ccfbfeb8e95544c8765be3f9be6567a61e28ea230dd0d8d1fd0c08b1a28
SHA512 b804032e6f1ed015efa2f0a07ad4deb21fc0b58990c07a9cd1261fa81569986f2e4d7fb4c4006bdeeaa2e7f41c1a0941b2604e5bc520d8eb2a0f983a332ae68f

memory/1848-26-0x000000013FDA0000-0x00000001400F4000-memory.dmp

memory/2512-30-0x000000013FDA0000-0x00000001400F4000-memory.dmp

\Windows\system\UtNmLaV.exe

MD5 4a005c85c717976baddd409c7aac64dd
SHA1 48670d96aa54abf420ca54cef675fd2f5abd0438
SHA256 64e8f66f02b21ec4dce7ece79bb191bf68c1b813a4c6a79dd226d8ed6ce27517
SHA512 c446910f20b78db2fc8a77949bad201c51c40a5b2eda8f3f344fe8597747c83759a9a8a935862cce1d7eb7f358167fd473b6f34c88928d1e4db73c37ecfba4df

memory/2936-25-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2924-24-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/1252-85-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/1244-92-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2248-97-0x000000013F5D0000-0x000000013F924000-memory.dmp

\Windows\system\ATkSCgM.exe

MD5 8e240ad5477af4539f37e330640d8c6e
SHA1 b0267ef8d7b6bb8c7e0422e4def6a8ea67dee678
SHA256 f190ee9538504f9701845c3dd70861f001bf09e2f2b5ff02337f23f1d3a37adf
SHA512 b5ab36a7ef769d6416bd09543526cf3e667a3f68115a986ef5bbc4ca0bc0cc5c9173e09c53ffbe386e78497627c584ad4d7191147c09dce9bae48c70f959c2d3

\Windows\system\UKpGQrO.exe

MD5 b34253c9dd26f430646c2755377c81e0
SHA1 9fa496c66481d3e91a229f067f9038e9ea3a82e9
SHA256 77e653ab66830599fe307e3684b822b5536ba23c06882766739a514d436fd40b
SHA512 50e5abbdfbc0c85a7845a0510515ed27ae11649098d23640ed768c11109541591c637cc2000d812f66f9a7e0ebf3aafda98f5bca5d673a28538d676dc202f8d7

\Windows\system\cUENkXI.exe

MD5 7dc21c9228d0b3b9e55de8ac36eaf669
SHA1 9d7650b9eaff1b15df447c859d874bda3c8c31fd
SHA256 1ab9b35ac982a62a0466f83d700469e9fa7499f447fdece735cf34bf1b37ea50
SHA512 b9a8c5c7294ba043f61358c7199225d0f1ca1b722c1c6a86a5135b6b3f9981983242837d109bd5201998f752bbd58a0d641c83535e49fe9f7071e601eef74b99

C:\Windows\system\AVbmrFo.exe

MD5 f3ff30bbb308d7cbfd604960c3bf8bc2
SHA1 3f172d4dca6c2098da1a9fae4054cea970bec8ed
SHA256 c012b7fa599d45828ec9eafb800fd03fdb803632c410990e57d4e6f1a2773e84
SHA512 14a149583fce96d2eb1dc766cdd5fdd04f00e5b8215c4b4d0dfef5907866717f57fc7a0f93083c2a09620bd73d95c12a6eb2b71755a6251aec6f2e579191f4fb

C:\Windows\system\iKgASBj.exe

MD5 731115c1ac9ceeec72224fc082ecbdbb
SHA1 413670dcfb95659938c0ef8ac7c37ec2d3e9f853
SHA256 802192d5607affc7068567271f785e1cf85ffdb1b152c6015a0fb6c7adfe7fcd
SHA512 df38a7bbcd22975a1600147665b29d6d064f5ea3e42ef1a9313564bbe3b4531d7a0bc7df8bdcc163e09dcce0cf01df312e09b9762d1187b5c3e612d4d23bb6ea

C:\Windows\system\BHNlZMl.exe

MD5 7e56d28eb8c378ed867f7f7a89b7b558
SHA1 b662dc34b0cb2f63aba8ba09da37d8a8584e4b88
SHA256 88cea066bd71a5beb37e9a7d4e3047e51401e5f56dd61475ebfe5bd2d68f60d4
SHA512 9e7854dad074581f4679c834ab7058d0e38d3a9e7c839426b699aab64c785cff20a07430d577a18ec740361be7db4e97bb25263c84d9916b5709bd722d2fd552

memory/1848-105-0x00000000024F0000-0x0000000002844000-memory.dmp

C:\Windows\system\DzhmvGS.exe

MD5 3655a5e275f97aafc6f7869310160a66
SHA1 331b2981975cd3c44a390580b0cf4e0194a5e7a7
SHA256 1c8c5e889ffa6a0ac4afef2ac85334b13b2a791b2a0433a10dd5ad1717c21481
SHA512 642a3efb5806f9473e08211c4ed14f6525bb60fda6749387211057edb906c9a810f08c8e89341745ebc2917aa0838a378913efbadc82859d9855a15af751a8ab

memory/1848-96-0x00000000024F0000-0x0000000002844000-memory.dmp

C:\Windows\system\oilxSba.exe

MD5 9a723c46b07a9a91766230be8f732601
SHA1 84de56b3d710fc71aa88b66a08a7d6f3f68c75ac
SHA256 1656340c744cc0ccad98a71d0237351fd106ceb500ef84bd3054dcdead305dda
SHA512 df3957e9e01e5c844e3b4660927fc4f4b852d4103b3c45bac336f7a627df27753fab9b50ee67d03d2ae06d2f9d405d39e2c6e1e21249e3973416d39ccf26e7fd

memory/2420-91-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/1848-70-0x000000013FD70000-0x00000001400C4000-memory.dmp

\Windows\system\NmoLYog.exe

MD5 2a610f42730d9f675ae4013fc2a67f8e
SHA1 de8236a4cf0f371adb76b5f05f76a34526864066
SHA256 194fc4d944f9b90445de16658f6feaa0645c19e3f0976b3c2785e99739d139ec
SHA512 39d0325e50959e37fc9451b641a346742b2ca60b6e6639bbcaf6e547bc1c8bdcfd59cb0678e74da76f5bcd5be0a3c0495b8570981ae5ca8bcec5288963e720b6

memory/1848-61-0x000000013FC60000-0x000000013FFB4000-memory.dmp

\Windows\system\yosOpjR.exe

MD5 8cee106cea82a65ac683533f21dcc015
SHA1 170ff88d32f470f4a4e518af270bd6af30a7613e
SHA256 69f598dc3f293a870fa066effa12da735cc6eb0b539410ab097d577f9e5fbb5d
SHA512 d8c1dc7be8607aa6c166339e201d3b2a07c8618769af4bd7e78525cea36e0dc153a4af6f550de27aeea32e89e57ce611276b247c96e010ca61357a0109b96e24

memory/2792-87-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/1848-86-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2132-84-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/1848-82-0x00000000024F0000-0x0000000002844000-memory.dmp

memory/1848-81-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/2548-80-0x000000013FF60000-0x00000001402B4000-memory.dmp

C:\Windows\system\rccOsgR.exe

MD5 5f308edb90aeb7583e85bb4f8ab245de
SHA1 8b63f30fe0e8428a514c70289dce82a946ec95c2
SHA256 ad67ea20d90e13d8faa09a21d688f74ab62b88374233052454835e8c267ede0f
SHA512 efed47aabc72a22ea4e222b86f771b4ca9e4232a41c05a0043ffdf6bf2ce9a8cc93a97f54e085003d735e678d1b8a6da431f97393a1651c9642a562ddf7d5eb4

C:\Windows\system\GjAtZjT.exe

MD5 556a0d562ef719b230bedd60c13e7431
SHA1 2621bb440cfe39be606f1751c93e931bc4f75157
SHA256 8aed283aa566fc278723eae9ff7910a0babaa4efdf45111f10fc77473049d495
SHA512 1fbccf04a1851c8c754dc623d1ebd61a3b4c8c9ff6fc53e9c3e6e30225919cf1b535fd408251d6be967d1ea7e06f5d466ae56de142649b63d2a236a4990514db

C:\Windows\system\OpHyXUG.exe

MD5 7fd8349d442c6b165a31f1e464a298f9
SHA1 046ce3d96ae5ffab8370b33af07a6cbf4692f895
SHA256 fee1cdb0c9b8d6b5625deb44183edc8c4ef8a09af43a9289d1e5c55db6795173
SHA512 b3cd86e18e6e3b14e83ce9323df48ab3fa448bfd55be1f9805e18185703507cf9e17ba2dda383dfc1f822c282e4e252d830d0b49c36cee8ea54d7e04802a4ef8

C:\Windows\system\lbXECBC.exe

MD5 d74bd71937f099f3cf88051daac0977d
SHA1 2c492ab902dc2c6d950d342838db289f20deb22e
SHA256 138312c485851fad1640182865670b6c4cd92a47dae13bbb780b6d1e30c516c1
SHA512 d962e171f9420717dcc7b0240b92f4f247dc39bb0259f4cfa389bbbfafc49d4fb45fa380c78558e0a69bbd25950298051158c5c1fe55ed8f529b1da254a2efd3

C:\Windows\system\fgrDkuW.exe

MD5 291b5bcc64fc1f2f7d672a1adae46af3
SHA1 f73a2698781ab7d11db57296d24a7eb93b70fba5
SHA256 e9a5c80b5c29e2218aee87ff3f6381d3646d9fe8986fab02bbc55734eea19ebc
SHA512 0cd5417a33d4ad1c3f1557215511372c0702b0a1655bd8601d072c366bf724634ca5a624d753453aa1d964516cd4109d4da0ecbda431579c0c8253e7211d65b8

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 13:34

Reported

2024-06-06 13:36

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\tjmTybD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OpHyXUG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GjAtZjT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AVbmrFo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZYDQgEA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rccOsgR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cUENkXI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BHNlZMl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SECIIuI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zVajnIx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fgrDkuW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DzhmvGS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NmoLYog.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oilxSba.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iKgASBj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ATkSCgM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UtNmLaV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lbXECBC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IFJMhcB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yosOpjR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UKpGQrO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4676 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\SECIIuI.exe
PID 4676 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\SECIIuI.exe
PID 4676 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\tjmTybD.exe
PID 4676 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\tjmTybD.exe
PID 4676 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZYDQgEA.exe
PID 4676 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZYDQgEA.exe
PID 4676 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\zVajnIx.exe
PID 4676 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\zVajnIx.exe
PID 4676 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\UtNmLaV.exe
PID 4676 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\UtNmLaV.exe
PID 4676 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\lbXECBC.exe
PID 4676 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\lbXECBC.exe
PID 4676 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\IFJMhcB.exe
PID 4676 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\IFJMhcB.exe
PID 4676 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\rccOsgR.exe
PID 4676 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\rccOsgR.exe
PID 4676 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\fgrDkuW.exe
PID 4676 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\fgrDkuW.exe
PID 4676 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\yosOpjR.exe
PID 4676 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\yosOpjR.exe
PID 4676 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\OpHyXUG.exe
PID 4676 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\OpHyXUG.exe
PID 4676 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\NmoLYog.exe
PID 4676 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\NmoLYog.exe
PID 4676 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\GjAtZjT.exe
PID 4676 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\GjAtZjT.exe
PID 4676 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\oilxSba.exe
PID 4676 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\oilxSba.exe
PID 4676 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\DzhmvGS.exe
PID 4676 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\DzhmvGS.exe
PID 4676 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\iKgASBj.exe
PID 4676 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\iKgASBj.exe
PID 4676 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ATkSCgM.exe
PID 4676 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\ATkSCgM.exe
PID 4676 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\cUENkXI.exe
PID 4676 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\cUENkXI.exe
PID 4676 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\BHNlZMl.exe
PID 4676 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\BHNlZMl.exe
PID 4676 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\UKpGQrO.exe
PID 4676 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\UKpGQrO.exe
PID 4676 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\AVbmrFo.exe
PID 4676 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe C:\Windows\System\AVbmrFo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_2f500e16da24ea937a675bbddb29eddf_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\SECIIuI.exe

C:\Windows\System\SECIIuI.exe

C:\Windows\System\tjmTybD.exe

C:\Windows\System\tjmTybD.exe

C:\Windows\System\ZYDQgEA.exe

C:\Windows\System\ZYDQgEA.exe

C:\Windows\System\zVajnIx.exe

C:\Windows\System\zVajnIx.exe

C:\Windows\System\UtNmLaV.exe

C:\Windows\System\UtNmLaV.exe

C:\Windows\System\lbXECBC.exe

C:\Windows\System\lbXECBC.exe

C:\Windows\System\IFJMhcB.exe

C:\Windows\System\IFJMhcB.exe

C:\Windows\System\rccOsgR.exe

C:\Windows\System\rccOsgR.exe

C:\Windows\System\fgrDkuW.exe

C:\Windows\System\fgrDkuW.exe

C:\Windows\System\yosOpjR.exe

C:\Windows\System\yosOpjR.exe

C:\Windows\System\OpHyXUG.exe

C:\Windows\System\OpHyXUG.exe

C:\Windows\System\NmoLYog.exe

C:\Windows\System\NmoLYog.exe

C:\Windows\System\GjAtZjT.exe

C:\Windows\System\GjAtZjT.exe

C:\Windows\System\oilxSba.exe

C:\Windows\System\oilxSba.exe

C:\Windows\System\DzhmvGS.exe

C:\Windows\System\DzhmvGS.exe

C:\Windows\System\iKgASBj.exe

C:\Windows\System\iKgASBj.exe

C:\Windows\System\ATkSCgM.exe

C:\Windows\System\ATkSCgM.exe

C:\Windows\System\cUENkXI.exe

C:\Windows\System\cUENkXI.exe

C:\Windows\System\BHNlZMl.exe

C:\Windows\System\BHNlZMl.exe

C:\Windows\System\UKpGQrO.exe

C:\Windows\System\UKpGQrO.exe

C:\Windows\System\AVbmrFo.exe

C:\Windows\System\AVbmrFo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
BE 88.221.83.243:443 www.bing.com tcp
US 8.8.8.8:53 243.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

C:\Windows\System\SECIIuI.exe

MD5 fd22b4a86db914933c45697eb486e51c
SHA1 1d42e87eea424010a2d11451e28bd31f09e3b40b
SHA256 72b9c32fce6394d2be2601562b2ca8248b30b9cd5b6f8e94206ba1d9cf98b5e8
SHA512 62f558d164093bb41fa93fb542e45dce3a255aeeab6eaff7c0f8f121e9c03af615b1d9b91fc94b5de1514555bb2255f6951ef84426dabcfe62e5040c3520d9e4

C:\Windows\System\ZYDQgEA.exe

MD5 70bf511a8f6eda6d62ad88e56e7d2ddb
SHA1 2106f74fa058f697f87f4b1c23b7f4122d6dd827
SHA256 7e6c3083f05ee67ffb6638d6ff71e2b00b8eb6617f03f322d3e968eee8b23185
SHA512 aab2a4c7b92ad758d73892c7e39ae6e8a71acfa0a6bbaecbe2e73c1a60bed541371e536dcea5a5c94852e2460c01fd9b5edb7d197750df75f263ae3dbd7cf648

C:\Windows\System\tjmTybD.exe

MD5 77efb587944df757ced4b8f9d5bb82de
SHA1 f446d20060fe2a17b4c4c2b1b06f8276d028970d
SHA256 6c2939bb4b0ce78c9c47d185d9951955e431ae3feccded0bf0be66d398990537
SHA512 077faf411b7f3d58a9f58f60a2dae8588cdf471ab91f2fc4eb0bec582ae2f90f377d684acaa4b66b7fe40edf4b063617ca5a8d9b6ff7cc0a7d4f1cf0d3062b1f

C:\Windows\System\zVajnIx.exe

MD5 2f8e13ef5976aa110d5f6cdbe19a0d49
SHA1 55f911e06a1beafaa89ca8f3cfbec392b0f13ce7
SHA256 3bc913ff9f9ca2c74a48c37f5209c8884af97f859ec810ff234edb369ddb55cf
SHA512 db75c5cbb8ad74628198e165fefa7444df54a96c2399fb25346d59f2bd7ae80d0cf578956beceefba3b2b5d14026582495eb80930738a29ff24e26c7cf5acf46

C:\Windows\System\UtNmLaV.exe

MD5 4a005c85c717976baddd409c7aac64dd
SHA1 48670d96aa54abf420ca54cef675fd2f5abd0438
SHA256 64e8f66f02b21ec4dce7ece79bb191bf68c1b813a4c6a79dd226d8ed6ce27517
SHA512 c446910f20b78db2fc8a77949bad201c51c40a5b2eda8f3f344fe8597747c83759a9a8a935862cce1d7eb7f358167fd473b6f34c88928d1e4db73c37ecfba4df

C:\Windows\System\lbXECBC.exe

MD5 d74bd71937f099f3cf88051daac0977d
SHA1 2c492ab902dc2c6d950d342838db289f20deb22e
SHA256 138312c485851fad1640182865670b6c4cd92a47dae13bbb780b6d1e30c516c1
SHA512 d962e171f9420717dcc7b0240b92f4f247dc39bb0259f4cfa389bbbfafc49d4fb45fa380c78558e0a69bbd25950298051158c5c1fe55ed8f529b1da254a2efd3

C:\Windows\System\rccOsgR.exe

MD5 5f308edb90aeb7583e85bb4f8ab245de
SHA1 8b63f30fe0e8428a514c70289dce82a946ec95c2
SHA256 ad67ea20d90e13d8faa09a21d688f74ab62b88374233052454835e8c267ede0f
SHA512 efed47aabc72a22ea4e222b86f771b4ca9e4232a41c05a0043ffdf6bf2ce9a8cc93a97f54e085003d735e678d1b8a6da431f97393a1651c9642a562ddf7d5eb4

C:\Windows\System\IFJMhcB.exe

MD5 3804321ebb73ac04e019c55fb1bfb3b4
SHA1 bda39ed644c796b73a95431633163355c5afa510
SHA256 48c55ccfbfeb8e95544c8765be3f9be6567a61e28ea230dd0d8d1fd0c08b1a28
SHA512 b804032e6f1ed015efa2f0a07ad4deb21fc0b58990c07a9cd1261fa81569986f2e4d7fb4c4006bdeeaa2e7f41c1a0941b2604e5bc520d8eb2a0f983a332ae68f

C:\Windows\System\fgrDkuW.exe

MD5 291b5bcc64fc1f2f7d672a1adae46af3
SHA1 f73a2698781ab7d11db57296d24a7eb93b70fba5
SHA256 e9a5c80b5c29e2218aee87ff3f6381d3646d9fe8986fab02bbc55734eea19ebc
SHA512 0cd5417a33d4ad1c3f1557215511372c0702b0a1655bd8601d072c366bf724634ca5a624d753453aa1d964516cd4109d4da0ecbda431579c0c8253e7211d65b8

C:\Windows\System\yosOpjR.exe

MD5 8cee106cea82a65ac683533f21dcc015
SHA1 170ff88d32f470f4a4e518af270bd6af30a7613e
SHA256 69f598dc3f293a870fa066effa12da735cc6eb0b539410ab097d577f9e5fbb5d
SHA512 d8c1dc7be8607aa6c166339e201d3b2a07c8618769af4bd7e78525cea36e0dc153a4af6f550de27aeea32e89e57ce611276b247c96e010ca61357a0109b96e24

C:\Windows\System\OpHyXUG.exe

MD5 7fd8349d442c6b165a31f1e464a298f9
SHA1 046ce3d96ae5ffab8370b33af07a6cbf4692f895
SHA256 fee1cdb0c9b8d6b5625deb44183edc8c4ef8a09af43a9289d1e5c55db6795173
SHA512 b3cd86e18e6e3b14e83ce9323df48ab3fa448bfd55be1f9805e18185703507cf9e17ba2dda383dfc1f822c282e4e252d830d0b49c36cee8ea54d7e04802a4ef8

C:\Windows\System\NmoLYog.exe

MD5 2a610f42730d9f675ae4013fc2a67f8e
SHA1 de8236a4cf0f371adb76b5f05f76a34526864066
SHA256 194fc4d944f9b90445de16658f6feaa0645c19e3f0976b3c2785e99739d139ec
SHA512 39d0325e50959e37fc9451b641a346742b2ca60b6e6639bbcaf6e547bc1c8bdcfd59cb0678e74da76f5bcd5be0a3c0495b8570981ae5ca8bcec5288963e720b6

C:\Windows\System\GjAtZjT.exe

MD5 556a0d562ef719b230bedd60c13e7431
SHA1 2621bb440cfe39be606f1751c93e931bc4f75157
SHA256 8aed283aa566fc278723eae9ff7910a0babaa4efdf45111f10fc77473049d495
SHA512 1fbccf04a1851c8c754dc623d1ebd61a3b4c8c9ff6fc53e9c3e6e30225919cf1b535fd408251d6be967d1ea7e06f5d466ae56de142649b63d2a236a4990514db

C:\Windows\System\oilxSba.exe

MD5 9a723c46b07a9a91766230be8f732601
SHA1 84de56b3d710fc71aa88b66a08a7d6f3f68c75ac
SHA256 1656340c744cc0ccad98a71d0237351fd106ceb500ef84bd3054dcdead305dda
SHA512 df3957e9e01e5c844e3b4660927fc4f4b852d4103b3c45bac336f7a627df27753fab9b50ee67d03d2ae06d2f9d405d39e2c6e1e21249e3973416d39ccf26e7fd

C:\Windows\System\DzhmvGS.exe

MD5 3655a5e275f97aafc6f7869310160a66
SHA1 331b2981975cd3c44a390580b0cf4e0194a5e7a7
SHA256 1c8c5e889ffa6a0ac4afef2ac85334b13b2a791b2a0433a10dd5ad1717c21481
SHA512 642a3efb5806f9473e08211c4ed14f6525bb60fda6749387211057edb906c9a810f08c8e89341745ebc2917aa0838a378913efbadc82859d9855a15af751a8ab

C:\Windows\System\iKgASBj.exe

MD5 731115c1ac9ceeec72224fc082ecbdbb
SHA1 413670dcfb95659938c0ef8ac7c37ec2d3e9f853
SHA256 802192d5607affc7068567271f785e1cf85ffdb1b152c6015a0fb6c7adfe7fcd
SHA512 df38a7bbcd22975a1600147665b29d6d064f5ea3e42ef1a9313564bbe3b4531d7a0bc7df8bdcc163e09dcce0cf01df312e09b9762d1187b5c3e612d4d23bb6ea

C:\Windows\System\ATkSCgM.exe

MD5 8e240ad5477af4539f37e330640d8c6e
SHA1 b0267ef8d7b6bb8c7e0422e4def6a8ea67dee678
SHA256 f190ee9538504f9701845c3dd70861f001bf09e2f2b5ff02337f23f1d3a37adf
SHA512 b5ab36a7ef769d6416bd09543526cf3e667a3f68115a986ef5bbc4ca0bc0cc5c9173e09c53ffbe386e78497627c584ad4d7191147c09dce9bae48c70f959c2d3

C:\Windows\System\cUENkXI.exe

MD5 7dc21c9228d0b3b9e55de8ac36eaf669
SHA1 9d7650b9eaff1b15df447c859d874bda3c8c31fd
SHA256 1ab9b35ac982a62a0466f83d700469e9fa7499f447fdece735cf34bf1b37ea50
SHA512 b9a8c5c7294ba043f61358c7199225d0f1ca1b722c1c6a86a5135b6b3f9981983242837d109bd5201998f752bbd58a0d641c83535e49fe9f7071e601eef74b99

C:\Windows\System\UKpGQrO.exe

MD5 b34253c9dd26f430646c2755377c81e0
SHA1 9fa496c66481d3e91a229f067f9038e9ea3a82e9
SHA256 77e653ab66830599fe307e3684b822b5536ba23c06882766739a514d436fd40b
SHA512 50e5abbdfbc0c85a7845a0510515ed27ae11649098d23640ed768c11109541591c637cc2000d812f66f9a7e0ebf3aafda98f5bca5d673a28538d676dc202f8d7

C:\Windows\System\AVbmrFo.exe

MD5 f3ff30bbb308d7cbfd604960c3bf8bc2
SHA1 3f172d4dca6c2098da1a9fae4054cea970bec8ed
SHA256 c012b7fa599d45828ec9eafb800fd03fdb803632c410990e57d4e6f1a2773e84
SHA512 14a149583fce96d2eb1dc766cdd5fdd04f00e5b8215c4b4d0dfef5907866717f57fc7a0f93083c2a09620bd73d95c12a6eb2b71755a6251aec6f2e579191f4fb

C:\Windows\System\BHNlZMl.exe

MD5 7e56d28eb8c378ed867f7f7a89b7b558
SHA1 b662dc34b0cb2f63aba8ba09da37d8a8584e4b88
SHA256 88cea066bd71a5beb37e9a7d4e3047e51401e5f56dd61475ebfe5bd2d68f60d4
SHA512 9e7854dad074581f4679c834ab7058d0e38d3a9e7c839426b699aab64c785cff20a07430d577a18ec740361be7db4e97bb25263c84d9916b5709bd722d2fd552
