Malware Analysis Report

2024-10-24 18:16

Sample ID 240606-qy11xafg67
Target 2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike
SHA256 01e3cf22bd114a497ceb52897d54fe8bccc7bf701e8ea108db17fad28f426a2a
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

01e3cf22bd114a497ceb52897d54fe8bccc7bf701e8ea108db17fad28f426a2a

Threat Level: Known bad

The file 2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike family

Cobaltstrike

Detects Reflective DLL injection artifacts

XMRig Miner payload

Xmrig family

xmrig

UPX packed file

UPX dump on OEP (original entry point)

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 13:40

Signatures

Cobalt Strike reflective loader

1 match; no description, indicator, process or target recorded.

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

1 match; no description, indicator, process or target recorded.

UPX dump on OEP (original entry point)

1 match; no description, indicator, process or target recorded.

XMRig Miner payload

miner

1 match; no description, indicator, process or target recorded.

Xmrig family

xmrig

UPX packed file

upx

1 match; no description, indicator, process or target recorded.

Unsigned PE

1 match; no description, indicator, process or target recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 13:40

Reported

2024-06-06 13:43

Platform

win7-20240508-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

21 matches; no description, indicator, process or target recorded.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

21 matches; no description, indicator, process or target recorded.

UPX dump on OEP (original entry point)

56 matches; no description, indicator, process or target recorded.

XMRig Miner payload

miner

57 matches; no description, indicator, process or target recorded.

Loads dropped DLL

21 events, all recorded against C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe as the process; no description, indicator or target recorded.

UPX packed file

upx

56 matches; no description, indicator, process or target recorded.

Drops file in Windows directory

All 21 files were created by C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe; no indicator or target recorded. Note the directory: C:\Windows\System (the legacy folder, not System32) holds almost nothing on a normal installation, so new 7-letter mixed-case executables appearing there are a cheap hunting signal on their own.

File created C:\Windows\System\ZULYpBh.exe
File created C:\Windows\System\stsNZCT.exe
File created C:\Windows\System\UtkCAsd.exe
File created C:\Windows\System\ssSRkvk.exe
File created C:\Windows\System\IsyTiWu.exe
File created C:\Windows\System\LKMLfnY.exe
File created C:\Windows\System\ilHtwQR.exe
File created C:\Windows\System\ifXJFoG.exe
File created C:\Windows\System\XuHHsVB.exe
File created C:\Windows\System\AwGQqYl.exe
File created C:\Windows\System\ZPkWfnd.exe
File created C:\Windows\System\sgSRCiP.exe
File created C:\Windows\System\TPuwYLG.exe
File created C:\Windows\System\nkHYLYA.exe
File created C:\Windows\System\AkxKWTX.exe
File created C:\Windows\System\XSKqKip.exe
File created C:\Windows\System\ysvBiTa.exe
File created C:\Windows\System\TJXHSeB.exe
File created C:\Windows\System\LPfparq.exe
File created C:\Windows\System\tyXFxAw.exe
File created C:\Windows\System\BmZvnBB.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege ("Lock pages in memory") is the privilege XMRig requests to enable large pages for its RandomX dataset on Windows; this hit fits the miner classification rather than the Cobalt Strike component. Ordinary user software almost never asks for it, so a token adjustment for this privilege is a useful detection on its own.

Suspicious use of WriteProcessMemory

Source process for every row: PID 1796, C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe (no indicator recorded). Each target below received exactly three writes, 63 rows in total:

PID 2236  C:\Windows\System\stsNZCT.exe
PID 2004  C:\Windows\System\LPfparq.exe
PID 1992  C:\Windows\System\UtkCAsd.exe
PID 2724  C:\Windows\System\XuHHsVB.exe
PID 2636  C:\Windows\System\AwGQqYl.exe
PID 2800  C:\Windows\System\ssSRkvk.exe
PID 2648  C:\Windows\System\IsyTiWu.exe
PID 2568  C:\Windows\System\ZPkWfnd.exe
PID 2576  C:\Windows\System\nkHYLYA.exe
PID 3036  C:\Windows\System\LKMLfnY.exe
PID 2108  C:\Windows\System\sgSRCiP.exe
PID 1652  C:\Windows\System\AkxKWTX.exe
PID 2900  C:\Windows\System\tyXFxAw.exe
PID 2476  C:\Windows\System\TPuwYLG.exe
PID 1924  C:\Windows\System\XSKqKip.exe
PID 1616  C:\Windows\System\ilHtwQR.exe
PID 1628  C:\Windows\System\ifXJFoG.exe
PID 1656  C:\Windows\System\ysvBiTa.exe
PID 2160  C:\Windows\System\TJXHSeB.exe
PID 2316  C:\Windows\System\BmZvnBB.exe
PID 2784  C:\Windows\System\ZULYpBh.exe

Caveat: a short burst of writes from a parent into a process it has just created is also what a plain CreateProcess produces while the new process is being set up, and every target here is a file the parent itself dropped and launched. These rows therefore do not by themselves show injection into a foreign process; the reflective-loader and injection-artifact signatures above are the stronger evidence.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe (PID 1796)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe"

Dropped executables run during the detonation, each with its own path as its command line (PIDs taken from the WriteProcessMemory rows):

C:\Windows\System\stsNZCT.exe (PID 2236)
C:\Windows\System\LPfparq.exe (PID 2004)
C:\Windows\System\UtkCAsd.exe (PID 1992)
C:\Windows\System\XuHHsVB.exe (PID 2724)
C:\Windows\System\AwGQqYl.exe (PID 2636)
C:\Windows\System\ssSRkvk.exe (PID 2800)
C:\Windows\System\IsyTiWu.exe (PID 2648)
C:\Windows\System\ZPkWfnd.exe (PID 2568)
C:\Windows\System\nkHYLYA.exe (PID 2576)
C:\Windows\System\LKMLfnY.exe (PID 3036)
C:\Windows\System\sgSRCiP.exe (PID 2108)
C:\Windows\System\AkxKWTX.exe (PID 1652)
C:\Windows\System\tyXFxAw.exe (PID 2900)
C:\Windows\System\TPuwYLG.exe (PID 2476)
C:\Windows\System\XSKqKip.exe (PID 1924)
C:\Windows\System\ilHtwQR.exe (PID 1616)
C:\Windows\System\ifXJFoG.exe (PID 1628)
C:\Windows\System\ysvBiTa.exe (PID 1656)
C:\Windows\System\TJXHSeB.exe (PID 2160)
C:\Windows\System\BmZvnBB.exe (PID 2316)
C:\Windows\System\ZULYpBh.exe (PID 2784)

Network

Six TCP connections were recorded, all to the same endpoint. No domain was resolved, so the sample connected to the address directly.

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 connections)
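The signature rows above are what a triage analyst actually works from: file drops, parent-to-child memory writes and outbound connections, printed as flat text. The following helper is an added example written for this page, not part of the sandbox's own output or tooling. It parses a constructed excerpt of the rows exactly as they are printed here (the full tables hold 21 drops, 63 writes and 6 connections), correlates the three tables, and flags the two things worth checking before calling it "injection": whether every process written to is one of the files the sample dropped itself, and whether the dropped names fit the 7-letter pattern seen in this report. The naming regex and the 4 GiB address split are this example's own heuristics, not something the report states.

```python
import re
from collections import Counter

# Path of the detonated sample, copied from the report above.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe")

# Constructed excerpt: a subset of the rows printed in the report's "Drops file in
# Windows directory", "Suspicious use of WriteProcessMemory" and "Network" tables
# (the full tables hold 21 drop rows, 63 write rows and 6 network rows).
ROWS = [
    rf"File created C:\Windows\System\stsNZCT.exe {PARENT} N/A",
    rf"File created C:\Windows\System\LPfparq.exe {PARENT} N/A",
    rf"File created C:\Windows\System\UtkCAsd.exe {PARENT} N/A",
    rf"PID 1796 wrote to memory of 2236 N/A {PARENT} C:\Windows\System\stsNZCT.exe",
    rf"PID 1796 wrote to memory of 2236 N/A {PARENT} C:\Windows\System\stsNZCT.exe",
    rf"PID 1796 wrote to memory of 2236 N/A {PARENT} C:\Windows\System\stsNZCT.exe",
    rf"PID 1796 wrote to memory of 2004 N/A {PARENT} C:\Windows\System\LPfparq.exe",
    rf"PID 1796 wrote to memory of 2004 N/A {PARENT} C:\Windows\System\LPfparq.exe",
    rf"PID 1796 wrote to memory of 2004 N/A {PARENT} C:\Windows\System\LPfparq.exe",
    rf"PID 1796 wrote to memory of 1992 N/A {PARENT} C:\Windows\System\UtkCAsd.exe",
    rf"PID 1796 wrote to memory of 1992 N/A {PARENT} C:\Windows\System\UtkCAsd.exe",
    rf"PID 1796 wrote to memory of 1992 N/A {PARENT} C:\Windows\System\UtkCAsd.exe",
    "DE 3.120.209.58:8080 tcp",
    "DE 3.120.209.58:8080 tcp",
]

# Row layouts as printed in the report: "Description Indicator Process Target".
DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) (?P<target>\S+)$")
WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
                      r"(?P<indicator>\S+) (?P<proc>\S+) (?P<target>\S+)$")
# "Country Destination Domain Proto"; the domain column may be empty.
NET_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")
# Hypothetical hunting pattern derived from this report: 7 letters, in C:\Windows\System.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_rows(rows):
    """Classify each report row; rows matching no known layout go under 'other'."""
    events = {"drop": [], "write": [], "net": [], "other": []}
    for row in rows:
        for kind, rx in (("drop", DROP_RE), ("write", WRITE_RE), ("net", NET_RE)):
            m = rx.match(row)
            if m:
                events[kind].append(m.groupdict())
                break
        else:
            events["other"].append(row)
    return events


def summarize(rows):
    """Correlate drops, memory writes and connections into one triage summary."""
    ev = parse_rows(rows)
    dropped = {e["path"] for e in ev["drop"]}
    children = {int(e["dst"]): e["target"] for e in ev["write"]}
    written_paths = set(children.values())
    return {
        "parent_pids": {int(e["src"]) for e in ev["write"]},
        "children": children,
        "writes_per_child": dict(Counter(int(e["dst"]) for e in ev["write"])),
        "dropped": dropped,
        # Dropped files that were then written to, i.e. dropped and executed.
        "executed_dropped": dropped & written_paths,
        # A non-empty set here would mean writes into a process the sample did
        # not create itself, which is the case that really deserves attention.
        "written_not_dropped": written_paths - dropped,
        "suspicious_names": {p for p in dropped if RANDOM_NAME_RE.match(p)},
        "endpoints": dict(Counter((e["ip"], int(e["port"]), e["proto"]) for e in ev["net"])),
        "unparsed": ev["other"],
    }


if __name__ == "__main__":
    s = summarize(ROWS)
    for pid, path in sorted(s["children"].items()):
        print(f"child {pid}: {path} ({s['writes_per_child'][pid]} writes)")
    print("written but not dropped:", s["written_not_dropped"] or "none")
    print("endpoints:", s["endpoints"])
```

Run it as a script to see the summary, or import `summarize` and feed it the full row set copied from a report. Because all write targets here are also drop targets, `written_not_dropped` comes back empty; that is the check that separates "launched its own droppers" from "injected into something else".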

Files

memory/1796-0-0x000000013F500000-0x000000013F854000-memory.dmp

memory/1796-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\stsNZCT.exe

MD5 3dc5b5db48b16012afa27e17a57d6a3e
SHA1 5f9cd444d94443c0db48feb51132b0d474a2a15c
SHA256 164c1cfdcffa03baca591a8986b7034a58a69f1d84374113c66f42737b5e9ade
SHA512 6474f7c83c03ea29cec78ea907b2f4f600a6005d7a464190a1ed94f0b5495abd1e2764530852f820fed57a0c372af90bb0819e1aaaf8cb92c454c9942b7b554a

memory/1796-6-0x00000000022A0000-0x00000000025F4000-memory.dmp

\Windows\system\LPfparq.exe

MD5 9816b8cc5cdd7a65eb8b89ef98826d11
SHA1 0363f60850bdd6c88799bbc45001e17010df0d87
SHA256 6b1a7539689e86b26290d47762c7298627d07b2c4ca78a73c36d4ce112cdc4c9
SHA512 43c28ce67b1bb29c38c39f80d6404a2e6f7268de5f39b08bb000925a699685a5acc0d65829687305b9421a98646acb7228ba1af2d96d97dd78df2b94b1a8c370

memory/2236-13-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2004-16-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/1796-15-0x000000013FB50000-0x000000013FEA4000-memory.dmp

C:\Windows\system\UtkCAsd.exe

MD5 cc2cbefd688894b23cb3e6f34c25f21c
SHA1 5466d1e91136b9e96c50f8a2d208b4fdea1413ab
SHA256 2ea746daf90c97b0e3a04a78cace32e07044dc6f30a6cdc124df8f2b11e91cb8
SHA512 7a4044e26634f4e414f9f7d574ecb88e5279b38ab3252839452417f8a03051454c63887d5ce0eee3e635334d03b9a882994abc02af7386dea72de340539c1725

memory/1992-22-0x000000013F3D0000-0x000000013F724000-memory.dmp

C:\Windows\system\XuHHsVB.exe

MD5 84a0325dfa6ae96fc46b698c5b5a3aa1
SHA1 e0c801d8134857676741f1c6405a9b2352ba542d
SHA256 ceabf20c4b4eebaee9e0c40c446f71f056cb1c0bce378c802547927f0368e5ce
SHA512 f97721d02e019b1514e559c7cb6af90bf0118700e82b7a07a112a343262930b04c5b76bc3c7a085bc077642059fad5c9370e9fb3af4ea55548fa1a5e180dcbb4

memory/1796-28-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2724-29-0x000000013F830000-0x000000013FB84000-memory.dmp

\Windows\system\AwGQqYl.exe

MD5 d1954a63b3d9a6a0d6dcaa196e40f316
SHA1 4ca0fd5dbbc36652d6ef9711848231e8fd62ee8d
SHA256 9e141e5c445e2bfc5ac643e0a0910ed0f8f34213030e40c7f46d897a8e7d88eb
SHA512 ef28da11f7ac02af7ab503228482f56a4f09dfb8498c4b61f31fc8def2df177a3b9183559c16dbbeb6fec2d56b2b535f63a642d72d914c76bc1b38a67a3545d3

memory/2636-36-0x000000013F600000-0x000000013F954000-memory.dmp

memory/1796-33-0x00000000022A0000-0x00000000025F4000-memory.dmp

\Windows\system\ssSRkvk.exe

MD5 89f9c382cda4d76059ec7f8d21a27986
SHA1 e9b619f78f3707bb1ac5419f5b7d2adfe530a130
SHA256 b56ff2fbb12cd66765c9228eecc8eebfb51056ce7eb45c1a9942c15f8c95eb0b
SHA512 e165b0455d73cd9baa5942846f9c02c81ff49d6a002b309db7bb2eee0e9602a755cd99a788ad8207dd7aca9f8f4fddb9e81d417b40682c00d70c802ed7cf32ce

memory/1796-41-0x00000000022A0000-0x00000000025F4000-memory.dmp

\Windows\system\IsyTiWu.exe

MD5 870cbd2ca13366137bd6dca72095742c
SHA1 acfeae3a7dea3a627db0c39a42dcc9bbe3c6f1a7
SHA256 cf9da6e877c578b22f776ed5a2a9eecbd4abf0b6235b3eed48219f9c3f062857
SHA512 a68962809626f53274d8fea2b8a084d7772981968e063e65642e3e6b1851bbbafe7cb4e2277924639e913d4bbcd29ae19b3c18e112057659f85fc09cc66886e2

memory/2648-49-0x000000013F580000-0x000000013F8D4000-memory.dmp

memory/1796-48-0x00000000022A0000-0x00000000025F4000-memory.dmp

\Windows\system\ZPkWfnd.exe

MD5 5a436a91f1640ab06c82a90481a4297d
SHA1 cf0f06c8a89accb1918ad4d9968af5d7eada02be
SHA256 bbd0142fbe6a3b6b41b312f4cc4b1b185e42dedf0f38a17f6901279e13b44dc3
SHA512 0a06ca12e0b270964104cc12d88e96a7f2e30357d3dec7bebf4b0f8f3dea12edbb4487b72f5f2d969a0e57d12245eab4a4b6823df73a7fa3106c0425e5c304ea

memory/1796-54-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2568-56-0x000000013F410000-0x000000013F764000-memory.dmp

\Windows\system\nkHYLYA.exe

MD5 6fe5b3464666935105209ce57d57fcac
SHA1 ecc78cfb715eb25a119e2c078a414dba781fac94
SHA256 61445a7d5d7094637ddd1cead767c6eff636edbca9ad1ebf93e240e32605d7b6
SHA512 2f72033d04bc2d382ae1e0eba6d097eb9a18f4a2ebf3f4b343730211dd19a65c2ca479f28d579f72f86305ec7ad3e7d135af142c73b3f4afd3da3a905aaa1ae3

memory/2576-63-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/1796-62-0x000000013F500000-0x000000013F854000-memory.dmp

\Windows\system\LKMLfnY.exe

MD5 a914e26892b025486abb31a18b2f8aec
SHA1 d05f9f674bf16897f7d28f688ff96733a79d1e78
SHA256 ed60aad90a9094535f7ef259eec1f18d5264074f9294de5c6f4b15ecba448459
SHA512 7a0383a2f76cb67e6fc89dbaa6265d9c7c5bce809cab96447d8155252c5263a3c27249b88c6dda9502bd82b399f8bb05a9f690a2d2fbbe8092c1f413ac389aa2

C:\Windows\system\AkxKWTX.exe

MD5 1aca1d85a423ead488b749ce232225ff
SHA1 f0cea1ebfd051f488d3dde756e3ad33e7f6983e1
SHA256 a4f41c4cb6102e0cc1a7828025b85909b026d06f757c03fa6dabe6f77f9bf702
SHA512 6c3a774c750154c2913d3189ed743f06305b9df5a1534885d02b9d13648a3c7448e06b3b764a0862d7d34a8c1f12009a5141ec7a7027728a494efad47b98c4f7

memory/1796-77-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2236-79-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/1652-80-0x000000013F650000-0x000000013F9A4000-memory.dmp

C:\Windows\system\sgSRCiP.exe

MD5 cb58d94d9dfeae4c319f8e4f9d3d1d35
SHA1 7133a952f15c46286d28c0dd3343fc1a11e119f6
SHA256 74a9a0a45343dc8bd15059d7c6ec3a60c1db0a30430a5e3d5a765dc7b37e1c4c
SHA512 7bf70b21d392ced63b9fecd45b6bbc1def173ca87e3577af2f1b10a4d949a1d40937c5ee53502db4c88431748ed339bb61ad349aaa6261e178cb85f161592fc5

memory/1992-82-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2108-84-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/3036-78-0x000000013F510000-0x000000013F864000-memory.dmp

\Windows\system\tyXFxAw.exe

MD5 ea73d2f9647662be744a917da561e750
SHA1 03abb6161db56d98fe377461d23f6408b3e8be5d
SHA256 6716ff65e9446f8bfb4c34774cf911b984de9c191c02fe09f8430e14559a5d72
SHA512 b2daa9f07a95c146f7073d72bdc47a793c091a30100bfdc37a319285d394b48b4e585e6eafa8971a465ea61543acd66801b7a7452d78872ff905346c69b2874f

memory/2900-91-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/1796-90-0x00000000022A0000-0x00000000025F4000-memory.dmp

C:\Windows\system\TPuwYLG.exe

MD5 f7d858dc8fe898246ae4a22ccabbae98
SHA1 e27e3e0c5b80a61076ce56e08ab8ca882b100e41
SHA256 a468810f06f8c4b4e98247a7db49ed183ed5092490d5676bac827f6f9c00ca27
SHA512 ce0ffffa991d46dc618bbe2ebee77e4b9ac36d9217d7c3fb2fdbb38cac822b0c3d94ef62964ee8078050fd9201a2a80a22f1b53a0985ea2d0686d8566246680d

memory/2476-98-0x000000013F610000-0x000000013F964000-memory.dmp

memory/1796-97-0x00000000022A0000-0x00000000025F4000-memory.dmp

\Windows\system\XSKqKip.exe

\Windows\system\ilHtwQR.exe

C:\Windows\system\ifXJFoG.exe

C:\Windows\system\ysvBiTa.exe

\Windows\system\TJXHSeB.exe

\Windows\system\BmZvnBB.exe

C:\Windows\system\ZULYpBh.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 13:40

Reported

2024-06-06 13:43

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\vwaBqsg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xutRNxm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fseTprB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sKtACtG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lOTvxMy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gxYpcSf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YfDDMFg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vJwFGdw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sWVScqy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PsyppdK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sHoQRGi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zgdAbJm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QeGZkxG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vdUssdL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SVvDaMD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pVyvryu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vVAberV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WqvoNwZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rJvxEAU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ErXTJxS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DlThRDh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4460 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vdUssdL.exe
PID 4460 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\gxYpcSf.exe
PID 4460 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\DlThRDh.exe
PID 4460 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\xutRNxm.exe
PID 4460 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\YfDDMFg.exe
PID 4460 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vJwFGdw.exe
PID 4460 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\SVvDaMD.exe
PID 4460 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWVScqy.exe
PID 4460 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\pVyvryu.exe
PID 4460 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\fseTprB.exe
PID 4460 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\PsyppdK.exe
PID 4460 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\sKtACtG.exe
PID 4460 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\sHoQRGi.exe
PID 4460 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vVAberV.exe
PID 4460 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\WqvoNwZ.exe
PID 4460 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\rJvxEAU.exe
PID 4460 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zgdAbJm.exe
PID 4460 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vwaBqsg.exe
PID 4460 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ErXTJxS.exe
PID 4460 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\QeGZkxG.exe
PID 4460 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe C:\Windows\System\lOTvxMy.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\vdUssdL.exe

C:\Windows\System\vdUssdL.exe

C:\Windows\System\gxYpcSf.exe

C:\Windows\System\gxYpcSf.exe

C:\Windows\System\DlThRDh.exe

C:\Windows\System\DlThRDh.exe

C:\Windows\System\xutRNxm.exe

C:\Windows\System\xutRNxm.exe

C:\Windows\System\YfDDMFg.exe

C:\Windows\System\YfDDMFg.exe

C:\Windows\System\vJwFGdw.exe

C:\Windows\System\vJwFGdw.exe

C:\Windows\System\SVvDaMD.exe

C:\Windows\System\SVvDaMD.exe

C:\Windows\System\sWVScqy.exe

C:\Windows\System\sWVScqy.exe

C:\Windows\System\pVyvryu.exe

C:\Windows\System\pVyvryu.exe

C:\Windows\System\fseTprB.exe

C:\Windows\System\fseTprB.exe

C:\Windows\System\PsyppdK.exe

C:\Windows\System\PsyppdK.exe

C:\Windows\System\sKtACtG.exe

C:\Windows\System\sKtACtG.exe

C:\Windows\System\sHoQRGi.exe

C:\Windows\System\sHoQRGi.exe

C:\Windows\System\vVAberV.exe

C:\Windows\System\vVAberV.exe

C:\Windows\System\WqvoNwZ.exe

C:\Windows\System\WqvoNwZ.exe

C:\Windows\System\rJvxEAU.exe

C:\Windows\System\rJvxEAU.exe

C:\Windows\System\zgdAbJm.exe

C:\Windows\System\zgdAbJm.exe

C:\Windows\System\vwaBqsg.exe

C:\Windows\System\vwaBqsg.exe

C:\Windows\System\ErXTJxS.exe

C:\Windows\System\ErXTJxS.exe

C:\Windows\System\QeGZkxG.exe

C:\Windows\System\QeGZkxG.exe

C:\Windows\System\lOTvxMy.exe

C:\Windows\System\lOTvxMy.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp

Files

C:\Windows\System\vdUssdL.exe

C:\Windows\System\DlThRDh.exe

C:\Windows\System\gxYpcSf.exe

C:\Windows\System\xutRNxm.exe

C:\Windows\System\YfDDMFg.exe

C:\Windows\System\vJwFGdw.exe

C:\Windows\System\SVvDaMD.exe

C:\Windows\System\sWVScqy.exe

C:\Windows\System\fseTprB.exe

C:\Windows\System\vVAberV.exe

C:\Windows\System\rJvxEAU.exe

C:\Windows\System\WqvoNwZ.exe

C:\Windows\System\zgdAbJm.exe

C:\Windows\System\ErXTJxS.exe

C:\Windows\System\lOTvxMy.exe

C:\Windows\System\QeGZkxG.exe

C:\Windows\System\vwaBqsg.exe

C:\Windows\System\sHoQRGi.exe

C:\Windows\System\sKtACtG.exe

C:\Windows\System\PsyppdK.exe

C:\Windows\System\pVyvryu.exe
