Malware Analysis Report

2024-10-24 18:15

Sample ID 240606-rwpersfd8z
Target 2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike
SHA256 3aad0af3bf85b006f9b859e3ccdfb7ff233b3fbfd95fb1227d8eeb46cb57df99
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3aad0af3bf85b006f9b859e3ccdfb7ff233b3fbfd95fb1227d8eeb46cb57df99

Threat Level: Known bad

The file 2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family

Xmrig family

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

Cobaltstrike

UPX dump on OEP (original entry point)

xmrig

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 14:32

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 14:32

Reported

2024-06-06 14:35

Platform

win7-20240220-en

Max time kernel

136s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows, all fields N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows, all fields N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (60 identical rows, all fields N/A)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (62 identical rows, all fields N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (60 identical rows, all fields N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\THsfzmp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ULnIwZq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eWlKuUw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tCuEaLa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\euEXSVI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\riZTMEp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bjywSbF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZQSWJWM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gqlyPNC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KwhzLOi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fQQJFtm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YcwrfBK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lHeMGvb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qETdfOk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LnnKxkw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GohwhZx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qcbliwa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tHTeaqT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rMAFwHQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WBoUYvR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AQxHoYR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\AQxHoYR.exe
PID 2192 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\AQxHoYR.exe
PID 2192 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\AQxHoYR.exe
PID 2192 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\rMAFwHQ.exe
PID 2192 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\rMAFwHQ.exe
PID 2192 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\rMAFwHQ.exe
PID 2192 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\fQQJFtm.exe
PID 2192 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\fQQJFtm.exe
PID 2192 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\fQQJFtm.exe
PID 2192 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\riZTMEp.exe
PID 2192 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\riZTMEp.exe
PID 2192 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\riZTMEp.exe
PID 2192 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\tHTeaqT.exe
PID 2192 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\tHTeaqT.exe
PID 2192 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\tHTeaqT.exe
PID 2192 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\WBoUYvR.exe
PID 2192 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\WBoUYvR.exe
PID 2192 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\WBoUYvR.exe
PID 2192 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\YcwrfBK.exe
PID 2192 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\YcwrfBK.exe
PID 2192 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\YcwrfBK.exe
PID 2192 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\euEXSVI.exe
PID 2192 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\euEXSVI.exe
PID 2192 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\euEXSVI.exe
PID 2192 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\lHeMGvb.exe
PID 2192 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\lHeMGvb.exe
PID 2192 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\lHeMGvb.exe
PID 2192 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\bjywSbF.exe
PID 2192 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\bjywSbF.exe
PID 2192 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\bjywSbF.exe
PID 2192 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qETdfOk.exe
PID 2192 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qETdfOk.exe
PID 2192 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qETdfOk.exe
PID 2192 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZQSWJWM.exe
PID 2192 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZQSWJWM.exe
PID 2192 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZQSWJWM.exe
PID 2192 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\LnnKxkw.exe
PID 2192 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\LnnKxkw.exe
PID 2192 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\LnnKxkw.exe
PID 2192 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\THsfzmp.exe
PID 2192 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\THsfzmp.exe
PID 2192 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\THsfzmp.exe
PID 2192 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ULnIwZq.exe
PID 2192 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ULnIwZq.exe
PID 2192 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ULnIwZq.exe
PID 2192 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\eWlKuUw.exe
PID 2192 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\eWlKuUw.exe
PID 2192 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\eWlKuUw.exe
PID 2192 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\tCuEaLa.exe
PID 2192 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\tCuEaLa.exe
PID 2192 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\tCuEaLa.exe
PID 2192 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\GohwhZx.exe
PID 2192 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\GohwhZx.exe
PID 2192 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\GohwhZx.exe
PID 2192 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\gqlyPNC.exe
PID 2192 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\gqlyPNC.exe
PID 2192 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\gqlyPNC.exe
PID 2192 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qcbliwa.exe
PID 2192 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qcbliwa.exe
PID 2192 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qcbliwa.exe
PID 2192 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\KwhzLOi.exe
PID 2192 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\KwhzLOi.exe
PID 2192 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\KwhzLOi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\AQxHoYR.exe

C:\Windows\System\AQxHoYR.exe

C:\Windows\System\rMAFwHQ.exe

C:\Windows\System\rMAFwHQ.exe

C:\Windows\System\fQQJFtm.exe

C:\Windows\System\fQQJFtm.exe

C:\Windows\System\riZTMEp.exe

C:\Windows\System\riZTMEp.exe

C:\Windows\System\tHTeaqT.exe

C:\Windows\System\tHTeaqT.exe

C:\Windows\System\WBoUYvR.exe

C:\Windows\System\WBoUYvR.exe

C:\Windows\System\YcwrfBK.exe

C:\Windows\System\YcwrfBK.exe

C:\Windows\System\euEXSVI.exe

C:\Windows\System\euEXSVI.exe

C:\Windows\System\lHeMGvb.exe

C:\Windows\System\lHeMGvb.exe

C:\Windows\System\bjywSbF.exe

C:\Windows\System\bjywSbF.exe

C:\Windows\System\qETdfOk.exe

C:\Windows\System\qETdfOk.exe

C:\Windows\System\ZQSWJWM.exe

C:\Windows\System\ZQSWJWM.exe

C:\Windows\System\LnnKxkw.exe

C:\Windows\System\LnnKxkw.exe

C:\Windows\System\THsfzmp.exe

C:\Windows\System\THsfzmp.exe

C:\Windows\System\ULnIwZq.exe

C:\Windows\System\ULnIwZq.exe

C:\Windows\System\eWlKuUw.exe

C:\Windows\System\eWlKuUw.exe

C:\Windows\System\tCuEaLa.exe

C:\Windows\System\tCuEaLa.exe

C:\Windows\System\GohwhZx.exe

C:\Windows\System\GohwhZx.exe

C:\Windows\System\gqlyPNC.exe

C:\Windows\System\gqlyPNC.exe

C:\Windows\System\qcbliwa.exe

C:\Windows\System\qcbliwa.exe

C:\Windows\System\KwhzLOi.exe

C:\Windows\System\KwhzLOi.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2192-0-0x00000000002F0000-0x0000000000300000-memory.dmp

memory/2192-1-0x000000013F150000-0x000000013F4A4000-memory.dmp

\Windows\system\AQxHoYR.exe

MD5 6e866f380fa41dc76616efafff8e235a
SHA1 3090f34486bc41de8dc7cd457f522a6a915d8f70
SHA256 1a04c59793c81e611d41909a8079cd018ed7a320f46e8ba28cb3aa9b3daef2db
SHA512 ab0e053eb00742fc9f5ede60fb840b8116256e334436deed5d0e920558043c94c00b3eb64758083035914511d229748a609478ad34b8181083af7d00ab4d0333

memory/1788-8-0x000000013FC50000-0x000000013FFA4000-memory.dmp

\Windows\system\rMAFwHQ.exe

MD5 0991882a009703c19fbd00959f5fdd2a
SHA1 a2f7b01f9c6bc629051241635c92378c60e5fdeb
SHA256 4599a819dd1a64e05780135151954760f0cd7da72ceff494cdaa23626dd1ace0
SHA512 29663f7e5e300c2488ab17a96cc3242ecb1ba824263694f387fc96c2789560f867cb215b72a8ffd177e14284db0861c4965eab0f849df0d19993ae8d496f2cb2

\Windows\system\fQQJFtm.exe

MD5 c5a2cb7a1c3f5988ad32fcb84b0e940a
SHA1 78bc9244c2ea8f621b129551d838e215f0be3c1f
SHA256 5866f9028ea038c55bcbd41355f8623082aa00df275166175a1bf4d70ec30566
SHA512 dddf68a081b145016e78e9421fcb83eb2c8c7c9d7f0992dd4d27c3faf0beab9ee95278984e0b7f822dc2bbf8ccc57927e540a5e21ff3624e72335f17c0f99672

memory/2984-18-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2192-12-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2476-20-0x000000013FB50000-0x000000013FEA4000-memory.dmp

C:\Windows\system\riZTMEp.exe

MD5 53c98b2869214f870dc48cd2d8fe5f76
SHA1 6d16cccbee3d841d3f68f4d26d118c53d3ceed09
SHA256 b0686a3b685aeb6208f14657d9d20d8be6242362ebdb5b892a2b15171b339cb8
SHA512 ca1bfbec3eb10ddd9b1f90c45c1a7df66fbf5c78b2cf8794efe62af5aaead66a375bde49faf96738b8f9f4713c831eb752a6b2bac2b1e6ec91d167f2ff6fa6b0

memory/2600-28-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2192-25-0x000000013F5B0000-0x000000013F904000-memory.dmp

\Windows\system\WBoUYvR.exe

MD5 02511534d1f0c68052e07b24e7e0d538
SHA1 f7b0bef0ad0fe35592fcd94cb119d4dff4bcaeb9
SHA256 eb8283cfc743899b0baf8b9ee5fe9dc490426f09e1a3d2ae01f1de6ee48c967d
SHA512 4565e6db2374e3ae7718ede79da3042940c683c00652260b3afc5692163ef77fbd9db663e86f946007f8afedd87d45b67e15154519d2056d9923ebace3d53776

C:\Windows\system\tHTeaqT.exe

MD5 ce07c93c75dff7a92ec1296bfb3fdabd
SHA1 7d79d978a1e1a2fcfee7922f7ca93abfb5259c01
SHA256 b6c2323f9926d0e8d92594de77797dda75d7229f98b944662940412cf44e7432
SHA512 910fca4eb18c46cd8ba02b44499684f56d887c84601f3bee5e23f479ad588491f9703083a50a0f935dfed6fc030d6775ecb97d775453290f86c1e48f2c5bd005

memory/2192-39-0x000000013F150000-0x000000013F4A4000-memory.dmp

memory/2192-37-0x000000013FFD0000-0x0000000140324000-memory.dmp

memory/2660-40-0x000000013FFD0000-0x0000000140324000-memory.dmp

memory/2512-35-0x000000013F0B0000-0x000000013F404000-memory.dmp

\Windows\system\YcwrfBK.exe

MD5 02e80e2e087b178ca9bf391459eef256
SHA1 de1e3b71e8cb5a70d7cde96f1de3c2e8fb5f81e5
SHA256 76258342d3c22a839e22e77c5d593876da62d055dd41a0b4a08e056b394777b5
SHA512 9e257cea5412fab8d385974a20cdbca0e4fd46310c8f54a4713524ed3f2036830012a869a07908a5af89ed2d00038e2bd8220cc5e46f323fc3c15a3ce1946ca9

C:\Windows\system\euEXSVI.exe

MD5 3ed58b0a0865f64926b19ad4363dafcc
SHA1 e196d688500431bdd5b9f1db24682529da3593b2
SHA256 312f81ab7612d84fe05158d73807ce6e09a496fa1ffce4a54145ffe4babaecab
SHA512 dbef5632b4960a0417c7d545415572cbd402d2ce708b088a0f526d6a479d67da3d157e719a1a2e7e48b09db0b2ca682676c25ca6116d12bd7896b0a0f086b4e7

memory/2448-47-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2404-56-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2192-46-0x0000000002460000-0x00000000027B4000-memory.dmp

memory/2192-54-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2864-70-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2192-69-0x000000013FEA0000-0x00000001401F4000-memory.dmp

C:\Windows\system\ZQSWJWM.exe

MD5 b525b5a6463fd1688eb4aef1a6581ba6
SHA1 ab4f3b8b2cbdf486a31e0bdbf9337cf0e9136658
SHA256 f3b4241db761fb0e04e1ca09d1c73b919c02ffcfeb6ded98173779abbc0b46ef
SHA512 37dfd45d327bc34cc76611df04574b1cdb01a4bdd840aa19683a5ec8ebaa29e3472fba2c24bfa6d8993371f102ddaf378b82b5d3d3cfac6f144d8db9ae6fc26e

memory/2640-86-0x000000013FED0000-0x0000000140224000-memory.dmp

C:\Windows\system\THsfzmp.exe

MD5 632af46332d3a819c99267ce065ef96e
SHA1 06e8cb68c24043f801dfdda21814709d8a1ed1a8
SHA256 5bf77b946069bedaca18fd4055310ba733607af0c8bfa0cd5d40ea8bc1b081f2
SHA512 aee7b4f421a7a5b9e72ed4511ca033f366343390d82afb18b1f54b8d8cb90eef716a0dbd999ea840689cf2937e3426cba7e9572afca4de2402a4600333634b59

C:\Windows\system\qcbliwa.exe

MD5 e3860b7f5f3f291b57c51dbf1f6ac746
SHA1 5de754ee16ad12f40b463b810c57881e4f449ff8
SHA256 155d9c8abb5b00c1dc89ae360f01b1d1d2ddee9ede71f46c532511f8f85eec4d
SHA512 9d88302643034a82ee5f115732f06d7e3ce05b154b402d6157ed42eca50cc6f99d2073faaeb9adfc6c085f3b8ccdd217e92effdcf34fb95ee940817db6cc008e

\Windows\system\KwhzLOi.exe

MD5 b00dd81c5b8dbcbda1ec3c34b6c1380b
SHA1 1fc54012c433a1a66d7df76c220c1f825f5428af
SHA256 8b530a6adb03610bc3ba10d469c72d4f6a00bf67d6c027d7fb55561f578e5694
SHA512 5e35491dfba712dcf50b5af4182a3aa3e136a162270dc7fa536911457dde49ba33fe1fc722afea9c4f52ba73b7d916ab5be7cd2c4d017a812ba39f4a5517a807

C:\Windows\system\gqlyPNC.exe

MD5 4c6dc55ac1a1afb29b8afda37e174388
SHA1 1481d9c830d9784850c8e4f1be760221482c3985
SHA256 9182a335b50d042524e4533a72f56bdb51e0feb5a92cb1d79413fdc3f2ba5f98
SHA512 0640e6fbea85d79723bc0b113dcd209245ff147b6f05ed372490768cf7df37561862cccd40f2102ac589cf9e6aeab4ba38206f1e8b7d53c548bd68139b5c2fcf

C:\Windows\system\GohwhZx.exe

MD5 8201f60366b58ca5e3c27de050db4107
SHA1 fb4537af0c04c496ac85ec335686115fe54efd90
SHA256 553262e2f1c913571b3189da05122c87349e6f12d059a79e4fab873345a264e8
SHA512 80e7af1ba118a71d684c83ac7121f0f0645a6ce030274970605a7209cdac1a316285758ef3de10c0e5842bea17df2bf8fbfddf4d4945bd494444b11fb9220843

C:\Windows\system\tCuEaLa.exe

MD5 575bc57cf00b28e5fc86ef00a96b54a9
SHA1 9d7f87a40da32a42040df9e881afc468a581e9d2
SHA256 49ceb941cd965f9ac8a5e463bd198702bc9a6b8a18fecd104f2b8d0376e4e9ff
SHA512 95caf032c30c027ca6cde123947bebe0ba00b48ac07c0cc5e73705f0ceac2f8d09a8250a1199b4782bebbf52a26d498b497ceb7c3362926dd3f5a9bdbc728115

C:\Windows\system\eWlKuUw.exe

MD5 84695b42b75ace417fa6b5fcddc8eca9
SHA1 72ddaf9d9d590b3343c7b3a69adfbf17a0977c37
SHA256 037fb13da6460e3cddf732c5c62fc30efc126511199b9035426575c71df36d5c
SHA512 41a1f0e50422fb5fbf1ec17e0e00667c754b4937e57c388e84a855f22bd9f0c13976bafdcc0382ae5e90d4d1125839f4df232daeec65e9013e48a1bdfe5c5146

memory/2192-104-0x0000000002460000-0x00000000027B4000-memory.dmp

C:\Windows\system\ULnIwZq.exe

MD5 36f695a3f4d33d9b5b7a2510393c6c65
SHA1 f13e01e88926f3f63ce3964a22d254628eaa4e26
SHA256 010c6762a347d80e1d6af530578be22a8f3985f38ccbd1ab0b1e2609c81bc68e
SHA512 7cdad55b95fa57b8c08ecd539c681dde1c4994cf21d4381537fd2382524fa67ab92b1ecdfd77aa43e1c4773735c450483253396a415ed93e8a9763a141e496f6

memory/2844-99-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/2820-93-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2192-92-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2600-91-0x000000013F5B0000-0x000000013F904000-memory.dmp

C:\Windows\system\LnnKxkw.exe

MD5 f300f4ec2c3c3149846e79a45b9aa607
SHA1 77796be619439d28e40bb9ed54e5098296e8c743
SHA256 0fb3034731e7c7a9fed7ef0ad0f344c847e0c783276b982a0d28018ec8bae975
SHA512 a9aa2c8473b98d44aa86f312df889f9c01495984cd758d37283805ed9d6b49578fd89e11f510eb791aa8bfa4cfe60d1700ced4be0a3d8141b80018cd7938f1d1

memory/2192-85-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2476-84-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2044-77-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2192-76-0x0000000002460000-0x00000000027B4000-memory.dmp

memory/2984-75-0x000000013FC50000-0x000000013FFA4000-memory.dmp

C:\Windows\system\qETdfOk.exe

MD5 868b2e8b4453c3bed6d30d9bc91b7a2b
SHA1 3101e7ef6e640a7c44fc9953715e72bfbb27bbd6
SHA256 600892c2ee1c53976b53096b1d0521065a3d04b07746b9396aca0a5f5eac676a
SHA512 d10a4093e1e62b6eb643c33bbee655ee370798dc9e605d9edf59916290851736dc4701448ba5af8866f0b7796505bda48020738c51efd85ad8ec75308a6256e6

memory/2660-136-0x000000013FFD0000-0x0000000140324000-memory.dmp

C:\Windows\system\bjywSbF.exe

MD5 42227e40c23b12fefe00607a5c21861f
SHA1 7f1e35b0aac5fbc2628bf4ce125c8d9ec13ac64d
SHA256 b117345dd357ad728950579464e913754c8a61f361c4fbc032b419a257285f55
SHA512 04e520ca40342f9a152069c9bea110b575a043aad1625b13c0d12ceded82657d98a9e8e17eaa22aab213a396b4b82eb815f8986898b3e9206a791ed08eb0e7ab

memory/2856-62-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/2192-61-0x000000013FF30000-0x0000000140284000-memory.dmp

C:\Windows\system\lHeMGvb.exe

MD5 fd758c80ca265ba8f9d2fd0144aa6b0f
SHA1 895b1e1e9a93e3e913171721b2c9ff891adf7c9a
SHA256 f604756d2e40cfd0b3d712355b43993c1f422b78c9047adbb2016a2d6c618b07
SHA512 b5a10f8bcf8826388f91c22a268a76d2d8d49384056278789e61ec9c8ca95b7ca0c56c4bfefe089f64fa3d4546def5f9686c7317405a0d23cbf48653d14bc69f

memory/2448-137-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2192-138-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/2856-139-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/2192-140-0x0000000002460000-0x00000000027B4000-memory.dmp

memory/2044-141-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2192-142-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2192-143-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2820-144-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2844-145-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/1788-146-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2984-147-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2476-148-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2600-149-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2512-150-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2660-151-0x000000013FFD0000-0x0000000140324000-memory.dmp

memory/2404-152-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2448-153-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2856-154-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/2864-155-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2044-156-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2640-157-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2820-158-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2844-159-0x000000013F250000-0x000000013F5A4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 14:32

Reported

2024-06-06 14:35

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\TsYFzga.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JDAvwoF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OIroWEp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aFtbXjT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FJpbPfe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RvDWRqi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VppWLZz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nsecmVd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MQzCSBf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RqOFpEC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nuROKDz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xNJPeAf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DBRmGrK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RiDdZoi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nSPNcgi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RYlKGgT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DkMvpyD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DvuFyiF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JiQRnYN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YTSIudd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wUxKFRM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4772 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\DBRmGrK.exe
PID 4772 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\DBRmGrK.exe
PID 4772 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\DvuFyiF.exe
PID 4772 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\DvuFyiF.exe
PID 4772 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\OIroWEp.exe
PID 4772 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\OIroWEp.exe
PID 4772 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\RiDdZoi.exe
PID 4772 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\RiDdZoi.exe
PID 4772 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\JiQRnYN.exe
PID 4772 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\JiQRnYN.exe
PID 4772 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\YTSIudd.exe
PID 4772 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\YTSIudd.exe
PID 4772 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\aFtbXjT.exe
PID 4772 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\aFtbXjT.exe
PID 4772 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\FJpbPfe.exe
PID 4772 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\FJpbPfe.exe
PID 4772 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\nsecmVd.exe
PID 4772 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\nsecmVd.exe
PID 4772 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\nSPNcgi.exe
PID 4772 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\nSPNcgi.exe
PID 4772 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\MQzCSBf.exe
PID 4772 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\MQzCSBf.exe
PID 4772 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\RqOFpEC.exe
PID 4772 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\RqOFpEC.exe
PID 4772 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\RvDWRqi.exe
PID 4772 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\RvDWRqi.exe
PID 4772 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\wUxKFRM.exe
PID 4772 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\wUxKFRM.exe
PID 4772 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\TsYFzga.exe
PID 4772 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\TsYFzga.exe
PID 4772 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\nuROKDz.exe
PID 4772 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\nuROKDz.exe
PID 4772 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\JDAvwoF.exe
PID 4772 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\JDAvwoF.exe
PID 4772 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\DkMvpyD.exe
PID 4772 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\DkMvpyD.exe
PID 4772 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\RYlKGgT.exe
PID 4772 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\RYlKGgT.exe
PID 4772 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\xNJPeAf.exe
PID 4772 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\xNJPeAf.exe
PID 4772 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\VppWLZz.exe
PID 4772 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe C:\Windows\System\VppWLZz.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ee1c10495cb52bf410da9d5444d96a_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\DBRmGrK.exe

C:\Windows\System\DBRmGrK.exe

C:\Windows\System\DvuFyiF.exe

C:\Windows\System\DvuFyiF.exe

C:\Windows\System\OIroWEp.exe

C:\Windows\System\OIroWEp.exe

C:\Windows\System\RiDdZoi.exe

C:\Windows\System\RiDdZoi.exe

C:\Windows\System\JiQRnYN.exe

C:\Windows\System\JiQRnYN.exe

C:\Windows\System\YTSIudd.exe

C:\Windows\System\YTSIudd.exe

C:\Windows\System\aFtbXjT.exe

C:\Windows\System\aFtbXjT.exe

C:\Windows\System\FJpbPfe.exe

C:\Windows\System\FJpbPfe.exe

C:\Windows\System\nsecmVd.exe

C:\Windows\System\nsecmVd.exe

C:\Windows\System\nSPNcgi.exe

C:\Windows\System\nSPNcgi.exe

C:\Windows\System\MQzCSBf.exe

C:\Windows\System\MQzCSBf.exe

C:\Windows\System\RqOFpEC.exe

C:\Windows\System\RqOFpEC.exe

C:\Windows\System\RvDWRqi.exe

C:\Windows\System\RvDWRqi.exe

C:\Windows\System\wUxKFRM.exe

C:\Windows\System\wUxKFRM.exe

C:\Windows\System\TsYFzga.exe

C:\Windows\System\TsYFzga.exe

C:\Windows\System\nuROKDz.exe

C:\Windows\System\nuROKDz.exe

C:\Windows\System\JDAvwoF.exe

C:\Windows\System\JDAvwoF.exe

C:\Windows\System\DkMvpyD.exe

C:\Windows\System\DkMvpyD.exe

C:\Windows\System\RYlKGgT.exe

C:\Windows\System\RYlKGgT.exe

C:\Windows\System\xNJPeAf.exe

C:\Windows\System\xNJPeAf.exe

C:\Windows\System\VppWLZz.exe

C:\Windows\System\VppWLZz.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 23.62.61.73:443 www.bing.com tcp
US 8.8.8.8:53 73.61.62.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4772-0-0x00007FF777740000-0x00007FF777A94000-memory.dmp

memory/4772-1-0x00000248A6A50000-0x00000248A6A60000-memory.dmp

C:\Windows\System\DBRmGrK.exe

MD5 aa2aa2ab4c353b49fe61cd9578e9cad8
SHA1 f10c83373fe7f8b8f8d88c260a46931216fab054
SHA256 62cb4715b1d520b9d16b42b224f02c7744d4716129df41f1a374dccde0ebeb1b
SHA512 d87af411a459dd1de351f8ded0da255cd191ae7935439fa61a9fa0e62f6502c3b03e2cf349ffc637be7962b5f439d07d77bac02adabacd3b65f6042443722894

memory/212-8-0x00007FF78FE70000-0x00007FF7901C4000-memory.dmp

C:\Windows\System\DvuFyiF.exe

MD5 f024d18a9da2e3b0ae8a72f4cd37784f
SHA1 1f24ae508f863841a961ccecc1c35826568e4083
SHA256 a364b7c74c33973e21da020c1d8520e35f3f00800aabfd485f7723e6e36b5ff2
SHA512 340ed9f12f363c69fcbe5bd3aefa2d7766f9230c8a4a00ebb84b262aef20c7b835036b7a357d6ec33da71ff453fd37947a2e7a1bea877fc050d692cad9455def

C:\Windows\System\OIroWEp.exe

MD5 a9b9af2594e6de1344d7c3c5e5456581
SHA1 49cdf69a95bd0b8064f03b6e00199bfa68fc2d5b
SHA256 c32f7408e9db6c65cfbead436a9a48da0475453a385f51ac3509f300e75e5e01
SHA512 d42ecc98102b5469db26f94baf19bb2fc20f12254237b1de0d7af96084f7fc2b055d88d171854bac0111d9cf7a1072f7dc6d5c7ec3d32db4f08773c527bb5690

memory/3844-14-0x00007FF72C480000-0x00007FF72C7D4000-memory.dmp

memory/776-20-0x00007FF61AFA0000-0x00007FF61B2F4000-memory.dmp

C:\Windows\System\RiDdZoi.exe

MD5 569a73e855fbc0417c1a9237534055a4
SHA1 351324fe7fc41ea762def83d0024821ecc7ee9b2
SHA256 ae39014a991a0564c1936e2a6ff7322c64d9bee14705559e6edcdbd4e5a2a297
SHA512 30b8a2a592aa7b7f035977dd100dab0c3200d50203434052cd15a3147ee0dbd9c45b084ce7c9029885ca62f2bef31d29ab24acc122c3a303436babeb352a999f

C:\Windows\System\JiQRnYN.exe

MD5 a893cb8e158ab3d2f51c18993a909d53
SHA1 840ef551967d1c71790ebbea3be1558ea3bfc1e2
SHA256 da48e55a17794b8a9ed0d1146e3844b3dff8b77c713fbf0e7429112ec92c9788
SHA512 de72714bd1f65e69b7a7fe6ecc8ce98d5f4d2f532efd9cb27ee560a92c18b8f9df2870fc76819e3a0edb9db7eb25dd20f13b20763f905e7ce7f93c17362ad42f

memory/3388-28-0x00007FF6B54E0000-0x00007FF6B5834000-memory.dmp

C:\Windows\System\YTSIudd.exe

MD5 fde2f9df8545e859072cba253a1d4874
SHA1 99c15bd29d919200ae78fd1c48edc3b77259f0d4
SHA256 4b3b48045261b9ca5c420f4c737b87665f9252d4dfa186e736030a798e76b426
SHA512 246897a946595aaa1941dc4a31665fa7b2eb78252b419ce862bf8a68553b24110c240a8e135ec0743fab7a91cd236d83537fd815a9c6733f2a9da89960f7f574

C:\Windows\System\aFtbXjT.exe

MD5 40a0f1e0ff37179f126cd25771c3f7f2
SHA1 de4635558fbcc300b7d529058f588b792a905613
SHA256 cb3baea58c1be9831bb4a247f3b1d8603543c94daae4995a6fac9db9883adf08
SHA512 666d879d7f79a6c666b89a51579c0f274a7fa4164a8ccbf9b700323acf6837c9842a7263fe8008f24ec024b2663608508e1dc13f3ec1f150026908511e8ff58e

memory/2476-36-0x00007FF737E50000-0x00007FF7381A4000-memory.dmp

memory/1852-43-0x00007FF609C10000-0x00007FF609F64000-memory.dmp

memory/384-35-0x00007FF68C590000-0x00007FF68C8E4000-memory.dmp

C:\Windows\System\FJpbPfe.exe

MD5 a93acec8a942b86f978446a7e59601b9
SHA1 b7b80ebebb9161923619fa81cd0a1a477333e1b5
SHA256 60fdb08ea16466273f224f5d54edd2c21f12dff686243b4cff19179df50e9d58
SHA512 5e85063e762da18ac4e99846ce21e83cf9c1a07125cfc1bea932c8e5cb939885c9a7ea35857bb7b056e9df21a96180a682dc22f0e3a57f860bcc1559240a549a

memory/464-50-0x00007FF6B0170000-0x00007FF6B04C4000-memory.dmp

C:\Windows\System\nsecmVd.exe

MD5 dd631c9e213e21fa478fbf03d9c96a76
SHA1 a7ed86d836b2a49ea7b473bf6775715b18c2eee2
SHA256 d551955c65134bf5d240a212ded0a4706d1041777355d1e0ac496eb73ec447a6
SHA512 bae505d772cfd06f6a2927d2cd9cd694da53583c40cc6ad7e42f35559dae393e984facbf231c4ba232b4f1c5e14490301f46fdb949f8781acf8471ce61cb695a

memory/4536-56-0x00007FF6483D0000-0x00007FF648724000-memory.dmp

C:\Windows\System\nSPNcgi.exe

MD5 6c5badbc54934af8cdcda256f1a59c07
SHA1 80ea14a03cd81e710145eb987e8f2441207bdcbf
SHA256 2d64ea5282e8e14a7c9b205318c42e0c752a29fdc0f61cf87d620d9106bc6213
SHA512 c5950eb5a5365c52197784075050e2ac91490406f190e56a088d6a658749d41c252d5dd27d3e4e32c1bcfd292495b4b57fa0fb5b0467622dd0d98b1966974caf

memory/4796-63-0x00007FF6D3820000-0x00007FF6D3B74000-memory.dmp

memory/4772-62-0x00007FF777740000-0x00007FF777A94000-memory.dmp

memory/2108-70-0x00007FF6312C0000-0x00007FF631614000-memory.dmp

memory/212-68-0x00007FF78FE70000-0x00007FF7901C4000-memory.dmp

C:\Windows\System\MQzCSBf.exe

MD5 301249e60730e7a79bdb085b63fc1192
SHA1 39a74ee3723186c0d8e62dcbc671d312dd414d0f
SHA256 22da3a917b585ad64bf71316a906d5f71ec661bdebde82305b152cace127bba9
SHA512 5114146747005ac77c5f8e8595e502be84e7a170d15fdfd42ae0a27fd483ddd9b28ad41f4cb6f0aa90374dbee4a8444efafd1fd226be1012165b38f90dce3f31

C:\Windows\System\RqOFpEC.exe

MD5 345df1684408c79a18483b29e7b081c0
SHA1 4bf62b47e562d2e84954c0103b3aa494414c826b
SHA256 a2df4dee51e1ab35a9a0fb68f9e6e49e94b83edf359fe970933d745b740dc2ab
SHA512 683225c6499359de4bad5342398159708a93c189584e19a6ecd0162bedc22fc8075b08a7e96915352a2cd6f54ae94b893b70e9942dbd9a0a4849315b502c7079

memory/2240-74-0x00007FF715DC0000-0x00007FF716114000-memory.dmp

C:\Windows\System\RvDWRqi.exe

MD5 6eef4ca720bc71d5c2a1b73ecbdfbd71
SHA1 c82ec93607b450187bcf7873371ad5f54c45af87
SHA256 20f27ef321db6e4dd7561bcdafd57127933dd7164e83143fab2175546a64e7bf
SHA512 9c5f248691f3801a71614b7fc1c7fd9ec699a91de738e3ec7c5b747a54317bb15277a06f0862912e4bdc21591ce11960314ad254cdfe6781c2ad54cbd719d628

memory/1548-82-0x00007FF7670E0000-0x00007FF767434000-memory.dmp

C:\Windows\System\wUxKFRM.exe

MD5 4f16543e7a94840b470de3918a620eb7
SHA1 0e2844f9ee923dcf8e1cd54a1eac032646832a1b
SHA256 e02e7c9a707119e5cb853eebde45d84bf5dc47f7c65bf7d36e83cd139c9fc090
SHA512 ec7c13be1dff33a37e99383ccf0f2f161604a4b9c91e518ec7f4f9e53cd4aeb767239d461d1c911095ada7491e03759a63c9e17bb3e208831a05769c5f7de7c9

memory/4080-88-0x00007FF634970000-0x00007FF634CC4000-memory.dmp

C:\Windows\System\TsYFzga.exe

MD5 12cb8e8ca58c02c3e13e1c4fc731e795
SHA1 2dd04067665aaf039a590cce28555b36506382d1
SHA256 33b7ac9234e385ca13c963405c52e031b213bfb13c3ebdfeccaa40e35aede202
SHA512 9787c5fdd82472e9086c3a877ca587167948f9a74972c416adf737daa50d9e1367cd721809d6405f8ccd1240fcb1c196a7267106637eefd21ce3830bdbdb9471

memory/3600-94-0x00007FF79AB90000-0x00007FF79AEE4000-memory.dmp

memory/2476-98-0x00007FF737E50000-0x00007FF7381A4000-memory.dmp

C:\Windows\System\nuROKDz.exe

MD5 6a2c4d84a2f4c7a3b1fa85a862280392
SHA1 a57663f2c8f384533f61217af1af29e3e15d0eeb
SHA256 577772741514f0f53be0602f8c23ce4e67233001682059c1f08bc2d520b40112
SHA512 1c64068379b721bb727ff9aa9ed9c661965f52614087711ea7ba66555382539af7860f537f980b2f05047c8bf170a7cf615f55a5f506c2b3ab9de2b61983520f

C:\Windows\System\JDAvwoF.exe

MD5 fb0fd11bcacd55b52c963e879b50774b
SHA1 c0b0d802f7381227c7f4e72e62537a257be2b6da
SHA256 c786b3aeb391a465816555698eed1532ad0d496e5077fad70caba2c202b9669f
SHA512 59d7b75cc1fe342dca1b3368d1491c21310104cacae7acd8b24112745c6f5e0a2c411bd8c87a90eefc656890ee124d406e99a41a3bf21a979fbed3088f0db5e1

memory/3660-99-0x00007FF68D410000-0x00007FF68D764000-memory.dmp

memory/1852-107-0x00007FF609C10000-0x00007FF609F64000-memory.dmp

C:\Windows\System\DkMvpyD.exe

MD5 0e7e3f437d4617666a254917ffbdd233
SHA1 193255140dba4d1acfbe73a159b819e0433f1937
SHA256 f5bee43a4f812de68c0e88e4022d362ca225ec93fee4370a0d955b84d6c89426
SHA512 410c1f23c027a08f93c858cd88dd6310af094049393c465a1464bcf80e1029de44f4717b40df33928e97522b3913b9cd39419690fe8ec1b244553c1a4d9ffdf4

memory/2600-108-0x00007FF73A6B0000-0x00007FF73AA04000-memory.dmp

memory/2156-113-0x00007FF68C700000-0x00007FF68CA54000-memory.dmp

memory/464-112-0x00007FF6B0170000-0x00007FF6B04C4000-memory.dmp

C:\Windows\System\xNJPeAf.exe

MD5 d999eeb0dbbfe9871618fb8fff69a346
SHA1 3b49c03f05973447d7fd1bc20400fb287c628013
SHA256 bbd32cf24a137ee27050d6c0af1bb440e32a38cdb54adc61e1cdf19319f35645
SHA512 6940cdcc93ad6174fa13485c98ce105ca7a1de710971309c2f70385dbe95152443f10e87bf178c3032b6bd8d8fee0cced8daee3ec1fbc23ebe1b73407b86519c

C:\Windows\System\RYlKGgT.exe

MD5 6b447926854f41475b34d9d2ada010e5
SHA1 caa338bc81c32aa72b2128f06875ab0eb06e38c6
SHA256 81799970aef7b67295d8dd5fc25b3eb42ea4cf4eaaf8ca7a0279a30ea3470d99
SHA512 1ef2d836341f65b1780e1bd96673ded3291910ec4fde3cf964f0b1f2c2818cbbf23ab4d87f7b85b7fee424ecd50175930ec14661ad304b773c311d87845aed19

memory/4536-126-0x00007FF6483D0000-0x00007FF648724000-memory.dmp

memory/1044-127-0x00007FF7B2830000-0x00007FF7B2B84000-memory.dmp

memory/3172-129-0x00007FF628220000-0x00007FF628574000-memory.dmp

C:\Windows\System\VppWLZz.exe

MD5 40d05f41ea5d424cdd78828b97ca8704
SHA1 f608b1bb9e1d0679da024af07222d197ace4ea17
SHA256 644ba547fcf4568033c0fbdf63e4ae19733ae5426a29b7c45298e6bec9fe3cec
SHA512 afc4b4a574830777cc95f52b95a0d23d739261c37cbe676a173b4f7c147875d406dee732b86a776a02d11b9f0d01681c7226c344286fb788e15e7755626d88cd

memory/1484-133-0x00007FF636260000-0x00007FF6365B4000-memory.dmp

memory/2240-134-0x00007FF715DC0000-0x00007FF716114000-memory.dmp

memory/3660-135-0x00007FF68D410000-0x00007FF68D764000-memory.dmp

memory/2156-136-0x00007FF68C700000-0x00007FF68CA54000-memory.dmp

memory/1484-137-0x00007FF636260000-0x00007FF6365B4000-memory.dmp

memory/212-138-0x00007FF78FE70000-0x00007FF7901C4000-memory.dmp

memory/3844-139-0x00007FF72C480000-0x00007FF72C7D4000-memory.dmp

memory/776-140-0x00007FF61AFA0000-0x00007FF61B2F4000-memory.dmp

memory/3388-141-0x00007FF6B54E0000-0x00007FF6B5834000-memory.dmp

memory/384-142-0x00007FF68C590000-0x00007FF68C8E4000-memory.dmp

memory/2476-143-0x00007FF737E50000-0x00007FF7381A4000-memory.dmp

memory/1852-144-0x00007FF609C10000-0x00007FF609F64000-memory.dmp

memory/464-145-0x00007FF6B0170000-0x00007FF6B04C4000-memory.dmp

memory/4536-146-0x00007FF6483D0000-0x00007FF648724000-memory.dmp

memory/4796-147-0x00007FF6D3820000-0x00007FF6D3B74000-memory.dmp

memory/2108-148-0x00007FF6312C0000-0x00007FF631614000-memory.dmp

memory/2240-149-0x00007FF715DC0000-0x00007FF716114000-memory.dmp

memory/1548-150-0x00007FF7670E0000-0x00007FF767434000-memory.dmp

memory/4080-151-0x00007FF634970000-0x00007FF634CC4000-memory.dmp

memory/3600-152-0x00007FF79AB90000-0x00007FF79AEE4000-memory.dmp

memory/2600-154-0x00007FF73A6B0000-0x00007FF73AA04000-memory.dmp

memory/3660-153-0x00007FF68D410000-0x00007FF68D764000-memory.dmp

memory/1044-155-0x00007FF7B2830000-0x00007FF7B2B84000-memory.dmp

memory/2156-156-0x00007FF68C700000-0x00007FF68CA54000-memory.dmp

memory/3172-157-0x00007FF628220000-0x00007FF628574000-memory.dmp

memory/1484-158-0x00007FF636260000-0x00007FF6365B4000-memory.dmp