Malware Analysis Report

2024-10-24 18:16

Sample ID 240606-w27kraba37
Target 2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike
SHA256 a87aee5308f8cd80e372e6080c2d2205416adc353a4366d19f9e19894e29833b
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a87aee5308f8cd80e372e6080c2d2205416adc353a4366d19f9e19894e29833b

Threat Level: Known bad

The file 2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

Cobalt Strike reflective loader

xmrig

Cobaltstrike

XMRig Miner payload

Xmrig family

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

Detects Reflective DLL injection artifacts

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 18:26

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 18:26

Reported

2024-06-06 18:29

Platform

win7-20231129-en

Max time kernel

137s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wBzXAsr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pSDMCei.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uzPKCFI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PNfzQTz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oEkQltv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KkGxvbU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cnFZSiN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ltrszQf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XyeVUPQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nrGVCHm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lPQuYoe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QkGbwKL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WIGOAgE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WvRESix.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SfbSlCL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PCkuouv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fssZGBv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SAKlEpJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KKLvPXB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZrKfPeP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KMXyOmU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3004 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WvRESix.exe
PID 3004 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WvRESix.exe
PID 3004 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WvRESix.exe
PID 3004 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KkGxvbU.exe
PID 3004 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KkGxvbU.exe
PID 3004 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KkGxvbU.exe
PID 3004 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XyeVUPQ.exe
PID 3004 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XyeVUPQ.exe
PID 3004 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XyeVUPQ.exe
PID 3004 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\cnFZSiN.exe
PID 3004 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\cnFZSiN.exe
PID 3004 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\cnFZSiN.exe
PID 3004 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SfbSlCL.exe
PID 3004 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SfbSlCL.exe
PID 3004 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SfbSlCL.exe
PID 3004 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZrKfPeP.exe
PID 3004 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZrKfPeP.exe
PID 3004 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZrKfPeP.exe
PID 3004 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\lPQuYoe.exe
PID 3004 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\lPQuYoe.exe
PID 3004 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\lPQuYoe.exe
PID 3004 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KMXyOmU.exe
PID 3004 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KMXyOmU.exe
PID 3004 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KMXyOmU.exe
PID 3004 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wBzXAsr.exe
PID 3004 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wBzXAsr.exe
PID 3004 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wBzXAsr.exe
PID 3004 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\pSDMCei.exe
PID 3004 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\pSDMCei.exe
PID 3004 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\pSDMCei.exe
PID 3004 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\nrGVCHm.exe
PID 3004 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\nrGVCHm.exe
PID 3004 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\nrGVCHm.exe
PID 3004 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\QkGbwKL.exe
PID 3004 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\QkGbwKL.exe
PID 3004 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\QkGbwKL.exe
PID 3004 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCkuouv.exe
PID 3004 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCkuouv.exe
PID 3004 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCkuouv.exe
PID 3004 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ltrszQf.exe
PID 3004 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ltrszQf.exe
PID 3004 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ltrszQf.exe
PID 3004 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fssZGBv.exe
PID 3004 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fssZGBv.exe
PID 3004 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fssZGBv.exe
PID 3004 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\uzPKCFI.exe
PID 3004 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\uzPKCFI.exe
PID 3004 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\uzPKCFI.exe
PID 3004 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WIGOAgE.exe
PID 3004 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WIGOAgE.exe
PID 3004 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WIGOAgE.exe
PID 3004 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SAKlEpJ.exe
PID 3004 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SAKlEpJ.exe
PID 3004 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SAKlEpJ.exe
PID 3004 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PNfzQTz.exe
PID 3004 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PNfzQTz.exe
PID 3004 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PNfzQTz.exe
PID 3004 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oEkQltv.exe
PID 3004 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oEkQltv.exe
PID 3004 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oEkQltv.exe
PID 3004 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KKLvPXB.exe
PID 3004 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KKLvPXB.exe
PID 3004 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KKLvPXB.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\WvRESix.exe

C:\Windows\System\WvRESix.exe

C:\Windows\System\KkGxvbU.exe

C:\Windows\System\KkGxvbU.exe

C:\Windows\System\XyeVUPQ.exe

C:\Windows\System\XyeVUPQ.exe

C:\Windows\System\cnFZSiN.exe

C:\Windows\System\cnFZSiN.exe

C:\Windows\System\SfbSlCL.exe

C:\Windows\System\SfbSlCL.exe

C:\Windows\System\ZrKfPeP.exe

C:\Windows\System\ZrKfPeP.exe

C:\Windows\System\lPQuYoe.exe

C:\Windows\System\lPQuYoe.exe

C:\Windows\System\KMXyOmU.exe

C:\Windows\System\KMXyOmU.exe

C:\Windows\System\wBzXAsr.exe

C:\Windows\System\wBzXAsr.exe

C:\Windows\System\pSDMCei.exe

C:\Windows\System\pSDMCei.exe

C:\Windows\System\nrGVCHm.exe

C:\Windows\System\nrGVCHm.exe

C:\Windows\System\QkGbwKL.exe

C:\Windows\System\QkGbwKL.exe

C:\Windows\System\PCkuouv.exe

C:\Windows\System\PCkuouv.exe

C:\Windows\System\ltrszQf.exe

C:\Windows\System\ltrszQf.exe

C:\Windows\System\fssZGBv.exe

C:\Windows\System\fssZGBv.exe

C:\Windows\System\uzPKCFI.exe

C:\Windows\System\uzPKCFI.exe

C:\Windows\System\WIGOAgE.exe

C:\Windows\System\WIGOAgE.exe

C:\Windows\System\SAKlEpJ.exe

C:\Windows\System\SAKlEpJ.exe

C:\Windows\System\PNfzQTz.exe

C:\Windows\System\PNfzQTz.exe

C:\Windows\System\oEkQltv.exe

C:\Windows\System\oEkQltv.exe

C:\Windows\System\KKLvPXB.exe

C:\Windows\System\KKLvPXB.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3004-1-0x00000000000F0000-0x0000000000100000-memory.dmp

memory/3004-0-0x000000013FB20000-0x000000013FE74000-memory.dmp

C:\Windows\system\KkGxvbU.exe

MD5 ca566a3166959ce4a3ca9ab8b0afd3e4
SHA1 b83bda7eb4a64f0e1e68ebe6408228ae60a23c9d
SHA256 69ad44b8676cad71bdfb77470abb70fbf628a50c6a369839766871c0fbd6d5f9
SHA512 e1e5ade875a6b72d3701b76d88cf294c061e1add42bcea477fd574cad846e6d84b6328165a36a0c49a70c8a6434343b89dc7587d28494d3df32c9bf0c4827cb0

memory/2656-25-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/3004-32-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/2664-40-0x000000013FE80000-0x00000001401D4000-memory.dmp

C:\Windows\system\wBzXAsr.exe

MD5 9e31e2d931f7f443c119ee77df9ddf78
SHA1 8eef4cce49339f3ffb197e5ce37fd23e150a0db2
SHA256 8c43cdb97d856fda4e5eb7de527026ec0e14dd9b54ac4872c46d8cb501137d4b
SHA512 aa150d85526753abe890c48457b1610e151286f01f67e0194ddddbc1f200955ef0a4f322e806deeae4c409e08a3fdab1ba587a8cb838ee9be33159be4930983f

\Windows\system\KMXyOmU.exe

MD5 38b6b422e8588d63cf6345f17b8ffd55
SHA1 a223c54ed8480cd5573a28eba063c9e7f81141a5
SHA256 4b71c9ca63230be5382c36b6c992e491e0eb7b89a746c5bbf19319e036ac2d17
SHA512 9be5148803032875b173dda7e8b7c92754c231061e485fc22816c4689f151313cda13246d385190cd6f97d4369e038f2122f09a5718057eba008277ed8397a58

memory/2476-62-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2776-63-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/3004-68-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/2648-70-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/3004-75-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/2968-77-0x000000013FCE0000-0x0000000140034000-memory.dmp

C:\Windows\system\nrGVCHm.exe

MD5 1ede9bc1c5e34410bf0b6c6f5d3a5722
SHA1 457820a20785136508d114737a23d9692f8005e8
SHA256 0b1a359887213d01706caf0570e195c8fb27fcaee40f3d5c90bae7e2f74b7b46
SHA512 34aaf71e9d3a26cb147e7532d8a77e7848ede9e868318a1d964bd407dacb0d7134848b973d92efbc3171a86adeaf246931e8d20d8a78b70637882bca1d09e2ab

C:\Windows\system\QkGbwKL.exe

MD5 f2b62a051e67cec046a5b6beaaefc867
SHA1 0b3f206b338d65789eb3a94730377b2b3d99812d
SHA256 69b333059617ed2d8e0066c78c91e077720ef1afc1fb4180f871790fe2ec2f4d
SHA512 703ae3263aa8928086aedfe3b70b1491fa3db752197092757848020c6d1a58e032740a8488dfb0d7355bf6a47f9a66de06d61a3973aea3ef02e97c4837c1aea3

memory/536-82-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/3004-89-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/3004-92-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

\Windows\system\ltrszQf.exe

MD5 a978b35ce520d17be377bfeb3ba5e622
SHA1 091421fed0c6febf76a6ae925598f23f1d3814a2
SHA256 8b27946fd13723aac998b3bbed6ccf96b945c4180386a7551361f6e37ef3509d
SHA512 62f815d14c9900a616bd47f0cb6d4856d1b23adc48d5aa605684caba213d72ba9452b13bda460741c72d6dc903c65d86159ca1aefcd39e8c7bbb501fdc4ce79f

memory/784-90-0x000000013F1B0000-0x000000013F504000-memory.dmp

C:\Windows\system\PCkuouv.exe

MD5 73a95c034a5e948a4b8895f38ffb9138
SHA1 c8f1f2745061443c2e9f58842ce21ff4300a07dc
SHA256 cbcdb2371267a0b08e787c1aa41ad02a40e378183fd4e8479bb02a7ada86044f
SHA512 292cb0fb67627c9a6fbd8f84615ad4d887831f4c5603074c53795533851fe313778dae98b061b21bda13edad7db8e8a830ad692b7699bf87296dc375d4b738f1

memory/3004-69-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/3004-67-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/2268-66-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/3004-65-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2756-64-0x000000013FB70000-0x000000013FEC4000-memory.dmp

memory/1060-96-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

\Windows\system\fssZGBv.exe

MD5 ef9fa413cbf21a8690036633a622b904
SHA1 084cae4ee3207b9124d87f6e562aed3d9478d6b2
SHA256 3f73b642fb1b0c66ec944823845bfbfed3e07148b04829b3135d27cea32a631b
SHA512 f3e4998b44816baa3bb458d3a76bc97c066d422b26c10e44b54dc9c24e528c48ab910d69bbfe140d486903de4e7838eb0dd8a7d498d322c357503cd6ca5af42e

C:\Windows\system\uzPKCFI.exe

MD5 ba0f4d2a5390060d92bb83eee75d2689
SHA1 9572a0602d0b0ebec6cafc428c574ba57fa68d40
SHA256 870939d47dd84e55bf481da9e93e2447ced9f81a9de06ebe7ec9551b67e3e4a9
SHA512 ccb6d2f79d49d11e90ce26a40fc27f1550c92d4f65f97d39d62ebef8a70c8af3e45f41963f1445d49a8402ba7d8ed993f22db80325053bc276dbc04bee801e22

C:\Windows\system\KKLvPXB.exe

MD5 2e0034ce9bb3ea359612c829f789cbea
SHA1 b6697694547ca3dc38709778c2ab15d365aa71ee
SHA256 2eb26ec5fbefa34d201dc41c62e5b6de0ca6e3baba6c4059b9e16e149e0c22f6
SHA512 2b8f528507dd703cc2085663aa8903b462fe5ed7e5c1583eae37dfe9407dfd3e40a3c5e2d961e91d2665e7323571ca4b8e7d04190740a49fef42904783bc857a

C:\Windows\system\oEkQltv.exe

MD5 79cabda8feb180281e62ce74cd717ea0
SHA1 5d3142952f3d37b586ce4e1bb6ea9871f24d8bf1
SHA256 e87604b50d7a22e477a952639047c2250f85fc1045b4ec21a830736dd1aafc28
SHA512 160b13d4411fd633af648b21f409a5efbb3eb9da2fa613b5841f5d51464bb346352571949a54034f0abd3a1dd0431a7c2732f8670deb657daa4b1eea7e386116

C:\Windows\system\SAKlEpJ.exe

MD5 33681d4c819e4ce13510e2c763db35f7
SHA1 ba640777724418d191d5517775ef8166fe112e0f
SHA256 91cb8c1d53109a046b4a725a4f8a3ac315b538a4c9e24b7eb32ef2a72837b1d6
SHA512 10508a4452e783976af3eecad9190af651b191fc131b91473560511ec859c7be32df347d958b8877f7db6db2f47ffbbe51ffdf02ef117d849f74643259904789

C:\Windows\system\PNfzQTz.exe

MD5 13173673d0b02d6784fd1cdb138a064f
SHA1 8af5b58eb722e41f5e480483f7fb47852bb50dea
SHA256 3c94bd5d2f6ad6dca3f386d9e412483a6b2231f78fd2cfdc21e38c36c17a2a5f
SHA512 c8a965e6d5334a221af348c3b0e8bc7b6bd44b4b5770057ecd3e92f49b1e29fbcd9e4da7042d71617ba5e9f7abc4a5c7913b86180d47248b60a975f32252c834

C:\Windows\system\WIGOAgE.exe

MD5 fb79176b0a1e9d876ede79e65c79eb00
SHA1 7b3952fe82bde07421d44dde204f5fdf317e274b
SHA256 aa5e33c181f8fdbef8fb64a277ab6c183097ab581de3637ac7992d6715543b69
SHA512 0d3ac852045b1641374a3cb77f8058fedd2d6f6fbbc01c54f1255bde0f98082ca0dc8ad96c8169a3b98e905e22a8165b2eeb9ad5f47d9ba8a5290c63c7154c60

C:\Windows\system\pSDMCei.exe

MD5 d0d4b3d80abc297fc1e85ebc63ca6ffa
SHA1 df230c5dd0c6e085c655ddfee330d4a499bb86e8
SHA256 cd59b6a69805e69d4a9fc37001f7978fde90479dc1866ba7fbd4be4116a690c8
SHA512 a0c6de26464b4056edf9832c674e7cc51487e9e43af9f7e005b8f9f94a9d72d19152403647c4c6b2ce8b92420d6e86af5e05864884956aa791c4a3d87e96e66c

memory/3004-45-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

C:\Windows\system\lPQuYoe.exe

MD5 466727dc66e574e69b9051ab36b69a17
SHA1 c537a7fe54b57de03f2361848be4aa82d722eb75
SHA256 be9b5ee098160db2bbf5739b7db719ba53c3b026d4460859453663d571ef8366
SHA512 0eba0116c7cc1ef21c07cdc68fc2641b90563f4016f4b294d37a8c82e81436158197ad2936a45e464c542fabd96d4420345145a8be8b0f0623a5c39b732b560f

memory/3004-39-0x00000000023D0000-0x0000000002724000-memory.dmp

C:\Windows\system\ZrKfPeP.exe

MD5 d1c19db3170c421e28978bc6e36c7a06
SHA1 4e7273e05d9cbe68d21b656104a0d12a2560ae82
SHA256 fb6308163915e045e94a5c0fc4d950454363ae32e42430c026337644e607558a
SHA512 97d374a1f0ab7eeebd4039282befb543413d1d53f95733ffbe8e1487d2fe8977805f766e328e9f9ce87f107b993c4be1ebe6a0005f3634f34092b7c17c36db1b

memory/2892-33-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2576-30-0x000000013FDC0000-0x0000000140114000-memory.dmp

C:\Windows\system\SfbSlCL.exe

MD5 a9ac47597c004bd88a04208a32dbb314
SHA1 5f177ff36b6974e9b507d158836fcc967acc403f
SHA256 6d53f35d415018e28b2598eec3eb10e2d7802874d452384bbb04ce5cb41ce948
SHA512 0e4ec3941f11a91c185c8713695724e615ed6bfa52d542af4809e206855c2b858a581d0e37962a0d867fb0bf8286f19b0ad3f9a7034920282d569287af282ee5

\Windows\system\cnFZSiN.exe

MD5 12e3127811cbe41201470838e666b38f
SHA1 f2ed7b4f8d5b236ebef6e5eebb6827bf6cd10a13
SHA256 e8b9f85b5c4b426598039a4f12888b9582953d26c64bedde1ad8ae4c41c225c7
SHA512 5ea73ec2192b03b0f86e9571aaaa673e5d0a1bd70334c8164aad058e15186e3d351ee9d219f5038dbc0ef8bf9f4844a22eb7ab187fe1b08171dc820e23b79b55

memory/2784-18-0x000000013F4D0000-0x000000013F824000-memory.dmp

memory/3004-126-0x000000013FB20000-0x000000013FE74000-memory.dmp

C:\Windows\system\XyeVUPQ.exe

MD5 b5b8502991ae567eed8240fe1c28efd5
SHA1 62d4f2092fa25c10907c06c3c2ce6363181d2b04
SHA256 b5c4d960732e23018abd02b7bd90373ed2ad882ea91ba16270a73be69239111d
SHA512 f7ec6e096eb7c7b97a38e8735fc2a00bfe4b688c608f9730abefcb07879b38ced0dcbf1245edbaf6e6be592c5cbdaaec406af55c2d24a4b652aba1d4d4b2431e

memory/3004-12-0x000000013F4D0000-0x000000013F824000-memory.dmp

C:\Windows\system\WvRESix.exe

MD5 8783ac76802a2c648278d16157a8651a
SHA1 f32a73379c47fdf37988b79ae02113e269bf4946
SHA256 4f3194abc62422c91c6c128a4d0117580a2a11f3a502a71e733041436e008999
SHA512 2bd21a9df9abb46546724a5c910b1abaff3a260dfc748122e5778adf093701c722e3f5bc34008f32d564eb1501161ace42a212bb84775f9eb1959797d1ac7927

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 18:26

Reported

2024-06-06 18:29

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uzPKCFI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SAKlEpJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PNfzQTz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oEkQltv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lPQuYoe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nrGVCHm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KMXyOmU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pSDMCei.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XyeVUPQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SfbSlCL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QkGbwKL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ltrszQf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fssZGBv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WIGOAgE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WvRESix.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cnFZSiN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wBzXAsr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PCkuouv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KKLvPXB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KkGxvbU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZrKfPeP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 380 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WvRESix.exe
PID 380 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WvRESix.exe
PID 380 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KkGxvbU.exe
PID 380 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KkGxvbU.exe
PID 380 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XyeVUPQ.exe
PID 380 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XyeVUPQ.exe
PID 380 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\cnFZSiN.exe
PID 380 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\cnFZSiN.exe
PID 380 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SfbSlCL.exe
PID 380 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SfbSlCL.exe
PID 380 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZrKfPeP.exe
PID 380 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZrKfPeP.exe
PID 380 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\lPQuYoe.exe
PID 380 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\lPQuYoe.exe
PID 380 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KMXyOmU.exe
PID 380 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KMXyOmU.exe
PID 380 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wBzXAsr.exe
PID 380 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wBzXAsr.exe
PID 380 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\pSDMCei.exe
PID 380 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\pSDMCei.exe
PID 380 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\nrGVCHm.exe
PID 380 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\nrGVCHm.exe
PID 380 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\QkGbwKL.exe
PID 380 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\QkGbwKL.exe
PID 380 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCkuouv.exe
PID 380 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCkuouv.exe
PID 380 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ltrszQf.exe
PID 380 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ltrszQf.exe
PID 380 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fssZGBv.exe
PID 380 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fssZGBv.exe
PID 380 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\uzPKCFI.exe
PID 380 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\uzPKCFI.exe
PID 380 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WIGOAgE.exe
PID 380 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WIGOAgE.exe
PID 380 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SAKlEpJ.exe
PID 380 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SAKlEpJ.exe
PID 380 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PNfzQTz.exe
PID 380 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PNfzQTz.exe
PID 380 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oEkQltv.exe
PID 380 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oEkQltv.exe
PID 380 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KKLvPXB.exe
PID 380 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KKLvPXB.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_6264c40fdf329d7befd5a624f7d6a8e2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\WvRESix.exe

C:\Windows\System\WvRESix.exe

C:\Windows\System\KkGxvbU.exe

C:\Windows\System\KkGxvbU.exe

C:\Windows\System\XyeVUPQ.exe

C:\Windows\System\XyeVUPQ.exe

C:\Windows\System\cnFZSiN.exe

C:\Windows\System\cnFZSiN.exe

C:\Windows\System\SfbSlCL.exe

C:\Windows\System\SfbSlCL.exe

C:\Windows\System\ZrKfPeP.exe

C:\Windows\System\ZrKfPeP.exe

C:\Windows\System\lPQuYoe.exe

C:\Windows\System\lPQuYoe.exe

C:\Windows\System\KMXyOmU.exe

C:\Windows\System\KMXyOmU.exe

C:\Windows\System\wBzXAsr.exe

C:\Windows\System\wBzXAsr.exe

C:\Windows\System\pSDMCei.exe

C:\Windows\System\pSDMCei.exe

C:\Windows\System\nrGVCHm.exe

C:\Windows\System\nrGVCHm.exe

C:\Windows\System\QkGbwKL.exe

C:\Windows\System\QkGbwKL.exe

C:\Windows\System\PCkuouv.exe

C:\Windows\System\PCkuouv.exe

C:\Windows\System\ltrszQf.exe

C:\Windows\System\ltrszQf.exe

C:\Windows\System\fssZGBv.exe

C:\Windows\System\fssZGBv.exe

C:\Windows\System\uzPKCFI.exe

C:\Windows\System\uzPKCFI.exe

C:\Windows\System\WIGOAgE.exe

C:\Windows\System\WIGOAgE.exe

C:\Windows\System\SAKlEpJ.exe

C:\Windows\System\SAKlEpJ.exe

C:\Windows\System\PNfzQTz.exe

C:\Windows\System\PNfzQTz.exe

C:\Windows\System\oEkQltv.exe

C:\Windows\System\oEkQltv.exe

C:\Windows\System\KKLvPXB.exe

C:\Windows\System\KKLvPXB.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

memory/380-0-0x00007FF646170000-0x00007FF6464C4000-memory.dmp

memory/380-1-0x00000259EC040000-0x00000259EC050000-memory.dmp

C:\Windows\System\WvRESix.exe

MD5 8783ac76802a2c648278d16157a8651a
SHA1 f32a73379c47fdf37988b79ae02113e269bf4946
SHA256 4f3194abc62422c91c6c128a4d0117580a2a11f3a502a71e733041436e008999
SHA512 2bd21a9df9abb46546724a5c910b1abaff3a260dfc748122e5778adf093701c722e3f5bc34008f32d564eb1501161ace42a212bb84775f9eb1959797d1ac7927

C:\Windows\System\KkGxvbU.exe

MD5 ca566a3166959ce4a3ca9ab8b0afd3e4
SHA1 b83bda7eb4a64f0e1e68ebe6408228ae60a23c9d
SHA256 69ad44b8676cad71bdfb77470abb70fbf628a50c6a369839766871c0fbd6d5f9
SHA512 e1e5ade875a6b72d3701b76d88cf294c061e1add42bcea477fd574cad846e6d84b6328165a36a0c49a70c8a6434343b89dc7587d28494d3df32c9bf0c4827cb0

C:\Windows\System\XyeVUPQ.exe

MD5 b5b8502991ae567eed8240fe1c28efd5
SHA1 62d4f2092fa25c10907c06c3c2ce6363181d2b04
SHA256 b5c4d960732e23018abd02b7bd90373ed2ad882ea91ba16270a73be69239111d
SHA512 f7ec6e096eb7c7b97a38e8735fc2a00bfe4b688c608f9730abefcb07879b38ced0dcbf1245edbaf6e6be592c5cbdaaec406af55c2d24a4b652aba1d4d4b2431e

C:\Windows\System\cnFZSiN.exe

MD5 12e3127811cbe41201470838e666b38f
SHA1 f2ed7b4f8d5b236ebef6e5eebb6827bf6cd10a13
SHA256 e8b9f85b5c4b426598039a4f12888b9582953d26c64bedde1ad8ae4c41c225c7
SHA512 5ea73ec2192b03b0f86e9571aaaa673e5d0a1bd70334c8164aad058e15186e3d351ee9d219f5038dbc0ef8bf9f4844a22eb7ab187fe1b08171dc820e23b79b55

memory/4420-27-0x00007FF6EE560000-0x00007FF6EE8B4000-memory.dmp

C:\Windows\System\SfbSlCL.exe

MD5 a9ac47597c004bd88a04208a32dbb314
SHA1 5f177ff36b6974e9b507d158836fcc967acc403f
SHA256 6d53f35d415018e28b2598eec3eb10e2d7802874d452384bbb04ce5cb41ce948
SHA512 0e4ec3941f11a91c185c8713695724e615ed6bfa52d542af4809e206855c2b858a581d0e37962a0d867fb0bf8286f19b0ad3f9a7034920282d569287af282ee5

C:\Windows\System\ZrKfPeP.exe

MD5 d1c19db3170c421e28978bc6e36c7a06
SHA1 4e7273e05d9cbe68d21b656104a0d12a2560ae82
SHA256 fb6308163915e045e94a5c0fc4d950454363ae32e42430c026337644e607558a
SHA512 97d374a1f0ab7eeebd4039282befb543413d1d53f95733ffbe8e1487d2fe8977805f766e328e9f9ce87f107b993c4be1ebe6a0005f3634f34092b7c17c36db1b

C:\Windows\System\lPQuYoe.exe

MD5 466727dc66e574e69b9051ab36b69a17
SHA1 c537a7fe54b57de03f2361848be4aa82d722eb75
SHA256 be9b5ee098160db2bbf5739b7db719ba53c3b026d4460859453663d571ef8366
SHA512 0eba0116c7cc1ef21c07cdc68fc2641b90563f4016f4b294d37a8c82e81436158197ad2936a45e464c542fabd96d4420345145a8be8b0f0623a5c39b732b560f

C:\Windows\System\wBzXAsr.exe

MD5 9e31e2d931f7f443c119ee77df9ddf78
SHA1 8eef4cce49339f3ffb197e5ce37fd23e150a0db2
SHA256 8c43cdb97d856fda4e5eb7de527026ec0e14dd9b54ac4872c46d8cb501137d4b
SHA512 aa150d85526753abe890c48457b1610e151286f01f67e0194ddddbc1f200955ef0a4f322e806deeae4c409e08a3fdab1ba587a8cb838ee9be33159be4930983f

C:\Windows\System\pSDMCei.exe

MD5 d0d4b3d80abc297fc1e85ebc63ca6ffa
SHA1 df230c5dd0c6e085c655ddfee330d4a499bb86e8
SHA256 cd59b6a69805e69d4a9fc37001f7978fde90479dc1866ba7fbd4be4116a690c8
SHA512 a0c6de26464b4056edf9832c674e7cc51487e9e43af9f7e005b8f9f94a9d72d19152403647c4c6b2ce8b92420d6e86af5e05864884956aa791c4a3d87e96e66c

C:\Windows\System\nrGVCHm.exe

MD5 1ede9bc1c5e34410bf0b6c6f5d3a5722
SHA1 457820a20785136508d114737a23d9692f8005e8
SHA256 0b1a359887213d01706caf0570e195c8fb27fcaee40f3d5c90bae7e2f74b7b46
SHA512 34aaf71e9d3a26cb147e7532d8a77e7848ede9e868318a1d964bd407dacb0d7134848b973d92efbc3171a86adeaf246931e8d20d8a78b70637882bca1d09e2ab

C:\Windows\System\QkGbwKL.exe

MD5 f2b62a051e67cec046a5b6beaaefc867
SHA1 0b3f206b338d65789eb3a94730377b2b3d99812d
SHA256 69b333059617ed2d8e0066c78c91e077720ef1afc1fb4180f871790fe2ec2f4d
SHA512 703ae3263aa8928086aedfe3b70b1491fa3db752197092757848020c6d1a58e032740a8488dfb0d7355bf6a47f9a66de06d61a3973aea3ef02e97c4837c1aea3

C:\Windows\System\fssZGBv.exe

MD5 ef9fa413cbf21a8690036633a622b904
SHA1 084cae4ee3207b9124d87f6e562aed3d9478d6b2
SHA256 3f73b642fb1b0c66ec944823845bfbfed3e07148b04829b3135d27cea32a631b
SHA512 f3e4998b44816baa3bb458d3a76bc97c066d422b26c10e44b54dc9c24e528c48ab910d69bbfe140d486903de4e7838eb0dd8a7d498d322c357503cd6ca5af42e

C:\Windows\System\uzPKCFI.exe

MD5 ba0f4d2a5390060d92bb83eee75d2689
SHA1 9572a0602d0b0ebec6cafc428c574ba57fa68d40
SHA256 870939d47dd84e55bf481da9e93e2447ced9f81a9de06ebe7ec9551b67e3e4a9
SHA512 ccb6d2f79d49d11e90ce26a40fc27f1550c92d4f65f97d39d62ebef8a70c8af3e45f41963f1445d49a8402ba7d8ed993f22db80325053bc276dbc04bee801e22

memory/2932-92-0x00007FF68B1E0000-0x00007FF68B534000-memory.dmp

C:\Windows\System\WIGOAgE.exe

MD5 fb79176b0a1e9d876ede79e65c79eb00
SHA1 7b3952fe82bde07421d44dde204f5fdf317e274b
SHA256 aa5e33c181f8fdbef8fb64a277ab6c183097ab581de3637ac7992d6715543b69
SHA512 0d3ac852045b1641374a3cb77f8058fedd2d6f6fbbc01c54f1255bde0f98082ca0dc8ad96c8169a3b98e905e22a8165b2eeb9ad5f47d9ba8a5290c63c7154c60

memory/1208-111-0x00007FF711410000-0x00007FF711764000-memory.dmp

C:\Windows\System\SAKlEpJ.exe

MD5 33681d4c819e4ce13510e2c763db35f7
SHA1 ba640777724418d191d5517775ef8166fe112e0f
SHA256 91cb8c1d53109a046b4a725a4f8a3ac315b538a4c9e24b7eb32ef2a72837b1d6
SHA512 10508a4452e783976af3eecad9190af651b191fc131b91473560511ec859c7be32df347d958b8877f7db6db2f47ffbbe51ffdf02ef117d849f74643259904789

C:\Windows\System\PNfzQTz.exe

MD5 13173673d0b02d6784fd1cdb138a064f
SHA1 8af5b58eb722e41f5e480483f7fb47852bb50dea
SHA256 3c94bd5d2f6ad6dca3f386d9e412483a6b2231f78fd2cfdc21e38c36c17a2a5f
SHA512 c8a965e6d5334a221af348c3b0e8bc7b6bd44b4b5770057ecd3e92f49b1e29fbcd9e4da7042d71617ba5e9f7abc4a5c7913b86180d47248b60a975f32252c834

C:\Windows\System\oEkQltv.exe

MD5 79cabda8feb180281e62ce74cd717ea0
SHA1 5d3142952f3d37b586ce4e1bb6ea9871f24d8bf1
SHA256 e87604b50d7a22e477a952639047c2250f85fc1045b4ec21a830736dd1aafc28
SHA512 160b13d4411fd633af648b21f409a5efbb3eb9da2fa613b5841f5d51464bb346352571949a54034f0abd3a1dd0431a7c2732f8670deb657daa4b1eea7e386116

C:\Windows\System\KKLvPXB.exe

MD5 2e0034ce9bb3ea359612c829f789cbea
SHA1 b6697694547ca3dc38709778c2ab15d365aa71ee
SHA256 2eb26ec5fbefa34d201dc41c62e5b6de0ca6e3baba6c4059b9e16e149e0c22f6
SHA512 2b8f528507dd703cc2085663aa8903b462fe5ed7e5c1583eae37dfe9407dfd3e40a3c5e2d961e91d2665e7323571ca4b8e7d04190740a49fef42904783bc857a

C:\Windows\System\ltrszQf.exe

MD5 a978b35ce520d17be377bfeb3ba5e622
SHA1 091421fed0c6febf76a6ae925598f23f1d3814a2
SHA256 8b27946fd13723aac998b3bbed6ccf96b945c4180386a7551361f6e37ef3509d
SHA512 62f815d14c9900a616bd47f0cb6d4856d1b23adc48d5aa605684caba213d72ba9452b13bda460741c72d6dc903c65d86159ca1aefcd39e8c7bbb501fdc4ce79f

C:\Windows\System\PCkuouv.exe

MD5 73a95c034a5e948a4b8895f38ffb9138
SHA1 c8f1f2745061443c2e9f58842ce21ff4300a07dc
SHA256 cbcdb2371267a0b08e787c1aa41ad02a40e378183fd4e8479bb02a7ada86044f
SHA512 292cb0fb67627c9a6fbd8f84615ad4d887831f4c5603074c53795533851fe313778dae98b061b21bda13edad7db8e8a830ad692b7699bf87296dc375d4b738f1

memory/3404-67-0x00007FF691250000-0x00007FF6915A4000-memory.dmp

memory/1748-57-0x00007FF78A0A0000-0x00007FF78A3F4000-memory.dmp

C:\Windows\System\KMXyOmU.exe

MD5 38b6b422e8588d63cf6345f17b8ffd55
SHA1 a223c54ed8480cd5573a28eba063c9e7f81141a5
SHA256 4b71c9ca63230be5382c36b6c992e491e0eb7b89a746c5bbf19319e036ac2d17
SHA512 9be5148803032875b173dda7e8b7c92754c231061e485fc22816c4689f151313cda13246d385190cd6f97d4369e038f2122f09a5718057eba008277ed8397a58
