Malware Analysis Report

2024-10-24 18:15

Sample ID: 240606-wgxvtahe4s
Target: 2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike
SHA256: b1720b46bc2d1325a59aef9ddf3a0b1ca27ba6831191a9ad9a565bfe339d9a00
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: b1720b46bc2d1325a59aef9ddf3a0b1ca27ba6831191a9ad9a565bfe339d9a00

Threat Level: Known bad

The file 2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags: miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike
Detects Reflective DLL injection artifacts
XMRig Miner payload
xmrig
Cobaltstrike family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-06 17:54

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-06 17:54
Reported: 2024-06-06 17:57
Platform: win7-20231129-en
Max time kernel: 133s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DFjiWdv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\droSepl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GhcQpio.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eMjeMPe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lfbbVRU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rlrnQeV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LwFKJRb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sjBVXex.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FiosYAC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gNhCHBF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pfVQHdl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wXaxoUr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hVkvOlp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vziioPw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jRfmNFb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yXLoVcX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FOnSPRT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ooJfaKa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XJAqpqz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tVfOgfy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rgOuOdL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\pfVQHdl.exe
PID 2044 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\yXLoVcX.exe
PID 2044 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\FOnSPRT.exe
PID 2044 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wXaxoUr.exe
PID 2044 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\lfbbVRU.exe
PID 2044 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ooJfaKa.exe
PID 2044 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rlrnQeV.exe
PID 2044 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XJAqpqz.exe
PID 2044 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\LwFKJRb.exe
PID 2044 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\DFjiWdv.exe
PID 2044 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\droSepl.exe
PID 2044 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\vziioPw.exe
PID 2044 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\GhcQpio.exe
PID 2044 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\hVkvOlp.exe
PID 2044 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\tVfOgfy.exe
PID 2044 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jRfmNFb.exe
PID 2044 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rgOuOdL.exe
PID 2044 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\sjBVXex.exe
PID 2044 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\FiosYAC.exe
PID 2044 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gNhCHBF.exe
PID 2044 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\eMjeMPe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe"

Dropped executables launched from C:\Windows\System (each with its image path as the command line):
C:\Windows\System\pfVQHdl.exe
C:\Windows\System\yXLoVcX.exe
C:\Windows\System\FOnSPRT.exe
C:\Windows\System\wXaxoUr.exe
C:\Windows\System\lfbbVRU.exe
C:\Windows\System\ooJfaKa.exe
C:\Windows\System\rlrnQeV.exe
C:\Windows\System\XJAqpqz.exe
C:\Windows\System\LwFKJRb.exe
C:\Windows\System\DFjiWdv.exe
C:\Windows\System\droSepl.exe
C:\Windows\System\vziioPw.exe
C:\Windows\System\GhcQpio.exe
C:\Windows\System\hVkvOlp.exe
C:\Windows\System\tVfOgfy.exe
C:\Windows\System\jRfmNFb.exe
C:\Windows\System\rgOuOdL.exe
C:\Windows\System\sjBVXex.exe
C:\Windows\System\FiosYAC.exe
C:\Windows\System\gNhCHBF.exe
C:\Windows\System\eMjeMPe.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp

Files

memory/2044-0-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/2044-1-0x0000000000580000-0x0000000000590000-memory.dmp

\Windows\system\wXaxoUr.exe

MD5 06f067e5e53cceeea22b4b815b147423
SHA1 df033b82848f07537a8abec1a17506ac92f0d9ab
SHA256 997d4f65e8f0cf24bde481efc49f16e3168807af969ec22ccff42020e06c2928
SHA512 b5f8e8505994b8684f6ddfecb72e102d67f4660e66c2625669f4d7afef85c43a1b1b7f9cfa498d8771370525ad656348b54ff4a6ebbe55718225e9737fbb569f

memory/2044-24-0x000000013F730000-0x000000013FA84000-memory.dmp

\Windows\system\lfbbVRU.exe

MD5 a39aadcc26ea53529a3a32e5fc0ee120
SHA1 9d39511301c23227a141bfd4d0dfb59e118f653c
SHA256 df7b7f3e7b58e6d0f2f858eed567d595ae052ae550b0c5426f15afa57ae95517
SHA512 607153fc270a21d502373fbe71f557f47ce3aa73ddcd32f76cde26b5dcd8c73cdf7f3530fa7f5444583674d5c9bf8c3c019181a1a978b34d1bdd39ab16689fdf

memory/2000-18-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2044-42-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2588-43-0x000000013FDD0000-0x0000000140124000-memory.dmp

memory/2684-41-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2044-48-0x0000000002260000-0x00000000025B4000-memory.dmp

memory/2044-51-0x0000000002260000-0x00000000025B4000-memory.dmp

memory/2572-50-0x000000013FC50000-0x000000013FFA4000-memory.dmp

C:\Windows\system\XJAqpqz.exe

MD5 8bc77e794c83ed02519d7faaa0fc299f
SHA1 5e7f2c7c0c37248a918d40d59521acf0ed1a3500
SHA256 b72cd05956270ff3da595aed0d34091d07fef59c555b0e9e979645adc9e677e8
SHA512 261b6b9fc0542316a3b501752eb6db2adafb20a897dcd2a22bf9da51def603813a91648a0697a2d5f27e0aaad9d3b33f125e2c254adff32f8a7e16a810a6a0f7

\Windows\system\LwFKJRb.exe

MD5 eeee13763c75c6097ea1209cec7f8406
SHA1 6aec426b51f68873cd14a94b7917d3c09d8eca69
SHA256 f4e9a4525e893c5ab8a15aef20d3b4b8af0dc1db7edbcbfd1dea0127b537e94e
SHA512 ad8886a03bbd1da36fccb916283882be91033979263dd0270ff27614c0f7cfaaddbf4aae055356f4287bd8f07fdb64d21834aba3ddc9e0387bb2eda6d1d3acec

\Windows\system\DFjiWdv.exe

MD5 c04f00445ec438ba9e5e292b322f69fc
SHA1 8f08f131135e66824c89e46a29ec5212235f8410
SHA256 bfeace8c643db85f3b7025d545e44df25f4b277862814c4d62482c1b72f8e789
SHA512 73a4b1e9a35cd08bccc0833cb85af1690795849e5f6af5970d75ecaa8eb8485501cc948c0990cf504ec863c59310d9821b12b21af14da31576cd54a964d959e5

\Windows\system\droSepl.exe

MD5 9de12147732824a92c00ff514e86b1db
SHA1 cf533d2008957e2f74a21687e066b13c60216917
SHA256 b28ec1c30b9e8b44f601b614abe9442c5290bd79c75aa1da4306ba9d41d2ee6c
SHA512 9b08f112f883728297a12941a65ebb0a6af981d2e59972c7c954c13933ea5884766fe243328d0fce15f1b54a3a463650db68e78d7e172cdaa57da926b0d7107f

C:\Windows\system\jRfmNFb.exe

MD5 5344fadff4cd814279024d1d6291bfb4
SHA1 71ab34b14d4d1c87ca1a8e3be41918bfda162ad3
SHA256 bacf3d928b8e051d6c7bf7526828166d1f8d88b7fc4699def2caa586db39fb6f
SHA512 af62e9584584ecabbefad7946b00705e3401df6949adb02930ffa47855574cd0574051eb3ddb5e40a7b24dccb228722f430ff7ce59df56d50dbe585251535dc7

C:\Windows\system\rgOuOdL.exe

MD5 0b4411eb454a98e2e7f63672d5de0ab4
SHA1 4fef0b417a3f0fe12b54178ae70fd5e3e0c0d099
SHA256 7acf14e37f004fd70c915850d4bd37f17385d9c6f7f18177e4bf7258266bba51
SHA512 785f50fae126d312a95af5931248f72f7b0fe4d30e7f1ebbd02c8f2fa88ea5524a5d252e68799b348b4cdd280fdebe3e95fe805e64ffb7ddba7aa960d77eb4c2

memory/2044-115-0x0000000002260000-0x00000000025B4000-memory.dmp

memory/2044-125-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2044-130-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/1236-124-0x000000013FAF0000-0x000000013FE44000-memory.dmp

\Windows\system\eMjeMPe.exe

MD5 27e9f9ca391183a1e3403016caf290fb
SHA1 a304bc72a76848d50456cedb88b47b0a4c4102f0
SHA256 34e8d2e33d19a703ae6d4d347a76bfeb5fa786bbaee4f21349f6414da9f2a4a1
SHA512 75ccad9bda316388d02d350eb7a692206e7bf863a7dd9149d2dbc04ead1a46bd080fdac93d69ca0d7b617cffc108648e028dbc07461c914a78605d05b547a755

memory/2592-133-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2044-132-0x0000000002260000-0x00000000025B4000-memory.dmp

memory/2484-131-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2044-129-0x000000013F5D0000-0x000000013F924000-memory.dmp

memory/2712-128-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2044-127-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/1924-126-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2044-120-0x0000000002260000-0x00000000025B4000-memory.dmp

C:\Windows\system\FiosYAC.exe

MD5 675a7c2a480063eeb3402191e12b2a95
SHA1 3d36fc23ffe4d941a16b1f7370f9573ef533fa93
SHA256 244257a97f63e721a7e83a0fb290c057544eb981e7d400b76e5ae1b8bf3238a8
SHA512 0c2f3e6824f1313040b7dc700467d4e0ebe37cc244b0743e720effc187f12719c7f4517e3721dcede5c04e96aa856ed623efa2e38eca73d2eb1bf5da2f35fa9f

memory/2236-116-0x000000013FC60000-0x000000013FFB4000-memory.dmp

C:\Windows\system\gNhCHBF.exe

MD5 5de827543aa6a81c97d1d4c2de7b0058
SHA1 c2e2441145f9804903809b555e953843c6838825
SHA256 eb7f9de09ddacdc3f60a4e514280fe01644d5ee64c4fa3b6bf25285857ae4e4f
SHA512 d5e7d37383190e26fdd29793611f0fce429610c9a5e799d65985a6676e76cfce4aad9840f4c4a01df75f1464e7ff15ababaf153486bce34e1bd26e0cd19f11f7

C:\Windows\system\sjBVXex.exe

MD5 624c68b9f754b17d9ccdafc417f47485
SHA1 5d2df3e2cdd8eb6af6a248de5699e3164e334628
SHA256 e0ca9c6b3c90c1cb7ee143d2101db81421410ebd2845a3494f1817243e1c196c
SHA512 e804a496544ea38df65e79d461ea1aaa3d048d4d5f48488fd9bb1b6b67e45cbe19d8340d278ea53aba5df699aa64f8c38e86b55277f68acc117b5413a56d11c0

C:\Windows\system\tVfOgfy.exe

MD5 b11176e6c989c8aae9af9a209398dc56
SHA1 852dc2949009b815034bd02d48f14bb9a78f099c
SHA256 fe615218be8529221aeb3e3a65e67d3cfb04417b453efd282a195b3afd89fc5f
SHA512 e5a23fba7c92a0e3caa1d7042f70a76d926a7154157cb8e95eac4ad4b319ed45bbaa761fb6b19617934d7a2bdfd01fc71cae1abdb34c7ae298797b367f47f87b

C:\Windows\system\GhcQpio.exe

MD5 df0a7836d953b170ae502e5652c707d6
SHA1 6e0dcabcc048460b3d55224fba56b3eb49888589
SHA256 4c55471ea2908d0d3721df1865b9cac9c06636b480f118bee53c87b30cc192d6
SHA512 3ded6adf8663a35cf7507ff01875367a9c0253d007aab4d8c4e474941503d43fb348393c647cb4227ec96d3a6ea10395c1020d4a1f1dfd7f3b5a19f32e4c2070

C:\Windows\system\hVkvOlp.exe

MD5 51811ec79e5d13ea950dc611e2a6d417
SHA1 cdd47d6c5c3e30107abd74c0caf4dcdf8b12d891
SHA256 2adc005590ba88a77e454f648d532795b375218a74715232db6c3fda59780eac
SHA512 5522e61e28d69ee57e422d5251af5f1c1ac75599a4d1cf085400f0f377fd1101e2db40a9891174a1859b8d12fe96abdd5bb1ce7e854fb06b7b2531a014c4915e

C:\Windows\system\vziioPw.exe

MD5 f8bd3ec9e121be4400aeca931d8883b6
SHA1 0c18449607b194f5bd8b6b2f337840a7c4832e5a
SHA256 d448eec2216d0c4307adf393e59fb9e724b2194083cb5e5f97a94c2a80d2d443
SHA512 9d5fb1041e3fdf1189dbfb8a97b5e234a887366827023f7ed791fded5bca28658bb34c860aed16b49a282072a0017dd9880c76ba4f090473241b298735069628

memory/2764-67-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2044-62-0x0000000002260000-0x00000000025B4000-memory.dmp

C:\Windows\system\rlrnQeV.exe

MD5 b5b7309e3b6345ad437e9c5d67736474
SHA1 772592f720c3d574efc0a9b8de0cc6041570ff96
SHA256 c9e2e93466d5b44d5c290cbbe109ddacec1eda811a5c3ec58acd93a0b71ec74d
SHA512 cb4f4e62311f80dfc604d56ca796c81cc9dc40c0fdda42635c539d4cb909b3a87f564ac3363b664e1e4669f7c2d55709a3105679f8fb40baf1c50ab247c42eba

memory/1156-40-0x000000013FEF0000-0x0000000140244000-memory.dmp

C:\Windows\system\ooJfaKa.exe

MD5 007c0e40755976cfa49e893b8915f68e
SHA1 954bcdeece8f8b765a47891b55bcdee49c0e96f5
SHA256 5759663996621c68bf288d5dfd1d79cfe733aac455766df7421b456b0175279c
SHA512 83bce4bdfa4d2bcdb2c88dd82b02faf5a8a1f94ea542fe139f461d0fdb614122ba6a1a69bbb432dba0ab98cc4c465e2c76f6343ab35cd725d5c79527feec3d56

memory/2044-34-0x0000000002260000-0x00000000025B4000-memory.dmp

memory/2904-33-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2044-32-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2612-31-0x000000013F730000-0x000000013FA84000-memory.dmp

C:\Windows\system\FOnSPRT.exe

MD5 ff60e49435d81cd8b58d2353e6fcff04
SHA1 1be44c990db708bb102a147da82ada4a91133521
SHA256 9077f37ba4f82bbd9daa5decbb58a7028a5288b7628c98a44e2148561da48643
SHA512 fb42031ebc87fcc1d0a7486fdde6419dfba0ba752a29e44737a35eb2a311ecc4ec4aa29335c067be7cec384ef60dd20748925253a5921efddd8a178388530bec

C:\Windows\system\yXLoVcX.exe

MD5 8d0c7d649feea21c75f9a4b2b38c00a7
SHA1 50b6b0fe5631337c48d4894f2723342264b1b5b9
SHA256 13ae55739fb92423ce70b470459184cfc34bc9b497eecd3fb7b44a95f56c6e5d
SHA512 44965aaed51d7975eadc7e09d1baedc3b213ac8ef0de43297b12ac74f6acebe21ce463c111807bc1cf7a76661085f320faf00b7aa54be4bb047356f166b3b4de

memory/2044-10-0x0000000002260000-0x00000000025B4000-memory.dmp

C:\Windows\system\pfVQHdl.exe

MD5 271330b58dc8cb19a3239780c4cd4aa5
SHA1 f20493ac1fcf0937328b0094dc2ddff7527fe6d5
SHA256 ed842f1e04ff746762484b468505a0c8d40d42362806acb63648d37da6dabc38
SHA512 aae0be4f9743bb352036e16fbfaf72d0cd6a69517738db97c376bc85a66f21303b4f3a65f3480981e751311b43992cdd557e3d385fece32841b4d506627dbf9d

memory/2044-136-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/1156-138-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2684-140-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2612-139-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2000-137-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2904-141-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2588-142-0x000000013FDD0000-0x0000000140124000-memory.dmp

memory/2572-143-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2764-144-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2484-145-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/1924-148-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2236-150-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2712-149-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/1236-147-0x000000013FAF0000-0x000000013FE44000-memory.dmp

memory/2592-146-0x000000013FA30000-0x000000013FD84000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 17:54

Reported

2024-06-06 17:57

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lfbbVRU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LwFKJRb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jRfmNFb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FiosYAC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pfVQHdl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FOnSPRT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rlrnQeV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XJAqpqz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\droSepl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vziioPw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tVfOgfy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yXLoVcX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wXaxoUr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hVkvOlp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rgOuOdL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sjBVXex.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gNhCHBF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ooJfaKa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DFjiWdv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GhcQpio.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eMjeMPe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4408 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\pfVQHdl.exe
PID 4408 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\pfVQHdl.exe
PID 4408 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\yXLoVcX.exe
PID 4408 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\yXLoVcX.exe
PID 4408 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\FOnSPRT.exe
PID 4408 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\FOnSPRT.exe
PID 4408 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wXaxoUr.exe
PID 4408 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wXaxoUr.exe
PID 4408 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\lfbbVRU.exe
PID 4408 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\lfbbVRU.exe
PID 4408 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ooJfaKa.exe
PID 4408 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ooJfaKa.exe
PID 4408 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rlrnQeV.exe
PID 4408 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rlrnQeV.exe
PID 4408 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XJAqpqz.exe
PID 4408 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XJAqpqz.exe
PID 4408 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\LwFKJRb.exe
PID 4408 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\LwFKJRb.exe
PID 4408 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\DFjiWdv.exe
PID 4408 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\DFjiWdv.exe
PID 4408 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\droSepl.exe
PID 4408 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\droSepl.exe
PID 4408 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\vziioPw.exe
PID 4408 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\vziioPw.exe
PID 4408 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\GhcQpio.exe
PID 4408 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\GhcQpio.exe
PID 4408 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\hVkvOlp.exe
PID 4408 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\hVkvOlp.exe
PID 4408 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\tVfOgfy.exe
PID 4408 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\tVfOgfy.exe
PID 4408 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jRfmNFb.exe
PID 4408 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jRfmNFb.exe
PID 4408 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rgOuOdL.exe
PID 4408 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rgOuOdL.exe
PID 4408 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\sjBVXex.exe
PID 4408 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\sjBVXex.exe
PID 4408 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\FiosYAC.exe
PID 4408 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\FiosYAC.exe
PID 4408 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gNhCHBF.exe
PID 4408 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gNhCHBF.exe
PID 4408 wrote to memory of 180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\eMjeMPe.exe
PID 4408 wrote to memory of 180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe C:\Windows\System\eMjeMPe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_17ed11d3bfcddbf9027f5c23c2d1caf2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\pfVQHdl.exe

C:\Windows\System\pfVQHdl.exe

C:\Windows\System\yXLoVcX.exe

C:\Windows\System\yXLoVcX.exe

C:\Windows\System\FOnSPRT.exe

C:\Windows\System\FOnSPRT.exe

C:\Windows\System\wXaxoUr.exe

C:\Windows\System\wXaxoUr.exe

C:\Windows\System\lfbbVRU.exe

C:\Windows\System\lfbbVRU.exe

C:\Windows\System\ooJfaKa.exe

C:\Windows\System\ooJfaKa.exe

C:\Windows\System\rlrnQeV.exe

C:\Windows\System\rlrnQeV.exe

C:\Windows\System\XJAqpqz.exe

C:\Windows\System\XJAqpqz.exe

C:\Windows\System\LwFKJRb.exe

C:\Windows\System\LwFKJRb.exe

C:\Windows\System\DFjiWdv.exe

C:\Windows\System\DFjiWdv.exe

C:\Windows\System\droSepl.exe

C:\Windows\System\droSepl.exe

C:\Windows\System\vziioPw.exe

C:\Windows\System\vziioPw.exe

C:\Windows\System\GhcQpio.exe

C:\Windows\System\GhcQpio.exe

C:\Windows\System\hVkvOlp.exe

C:\Windows\System\hVkvOlp.exe

C:\Windows\System\tVfOgfy.exe

C:\Windows\System\tVfOgfy.exe

C:\Windows\System\jRfmNFb.exe

C:\Windows\System\jRfmNFb.exe

C:\Windows\System\rgOuOdL.exe

C:\Windows\System\rgOuOdL.exe

C:\Windows\System\sjBVXex.exe

C:\Windows\System\sjBVXex.exe

C:\Windows\System\FiosYAC.exe

C:\Windows\System\FiosYAC.exe

C:\Windows\System\gNhCHBF.exe

C:\Windows\System\gNhCHBF.exe

C:\Windows\System\eMjeMPe.exe

C:\Windows\System\eMjeMPe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4408-0-0x00007FF618DD0000-0x00007FF619124000-memory.dmp

memory/4408-1-0x00000217BDE80000-0x00000217BDE90000-memory.dmp

C:\Windows\System\pfVQHdl.exe

MD5 271330b58dc8cb19a3239780c4cd4aa5
SHA1 f20493ac1fcf0937328b0094dc2ddff7527fe6d5
SHA256 ed842f1e04ff746762484b468505a0c8d40d42362806acb63648d37da6dabc38
SHA512 aae0be4f9743bb352036e16fbfaf72d0cd6a69517738db97c376bc85a66f21303b4f3a65f3480981e751311b43992cdd557e3d385fece32841b4d506627dbf9d

memory/3632-12-0x00007FF71E820000-0x00007FF71EB74000-memory.dmp

C:\Windows\System\FOnSPRT.exe

MD5 ff60e49435d81cd8b58d2353e6fcff04
SHA1 1be44c990db708bb102a147da82ada4a91133521
SHA256 9077f37ba4f82bbd9daa5decbb58a7028a5288b7628c98a44e2148561da48643
SHA512 fb42031ebc87fcc1d0a7486fdde6419dfba0ba752a29e44737a35eb2a311ecc4ec4aa29335c067be7cec384ef60dd20748925253a5921efddd8a178388530bec

C:\Windows\System\yXLoVcX.exe

MD5 8d0c7d649feea21c75f9a4b2b38c00a7
SHA1 50b6b0fe5631337c48d4894f2723342264b1b5b9
SHA256 13ae55739fb92423ce70b470459184cfc34bc9b497eecd3fb7b44a95f56c6e5d
SHA512 44965aaed51d7975eadc7e09d1baedc3b213ac8ef0de43297b12ac74f6acebe21ce463c111807bc1cf7a76661085f320faf00b7aa54be4bb047356f166b3b4de

C:\Windows\System\wXaxoUr.exe

MD5 06f067e5e53cceeea22b4b815b147423
SHA1 df033b82848f07537a8abec1a17506ac92f0d9ab
SHA256 997d4f65e8f0cf24bde481efc49f16e3168807af969ec22ccff42020e06c2928
SHA512 b5f8e8505994b8684f6ddfecb72e102d67f4660e66c2625669f4d7afef85c43a1b1b7f9cfa498d8771370525ad656348b54ff4a6ebbe55718225e9737fbb569f

memory/1516-21-0x00007FF613840000-0x00007FF613B94000-memory.dmp

memory/4860-8-0x00007FF727910000-0x00007FF727C64000-memory.dmp

C:\Windows\System\lfbbVRU.exe

MD5 a39aadcc26ea53529a3a32e5fc0ee120
SHA1 9d39511301c23227a141bfd4d0dfb59e118f653c
SHA256 df7b7f3e7b58e6d0f2f858eed567d595ae052ae550b0c5426f15afa57ae95517
SHA512 607153fc270a21d502373fbe71f557f47ce3aa73ddcd32f76cde26b5dcd8c73cdf7f3530fa7f5444583674d5c9bf8c3c019181a1a978b34d1bdd39ab16689fdf

C:\Windows\System\rlrnQeV.exe

MD5 b5b7309e3b6345ad437e9c5d67736474
SHA1 772592f720c3d574efc0a9b8de0cc6041570ff96
SHA256 c9e2e93466d5b44d5c290cbbe109ddacec1eda811a5c3ec58acd93a0b71ec74d
SHA512 cb4f4e62311f80dfc604d56ca796c81cc9dc40c0fdda42635c539d4cb909b3a87f564ac3363b664e1e4669f7c2d55709a3105679f8fb40baf1c50ab247c42eba

C:\Windows\System\ooJfaKa.exe

MD5 007c0e40755976cfa49e893b8915f68e
SHA1 954bcdeece8f8b765a47891b55bcdee49c0e96f5
SHA256 5759663996621c68bf288d5dfd1d79cfe733aac455766df7421b456b0175279c
SHA512 83bce4bdfa4d2bcdb2c88dd82b02faf5a8a1f94ea542fe139f461d0fdb614122ba6a1a69bbb432dba0ab98cc4c465e2c76f6343ab35cd725d5c79527feec3d56

memory/5012-34-0x00007FF669C00000-0x00007FF669F54000-memory.dmp

memory/2596-26-0x00007FF6B3820000-0x00007FF6B3B74000-memory.dmp

C:\Windows\System\XJAqpqz.exe

MD5 8bc77e794c83ed02519d7faaa0fc299f
SHA1 5e7f2c7c0c37248a918d40d59521acf0ed1a3500
SHA256 b72cd05956270ff3da595aed0d34091d07fef59c555b0e9e979645adc9e677e8
SHA512 261b6b9fc0542316a3b501752eb6db2adafb20a897dcd2a22bf9da51def603813a91648a0697a2d5f27e0aaad9d3b33f125e2c254adff32f8a7e16a810a6a0f7

C:\Windows\System\LwFKJRb.exe

MD5 eeee13763c75c6097ea1209cec7f8406
SHA1 6aec426b51f68873cd14a94b7917d3c09d8eca69
SHA256 f4e9a4525e893c5ab8a15aef20d3b4b8af0dc1db7edbcbfd1dea0127b537e94e
SHA512 ad8886a03bbd1da36fccb916283882be91033979263dd0270ff27614c0f7cfaaddbf4aae055356f4287bd8f07fdb64d21834aba3ddc9e0387bb2eda6d1d3acec

memory/1480-65-0x00007FF7072B0000-0x00007FF707604000-memory.dmp

memory/4408-64-0x00007FF618DD0000-0x00007FF619124000-memory.dmp

C:\Windows\System\droSepl.exe

MD5 9de12147732824a92c00ff514e86b1db
SHA1 cf533d2008957e2f74a21687e066b13c60216917
SHA256 b28ec1c30b9e8b44f601b614abe9442c5290bd79c75aa1da4306ba9d41d2ee6c
SHA512 9b08f112f883728297a12941a65ebb0a6af981d2e59972c7c954c13933ea5884766fe243328d0fce15f1b54a3a463650db68e78d7e172cdaa57da926b0d7107f

C:\Windows\System\tVfOgfy.exe

MD5 b11176e6c989c8aae9af9a209398dc56
SHA1 852dc2949009b815034bd02d48f14bb9a78f099c
SHA256 fe615218be8529221aeb3e3a65e67d3cfb04417b453efd282a195b3afd89fc5f
SHA512 e5a23fba7c92a0e3caa1d7042f70a76d926a7154157cb8e95eac4ad4b319ed45bbaa761fb6b19617934d7a2bdfd01fc71cae1abdb34c7ae298797b367f47f87b

C:\Windows\System\eMjeMPe.exe

MD5 27e9f9ca391183a1e3403016caf290fb
SHA1 a304bc72a76848d50456cedb88b47b0a4c4102f0
SHA256 34e8d2e33d19a703ae6d4d347a76bfeb5fa786bbaee4f21349f6414da9f2a4a1
SHA512 75ccad9bda316388d02d350eb7a692206e7bf863a7dd9149d2dbc04ead1a46bd080fdac93d69ca0d7b617cffc108648e028dbc07461c914a78605d05b547a755

C:\Windows\System\gNhCHBF.exe

MD5 5de827543aa6a81c97d1d4c2de7b0058
SHA1 c2e2441145f9804903809b555e953843c6838825
SHA256 eb7f9de09ddacdc3f60a4e514280fe01644d5ee64c4fa3b6bf25285857ae4e4f
SHA512 d5e7d37383190e26fdd29793611f0fce429610c9a5e799d65985a6676e76cfce4aad9840f4c4a01df75f1464e7ff15ababaf153486bce34e1bd26e0cd19f11f7

C:\Windows\System\FiosYAC.exe

MD5 675a7c2a480063eeb3402191e12b2a95
SHA1 3d36fc23ffe4d941a16b1f7370f9573ef533fa93
SHA256 244257a97f63e721a7e83a0fb290c057544eb981e7d400b76e5ae1b8bf3238a8
SHA512 0c2f3e6824f1313040b7dc700467d4e0ebe37cc244b0743e720effc187f12719c7f4517e3721dcede5c04e96aa856ed623efa2e38eca73d2eb1bf5da2f35fa9f

C:\Windows\System\sjBVXex.exe

MD5 624c68b9f754b17d9ccdafc417f47485
SHA1 5d2df3e2cdd8eb6af6a248de5699e3164e334628
SHA256 e0ca9c6b3c90c1cb7ee143d2101db81421410ebd2845a3494f1817243e1c196c
SHA512 e804a496544ea38df65e79d461ea1aaa3d048d4d5f48488fd9bb1b6b67e45cbe19d8340d278ea53aba5df699aa64f8c38e86b55277f68acc117b5413a56d11c0

C:\Windows\System\rgOuOdL.exe

MD5 0b4411eb454a98e2e7f63672d5de0ab4
SHA1 4fef0b417a3f0fe12b54178ae70fd5e3e0c0d099
SHA256 7acf14e37f004fd70c915850d4bd37f17385d9c6f7f18177e4bf7258266bba51
SHA512 785f50fae126d312a95af5931248f72f7b0fe4d30e7f1ebbd02c8f2fa88ea5524a5d252e68799b348b4cdd280fdebe3e95fe805e64ffb7ddba7aa960d77eb4c2

C:\Windows\System\jRfmNFb.exe

MD5 5344fadff4cd814279024d1d6291bfb4
SHA1 71ab34b14d4d1c87ca1a8e3be41918bfda162ad3
SHA256 bacf3d928b8e051d6c7bf7526828166d1f8d88b7fc4699def2caa586db39fb6f
SHA512 af62e9584584ecabbefad7946b00705e3401df6949adb02930ffa47855574cd0574051eb3ddb5e40a7b24dccb228722f430ff7ce59df56d50dbe585251535dc7

C:\Windows\System\hVkvOlp.exe

MD5 51811ec79e5d13ea950dc611e2a6d417
SHA1 cdd47d6c5c3e30107abd74c0caf4dcdf8b12d891
SHA256 2adc005590ba88a77e454f648d532795b375218a74715232db6c3fda59780eac
SHA512 5522e61e28d69ee57e422d5251af5f1c1ac75599a4d1cf085400f0f377fd1101e2db40a9891174a1859b8d12fe96abdd5bb1ce7e854fb06b7b2531a014c4915e

C:\Windows\System\GhcQpio.exe

MD5 df0a7836d953b170ae502e5652c707d6
SHA1 6e0dcabcc048460b3d55224fba56b3eb49888589
SHA256 4c55471ea2908d0d3721df1865b9cac9c06636b480f118bee53c87b30cc192d6
SHA512 3ded6adf8663a35cf7507ff01875367a9c0253d007aab4d8c4e474941503d43fb348393c647cb4227ec96d3a6ea10395c1020d4a1f1dfd7f3b5a19f32e4c2070

C:\Windows\System\vziioPw.exe

MD5 f8bd3ec9e121be4400aeca931d8883b6
SHA1 0c18449607b194f5bd8b6b2f337840a7c4832e5a
SHA256 d448eec2216d0c4307adf393e59fb9e724b2194083cb5e5f97a94c2a80d2d443
SHA512 9d5fb1041e3fdf1189dbfb8a97b5e234a887366827023f7ed791fded5bca28658bb34c860aed16b49a282072a0017dd9880c76ba4f090473241b298735069628

C:\Windows\System\DFjiWdv.exe

MD5 c04f00445ec438ba9e5e292b322f69fc
SHA1 8f08f131135e66824c89e46a29ec5212235f8410
SHA256 bfeace8c643db85f3b7025d545e44df25f4b277862814c4d62482c1b72f8e789
SHA512 73a4b1e9a35cd08bccc0833cb85af1690795849e5f6af5970d75ecaa8eb8485501cc948c0990cf504ec863c59310d9821b12b21af14da31576cd54a964d959e5

memory/2120-61-0x00007FF77F870000-0x00007FF77FBC4000-memory.dmp

memory/464-57-0x00007FF6B1890000-0x00007FF6B1BE4000-memory.dmp

memory/3668-52-0x00007FF7FA030000-0x00007FF7FA384000-memory.dmp

memory/4248-48-0x00007FF675850000-0x00007FF675BA4000-memory.dmp

memory/1068-44-0x00007FF73C160000-0x00007FF73C4B4000-memory.dmp

memory/3440-120-0x00007FF630910000-0x00007FF630C64000-memory.dmp

memory/3028-121-0x00007FF79C210000-0x00007FF79C564000-memory.dmp

memory/3952-122-0x00007FF610DE0000-0x00007FF611134000-memory.dmp

memory/4860-119-0x00007FF727910000-0x00007FF727C64000-memory.dmp

memory/816-123-0x00007FF69BB40000-0x00007FF69BE94000-memory.dmp

memory/3620-125-0x00007FF77C5D0000-0x00007FF77C924000-memory.dmp

memory/3284-126-0x00007FF7A0920000-0x00007FF7A0C74000-memory.dmp

memory/1836-124-0x00007FF6A1700000-0x00007FF6A1A54000-memory.dmp

memory/2528-127-0x00007FF7910D0000-0x00007FF791424000-memory.dmp

memory/3836-128-0x00007FF6DE560000-0x00007FF6DE8B4000-memory.dmp

memory/180-129-0x00007FF635480000-0x00007FF6357D4000-memory.dmp

memory/3632-130-0x00007FF71E820000-0x00007FF71EB74000-memory.dmp

memory/5012-131-0x00007FF669C00000-0x00007FF669F54000-memory.dmp

memory/3668-132-0x00007FF7FA030000-0x00007FF7FA384000-memory.dmp

memory/464-133-0x00007FF6B1890000-0x00007FF6B1BE4000-memory.dmp

memory/2120-134-0x00007FF77F870000-0x00007FF77FBC4000-memory.dmp

memory/1480-135-0x00007FF7072B0000-0x00007FF707604000-memory.dmp

memory/4860-136-0x00007FF727910000-0x00007FF727C64000-memory.dmp

memory/3632-137-0x00007FF71E820000-0x00007FF71EB74000-memory.dmp

memory/1516-138-0x00007FF613840000-0x00007FF613B94000-memory.dmp

memory/2596-139-0x00007FF6B3820000-0x00007FF6B3B74000-memory.dmp

memory/4248-142-0x00007FF675850000-0x00007FF675BA4000-memory.dmp

memory/1068-141-0x00007FF73C160000-0x00007FF73C4B4000-memory.dmp

memory/5012-140-0x00007FF669C00000-0x00007FF669F54000-memory.dmp

memory/3668-143-0x00007FF7FA030000-0x00007FF7FA384000-memory.dmp

memory/464-144-0x00007FF6B1890000-0x00007FF6B1BE4000-memory.dmp

memory/2120-145-0x00007FF77F870000-0x00007FF77FBC4000-memory.dmp

memory/3440-147-0x00007FF630910000-0x00007FF630C64000-memory.dmp

memory/1480-146-0x00007FF7072B0000-0x00007FF707604000-memory.dmp

memory/3952-149-0x00007FF610DE0000-0x00007FF611134000-memory.dmp

memory/816-150-0x00007FF69BB40000-0x00007FF69BE94000-memory.dmp

memory/1836-151-0x00007FF6A1700000-0x00007FF6A1A54000-memory.dmp

memory/3620-152-0x00007FF77C5D0000-0x00007FF77C924000-memory.dmp

memory/3284-153-0x00007FF7A0920000-0x00007FF7A0C74000-memory.dmp

memory/3836-155-0x00007FF6DE560000-0x00007FF6DE8B4000-memory.dmp

memory/2528-156-0x00007FF7910D0000-0x00007FF791424000-memory.dmp

memory/180-154-0x00007FF635480000-0x00007FF6357D4000-memory.dmp

memory/3028-148-0x00007FF79C210000-0x00007FF79C564000-memory.dmp