Malware Analysis Report

2024-10-16 03:06

Sample ID 240608-1mlrysgg9z
Target 2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike
SHA256 a06c2ba756a1b9b97c23bd01bf3b1f31c145ca088937cded4bcca7a3a9a76c25
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a06c2ba756a1b9b97c23bd01bf3b1f31c145ca088937cded4bcca7a3a9a76c25

Threat Level: Known bad

The file 2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

Detects Reflective DLL injection artifacts

Cobaltstrike

Cobaltstrike family

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

xmrig

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 21:46

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 21:46

Reported

2024-06-08 21:48

Platform

win7-20240508-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\eGAotxT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YhWFlJy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hGikHtz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ArDAfPa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\grTBVrl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vetqunu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GDqBmsZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BEeyIRz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WSdsLgZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VwWoZsM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sZVZpjA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yEDrLnA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hmYGqUE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WsmVkbh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\klnPSyj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yyROZKH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vQgNOuz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oJmTejv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LNIhQiV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UHkGdTv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mgKygoY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\sZVZpjA.exe
PID 1368 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\yEDrLnA.exe
PID 1368 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\LNIhQiV.exe
PID 1368 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGAotxT.exe
PID 1368 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\vetqunu.exe
PID 1368 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\UHkGdTv.exe
PID 1368 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\mgKygoY.exe
PID 1368 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\WsmVkbh.exe
PID 1368 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\GDqBmsZ.exe
PID 1368 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\BEeyIRz.exe
PID 1368 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\klnPSyj.exe
PID 1368 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\yyROZKH.exe
PID 1368 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmYGqUE.exe
PID 1368 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ArDAfPa.exe
PID 1368 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\WSdsLgZ.exe
PID 1368 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\vQgNOuz.exe
PID 1368 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\oJmTejv.exe
PID 1368 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\YhWFlJy.exe
PID 1368 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\hGikHtz.exe
PID 1368 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\grTBVrl.exe
PID 1368 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\VwWoZsM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\sZVZpjA.exe

C:\Windows\System\yEDrLnA.exe

C:\Windows\System\LNIhQiV.exe

C:\Windows\System\eGAotxT.exe

C:\Windows\System\vetqunu.exe

C:\Windows\System\UHkGdTv.exe

C:\Windows\System\mgKygoY.exe

C:\Windows\System\WsmVkbh.exe

C:\Windows\System\GDqBmsZ.exe

C:\Windows\System\BEeyIRz.exe

C:\Windows\System\klnPSyj.exe

C:\Windows\System\yyROZKH.exe

C:\Windows\System\hmYGqUE.exe

C:\Windows\System\ArDAfPa.exe

C:\Windows\System\WSdsLgZ.exe

C:\Windows\System\vQgNOuz.exe

C:\Windows\System\oJmTejv.exe

C:\Windows\System\YhWFlJy.exe

C:\Windows\System\hGikHtz.exe

C:\Windows\System\grTBVrl.exe

C:\Windows\System\VwWoZsM.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\sZVZpjA.exe

C:\Windows\system\eGAotxT.exe

C:\Windows\system\LNIhQiV.exe

C:\Windows\system\vetqunu.exe

C:\Windows\system\mgKygoY.exe

C:\Windows\system\GDqBmsZ.exe

\Windows\system\BEeyIRz.exe

C:\Windows\system\yyROZKH.exe

C:\Windows\system\ArDAfPa.exe

\Windows\system\hGikHtz.exe

\Windows\system\grTBVrl.exe

C:\Windows\system\VwWoZsM.exe

\Windows\system\YhWFlJy.exe

\Windows\system\vQgNOuz.exe

C:\Windows\system\oJmTejv.exe

C:\Windows\system\WSdsLgZ.exe

C:\Windows\system\hmYGqUE.exe

C:\Windows\system\klnPSyj.exe

C:\Windows\system\WsmVkbh.exe

C:\Windows\system\UHkGdTv.exe

C:\Windows\system\yEDrLnA.exe

memory/2756-136-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2392-137-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2792-138-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2636-140-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2548-142-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2500-141-0x000000013FBE0000-0x000000013FF34000-memory.dmp

memory/2832-139-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/1724-144-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/1552-143-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/2216-145-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 21:46

Reported

2024-06-08 21:48

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cVhCGXS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DdsZnRD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\peNqzNW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XmsuISx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mksJHLw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XIgkIOQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lVKrJEL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wGWeYVi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cvNWoyX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EbylySX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OZHyfLo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yYWXtkZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\poBuXIH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XexVZkE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KCPZSho.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fvwwYNA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SpGSPmj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\adIuOOS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Tlzxdls.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ohiXRai.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QzlXgvg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5040 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\poBuXIH.exe
PID 5040 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\poBuXIH.exe
PID 5040 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\lVKrJEL.exe
PID 5040 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\lVKrJEL.exe
PID 5040 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\cVhCGXS.exe
PID 5040 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\cVhCGXS.exe
PID 5040 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\wGWeYVi.exe
PID 5040 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\wGWeYVi.exe
PID 5040 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\fvwwYNA.exe
PID 5040 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\fvwwYNA.exe
PID 5040 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\SpGSPmj.exe
PID 5040 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\SpGSPmj.exe
PID 5040 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\cvNWoyX.exe
PID 5040 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\cvNWoyX.exe
PID 5040 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\DdsZnRD.exe
PID 5040 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\DdsZnRD.exe
PID 5040 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\EbylySX.exe
PID 5040 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\EbylySX.exe
PID 5040 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\peNqzNW.exe
PID 5040 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\peNqzNW.exe
PID 5040 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\OZHyfLo.exe
PID 5040 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\OZHyfLo.exe
PID 5040 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\yYWXtkZ.exe
PID 5040 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\yYWXtkZ.exe
PID 5040 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\adIuOOS.exe
PID 5040 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\adIuOOS.exe
PID 5040 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\XexVZkE.exe
PID 5040 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\XexVZkE.exe
PID 5040 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmsuISx.exe
PID 5040 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmsuISx.exe
PID 5040 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\mksJHLw.exe
PID 5040 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\mksJHLw.exe
PID 5040 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\XIgkIOQ.exe
PID 5040 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\XIgkIOQ.exe
PID 5040 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\Tlzxdls.exe
PID 5040 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\Tlzxdls.exe
PID 5040 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ohiXRai.exe
PID 5040 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ohiXRai.exe
PID 5040 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\QzlXgvg.exe
PID 5040 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\QzlXgvg.exe
PID 5040 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\KCPZSho.exe
PID 5040 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\KCPZSho.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\poBuXIH.exe

C:\Windows\System\poBuXIH.exe

C:\Windows\System\lVKrJEL.exe

C:\Windows\System\lVKrJEL.exe

C:\Windows\System\cVhCGXS.exe

C:\Windows\System\cVhCGXS.exe

C:\Windows\System\wGWeYVi.exe

C:\Windows\System\wGWeYVi.exe

C:\Windows\System\fvwwYNA.exe

C:\Windows\System\fvwwYNA.exe

C:\Windows\System\SpGSPmj.exe

C:\Windows\System\SpGSPmj.exe

C:\Windows\System\cvNWoyX.exe

C:\Windows\System\cvNWoyX.exe

C:\Windows\System\DdsZnRD.exe

C:\Windows\System\DdsZnRD.exe

C:\Windows\System\EbylySX.exe

C:\Windows\System\EbylySX.exe

C:\Windows\System\peNqzNW.exe

C:\Windows\System\peNqzNW.exe

C:\Windows\System\OZHyfLo.exe

C:\Windows\System\OZHyfLo.exe

C:\Windows\System\yYWXtkZ.exe

C:\Windows\System\yYWXtkZ.exe

C:\Windows\System\adIuOOS.exe

C:\Windows\System\adIuOOS.exe

C:\Windows\System\XexVZkE.exe

C:\Windows\System\XexVZkE.exe

C:\Windows\System\XmsuISx.exe

C:\Windows\System\XmsuISx.exe

C:\Windows\System\mksJHLw.exe

C:\Windows\System\mksJHLw.exe

C:\Windows\System\XIgkIOQ.exe

C:\Windows\System\XIgkIOQ.exe

C:\Windows\System\Tlzxdls.exe

C:\Windows\System\Tlzxdls.exe

C:\Windows\System\ohiXRai.exe

C:\Windows\System\ohiXRai.exe

C:\Windows\System\QzlXgvg.exe

C:\Windows\System\QzlXgvg.exe

C:\Windows\System\KCPZSho.exe

C:\Windows\System\KCPZSho.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/5040-0-0x00007FF78B9B0000-0x00007FF78BD04000-memory.dmp

memory/5040-1-0x000002465C520000-0x000002465C530000-memory.dmp

C:\Windows\System\poBuXIH.exe

MD5 6c7c54fc7596ac36ebabe616e1acab74
SHA1 609056fd3693ef7fd7e9f1e8c10aa181281d16e7
SHA256 e4db06a59fd3cc9514e59878fe9b09d31917ad1a7e375db7e06641a21fc8c8fd
SHA512 76e2c9e6de5d7c4e7e0c8db64320202d88658e96d928a0b556a9ed4ae17d19cbe05a75206683a348ad04cdfdbba3ef35a09d7d39d9d16b4d3396e1006ea30c52

memory/3952-7-0x00007FF7BF700000-0x00007FF7BFA54000-memory.dmp

C:\Windows\System\cVhCGXS.exe

MD5 f67e7ec5ee2cf2822c516358ffc30898
SHA1 89464b8465e2c4d98839ce961ddd21a114e918fc
SHA256 87cedcba39ce902ca0e54c424e977360e18f698dd9ceb5322f90c8fd537ea643
SHA512 ca93407bcc0dcc5723b6178e310f8721148fc364433cb232e18aff41f0080bdd07dc953653b02e81649358631d6dff8717fbf408b9eb4b85274c290af8f38788

C:\Windows\System\lVKrJEL.exe

MD5 a05094a827954988c46f8b24a0995497
SHA1 6c63b4e2f23504d322e28189ba9c047495d32c65
SHA256 4eb2e24cc0eac430b187f1753e6b51f2a4919aad592ec55269f280fedb3379fa
SHA512 660bc0fd405fd38693ad489ed2acdc6e1b59ea5690fac3a095e57e249a2f2643bc3a35f0e9b4f6c2c5f82031d9a64a7a9735ef97aa9da659c30181d8576b8ffb

memory/2180-19-0x00007FF7C67E0000-0x00007FF7C6B34000-memory.dmp

memory/4820-25-0x00007FF6D2830000-0x00007FF6D2B84000-memory.dmp

C:\Windows\System\wGWeYVi.exe

MD5 2074e717177d2e10031f90fad1a4f11e
SHA1 6df61141c4256e5b6690008c411f25f89d8db376
SHA256 7de7618b67f5e0ed4862ed8269779b0f197505771872999dbd779a1acb338fa0
SHA512 473e52f9736900cb3164c604fd3391cb5e2245e6d327450abd7ec4526ea3f7ce9d8ee3f7f6054cefb17f872168f09e9021f49cf46c619f411e2b2f6859fb9606

C:\Windows\System\fvwwYNA.exe

MD5 12f6fc3ad9968d1ed33dac050d797fc9
SHA1 c0c7d858bf97d66d106878fcf866b7608b422b4e
SHA256 088f5011d5f33a2662a76523350a9c1cbecf6dd32be6cda4c594becf94a1a24a
SHA512 73849ed2f4686791610146f38dc89eccccab49cf7016a36028f46864a046774272e653d593631c1fac2bf02e333ae81d65b5e62697638c827d717a18e6bbc8be

C:\Windows\System\cvNWoyX.exe

MD5 54fea8a3e237007fe4619e41e80123a3
SHA1 5cfe8e4defe0e1aa39277d51daf68e0aa6413f24
SHA256 14da0d381389ce7cdb276b6cdb1f634bfa015dc90b4f504e356ff794a4ca451c
SHA512 66592f3ee46d3f20cf55c84cac81e25f57d9760d419c3941dd4660651976a55cb24d1a66c61f3eb165274cd2eaea48a8cf4471d47326562e04d07ec6c362a91f

C:\Windows\System\SpGSPmj.exe

MD5 fc411931e25866f9df62ee848f39cbb8
SHA1 37041617f3dea5763b37ea72cf656f4e3d566267
SHA256 e1283259f2f18bad05da2e6df83eff8213fae9d0d83183829a559cdae2dd74da
SHA512 ad6a5c9c2f6456b45b63b84af478d1348380e4fe7a0c273b3d0e149968b1e96a46d1c8247bb7bcf6978e5627f230e5ccc68727e023458884d969841487d4fab5

C:\Windows\System\EbylySX.exe

MD5 0a912f24c43ca8a7eff2a3ac82796af9
SHA1 73138a4c3847a5c8afdf6430e6d2dca1c7c8075b
SHA256 59dd6e03058485f95610dbc4e74873aae378189a0e3301a0883dc888993b0b38
SHA512 6501d5816a10b5b5a6fbe9d0e6b1fca9bba47098ccd686c4435450a9cc3bbc9e78613371ba46fdb6e70c6afdff95a8e30a50e65d0a4e7d0b4f5d8b49c96ac18a

memory/224-55-0x00007FF70F3D0000-0x00007FF70F724000-memory.dmp

memory/1468-60-0x00007FF6C0DF0000-0x00007FF6C1144000-memory.dmp

memory/3680-61-0x00007FF750D70000-0x00007FF7510C4000-memory.dmp

C:\Windows\System\peNqzNW.exe

MD5 1f4d06f1978e5494b038bbdfb8101d29
SHA1 11b6600a28ccf5e02bdae13d31d2d8e21c4c62f7
SHA256 3a08f83dcb2269d396a0f01e24d7b7b8fd9cf0e9116de2bd1caaf5c3def16764
SHA512 5b8b1b7ad77f2ef05f6562a136d88c15c6a2d17715df183b0b91a85ff1cf4dbcdd897eb94f2c26ec6c00e693b4232715f769b844595c939148c81d2e1fb1e029

memory/1176-53-0x00007FF797B30000-0x00007FF797E84000-memory.dmp

C:\Windows\System\DdsZnRD.exe

MD5 af5799954cb0e6f08c53f806f0f79fdc
SHA1 85038ce28daa2ab43c22087b2f58d40abb6003a0
SHA256 63009dded9d4b8b1adeb935f2b1fee8fe60fa61e65837cea7d73c2a325d321fa
SHA512 936be2d0dc4a6288567b0894b330c342c63f3f07d14c78e3e001070238e286b7e8fbef75dc6060b60dc4cab58b5aeb46e437dd8060080009c4e80c2da479d6e9

memory/3648-48-0x00007FF7A3730000-0x00007FF7A3A84000-memory.dmp

memory/3136-30-0x00007FF68B5A0000-0x00007FF68B8F4000-memory.dmp

memory/2940-29-0x00007FF7AA230000-0x00007FF7AA584000-memory.dmp

C:\Windows\System\OZHyfLo.exe

MD5 16e8180c5f3c22dd67a81ae5cb87ffc8
SHA1 6b9586d7bffd482ef445f720e638d271a8cb6876
SHA256 ddb86af11ad81dce14df5d94a66d22bfb76284864bd0a0b273d2b21fff0392af
SHA512 db3549dbdc52ad2d70b6321164a56a0b43d7a54bbed3940e27b9534bf3e20cff9bb0f7b1577532b77abb3fd6e926168c5c4ff97b1828e88bd2748be227745a0d

memory/1704-70-0x00007FF7F8100000-0x00007FF7F8454000-memory.dmp

C:\Windows\System\yYWXtkZ.exe

MD5 31bc6db4ab0d212af9b267734f9a596a
SHA1 274a4c5dc55995249d3ded97e324fde8f650973b
SHA256 9bd10c5afedcc43c3d39c98ce1ff46fa42a97adb808dafd9d5509f6d09d809f3
SHA512 7f3d40f871ab4e0408a679ca385f9cdceec3ff8a045f233024ebf9c1b8d4e3e299b7e73448d9d8922d21b87550acda1310b1f93846e17640303d2aa90417b461

memory/3256-72-0x00007FF6CFB00000-0x00007FF6CFE54000-memory.dmp

C:\Windows\System\adIuOOS.exe

MD5 909865b2425a92f99dcd3ea26f196ca2
SHA1 d3c960c2310adda17f91aeeeffd0ea0990eb0523
SHA256 3af8b9b119789eb0f38a3c15366484097d65181c4734b9228beecf7b49bd834d
SHA512 e057d879373d8129206f71c6f5278d2179280d3ad31c227d44e0abfc309924b8b7862737bb7269beb02307aa45ca22342e113492e19c5bed93ad2df9f55fc803

memory/3952-80-0x00007FF7BF700000-0x00007FF7BFA54000-memory.dmp

C:\Windows\System\mksJHLw.exe

MD5 2edf846e9574015709e403870bdc4635
SHA1 396f9cd1d9b4bcc33a78119f961527c755f81cc3
SHA256 a981f5bff3a2ac3040d02387409f8eff0bf343ea828f9b8a186559db5f27a021
SHA512 b5e63c185ee3c307ec908c0fdee1626073546f219693b1f9bc6c21a34aec29c42ac913480eb585562b9541d3c42a20d43683fbe850262afc51bb44ca7234f266

C:\Windows\System\XmsuISx.exe

MD5 beb7924e83c0f8128849eb367d44bc06
SHA1 7cf7962a7f6c34451f41f16e27278eebe2ba920b
SHA256 f9fb2282d64bbf6bf547047823153ea73ab3844fc7f836a6cdfe10446769b98f
SHA512 5d5d9a3b1ccd7482ade2393a825e9005ca8be95fd4abe3defb8e3b06ebc9023f6d33717edff5e7d46dd42dff879af356ebe8de4b4bc7a5b0249e879a538cb963

memory/5040-96-0x00007FF78B9B0000-0x00007FF78BD04000-memory.dmp

memory/2180-106-0x00007FF7C67E0000-0x00007FF7C6B34000-memory.dmp

C:\Windows\System\Tlzxdls.exe

MD5 49acb00e15228ca264dad06bcae33de9
SHA1 d7b874ba7a8a11f0d60b614e2e43692e7e859ac1
SHA256 39340cec9fd66e5e8be95d67a048258dddd05caed84740e0162d647300760ca1
SHA512 b2fd4781ce365e5e399b88b7ad81f8d583af26d1a3159c5bcffa351da8982baf1831b448fba373f3b665861504d01ff56924413ccbea4f3df9450649aa211cf2

memory/1416-109-0x00007FF6571F0000-0x00007FF657544000-memory.dmp

C:\Windows\System\XIgkIOQ.exe

MD5 ac7f0a6f4337572c6bc1c0733778b89a
SHA1 549034a92bf310f28b25cb7ce4d9ddc1e55adc8f
SHA256 32484918e9a497c34dabcd0cfc3de396196eda82b999af2a848dfa3041177535
SHA512 365721c5ac9ca3ae2711a57dc607d425314b51d65bc307c9a211081de4f6622865cbe40071b27365ac5ce1ce0b7e06c23d7f8f2f3f82917dbd5ce53baac3aac0

memory/3304-99-0x00007FF626D10000-0x00007FF627064000-memory.dmp

memory/3348-98-0x00007FF7815F0000-0x00007FF781944000-memory.dmp

memory/1820-91-0x00007FF6886E0000-0x00007FF688A34000-memory.dmp

C:\Windows\System\XexVZkE.exe

MD5 1339f635c94f37ff7af48305643fce84
SHA1 c2d7aa902992a563b177588ee5522359b54650c2
SHA256 03e6b0b413bafae370b34bfba1e10775e41551548c557b6ca4d0ae8f97260452
SHA512 f3b237fa041766a366501af963b0d7bbb32b6b46fa9201ed7312bd4233fa994c96b195ca3f25829a410b96cf9d422f7463d0dbf5dd679c4b051fbf6f4145c516

memory/2948-85-0x00007FF69C9F0000-0x00007FF69CD44000-memory.dmp

C:\Windows\System\ohiXRai.exe

MD5 f0cb0eb24a12de035e05a7c76a6ab31f
SHA1 e4d073c069cae9ef9cccaad8b3c55132f9dfceac
SHA256 7edcec4b39c9794b68a9b8209105e9ced2ffaa3b0ccb4c1c7389cb958d8923a8
SHA512 a30a093df36eef61a833812fb2ca752fbe8bb4e1f6f1cf60a62f34bf6c8bcd2e1b6af42991862a86f7153e0effd77af7b9de90ff8bd6195b0703c8655f5ff6ed

C:\Windows\System\QzlXgvg.exe

MD5 314886c33da669835c4193c7a0b8357c
SHA1 c48b93aa29fc9d3df77c31dedbfd263efa243588
SHA256 41a5211356a3f6e2eb0bfd1c78a844b961f8571383dde9d8318af82b8765d972
SHA512 906149e6f2b92e988a0443ff8d32b66042895b4834c97af551f4b92242f8684a4b4b5f8e03f22d562053e248acf9ac1082f801d91af79b83a34c102b3ce4580d

memory/4820-123-0x00007FF6D2830000-0x00007FF6D2B84000-memory.dmp

C:\Windows\System\KCPZSho.exe

MD5 70d7393fbc8bc3579915a73d25f9bb38
SHA1 9af8f983065150f09ae9d11c3afebd9c3dceb26f
SHA256 36967c88bd53308585a607ca860050bddecad5e9e9bc7692d2e5a61c231ba6ac
SHA512 52933c8ad1a52411e26cc88bfb661d47dde150acaa43fac4f494864c91cf1a0a938981661fb17e6b86c04c85a401061339214e9f21e8704eb38c026c4e054944

memory/3760-126-0x00007FF62C000000-0x00007FF62C354000-memory.dmp

memory/4828-124-0x00007FF602AF0000-0x00007FF602E44000-memory.dmp

memory/1240-130-0x00007FF782650000-0x00007FF7829A4000-memory.dmp

memory/2940-131-0x00007FF7AA230000-0x00007FF7AA584000-memory.dmp

memory/2104-132-0x00007FF7DF230000-0x00007FF7DF584000-memory.dmp

memory/3256-133-0x00007FF6CFB00000-0x00007FF6CFE54000-memory.dmp

memory/1820-134-0x00007FF6886E0000-0x00007FF688A34000-memory.dmp

memory/3304-135-0x00007FF626D10000-0x00007FF627064000-memory.dmp

memory/3952-136-0x00007FF7BF700000-0x00007FF7BFA54000-memory.dmp

memory/2180-137-0x00007FF7C67E0000-0x00007FF7C6B34000-memory.dmp

memory/4820-138-0x00007FF6D2830000-0x00007FF6D2B84000-memory.dmp

memory/3136-139-0x00007FF68B5A0000-0x00007FF68B8F4000-memory.dmp

memory/2940-142-0x00007FF7AA230000-0x00007FF7AA584000-memory.dmp

memory/224-140-0x00007FF70F3D0000-0x00007FF70F724000-memory.dmp

memory/3648-141-0x00007FF7A3730000-0x00007FF7A3A84000-memory.dmp

memory/1176-143-0x00007FF797B30000-0x00007FF797E84000-memory.dmp

memory/1468-144-0x00007FF6C0DF0000-0x00007FF6C1144000-memory.dmp

memory/3680-145-0x00007FF750D70000-0x00007FF7510C4000-memory.dmp

memory/1704-146-0x00007FF7F8100000-0x00007FF7F8454000-memory.dmp

memory/3256-147-0x00007FF6CFB00000-0x00007FF6CFE54000-memory.dmp

memory/2948-148-0x00007FF69C9F0000-0x00007FF69CD44000-memory.dmp

memory/1820-150-0x00007FF6886E0000-0x00007FF688A34000-memory.dmp

memory/3348-149-0x00007FF7815F0000-0x00007FF781944000-memory.dmp

memory/1416-152-0x00007FF6571F0000-0x00007FF657544000-memory.dmp

memory/3304-151-0x00007FF626D10000-0x00007FF627064000-memory.dmp

memory/4828-153-0x00007FF602AF0000-0x00007FF602E44000-memory.dmp

memory/3760-154-0x00007FF62C000000-0x00007FF62C354000-memory.dmp

memory/1240-155-0x00007FF782650000-0x00007FF7829A4000-memory.dmp

memory/2104-156-0x00007FF7DF230000-0x00007FF7DF584000-memory.dmp