Malware Analysis Report

2024-10-16 03:08

Sample ID 240608-2xcsgaad47
Target 2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike
SHA256 78fcbd8cbefe908d6c6f73a0b8e7829af328edeb872d0401d791b57c52a370ab
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

78fcbd8cbefe908d6c6f73a0b8e7829af328edeb872d0401d791b57c52a370ab

Threat Level: Known bad

The file 2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

xmrig

Xmrig family

Cobaltstrike family

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 22:58

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 22:57

Reported

2024-06-08 23:00

Platform

win7-20240508-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\AsZScSZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qnJVCYb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BtcNOie.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UhilpgV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wAoaaAc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HlHgsqQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\agtEfcE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KdOPoZZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PwGDnEk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HMwOZKS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WfQeQSX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FnSjCJZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cPlOvMM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SiZsUHe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NJUXlze.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pFeorvu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lsfOWFQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mSpXwwS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mwUsmsu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QgrikdM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\klKvZIR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\lsfOWFQ.exe
PID 1684 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\lsfOWFQ.exe
PID 1684 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\lsfOWFQ.exe
PID 1684 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\HMwOZKS.exe
PID 1684 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\HMwOZKS.exe
PID 1684 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\HMwOZKS.exe
PID 1684 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\FnSjCJZ.exe
PID 1684 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\FnSjCJZ.exe
PID 1684 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\FnSjCJZ.exe
PID 1684 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\mSpXwwS.exe
PID 1684 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\mSpXwwS.exe
PID 1684 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\mSpXwwS.exe
PID 1684 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\UhilpgV.exe
PID 1684 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\UhilpgV.exe
PID 1684 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\UhilpgV.exe
PID 1684 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\mwUsmsu.exe
PID 1684 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\mwUsmsu.exe
PID 1684 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\mwUsmsu.exe
PID 1684 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\wAoaaAc.exe
PID 1684 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\wAoaaAc.exe
PID 1684 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\wAoaaAc.exe
PID 1684 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\HlHgsqQ.exe
PID 1684 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\HlHgsqQ.exe
PID 1684 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\HlHgsqQ.exe
PID 1684 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\WfQeQSX.exe
PID 1684 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\WfQeQSX.exe
PID 1684 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\WfQeQSX.exe
PID 1684 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\QgrikdM.exe
PID 1684 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\QgrikdM.exe
PID 1684 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\QgrikdM.exe
PID 1684 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\klKvZIR.exe
PID 1684 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\klKvZIR.exe
PID 1684 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\klKvZIR.exe
PID 1684 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\agtEfcE.exe
PID 1684 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\agtEfcE.exe
PID 1684 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\agtEfcE.exe
PID 1684 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\KdOPoZZ.exe
PID 1684 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\KdOPoZZ.exe
PID 1684 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\KdOPoZZ.exe
PID 1684 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\AsZScSZ.exe
PID 1684 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\AsZScSZ.exe
PID 1684 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\AsZScSZ.exe
PID 1684 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\qnJVCYb.exe
PID 1684 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\qnJVCYb.exe
PID 1684 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\qnJVCYb.exe
PID 1684 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\BtcNOie.exe
PID 1684 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\BtcNOie.exe
PID 1684 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\BtcNOie.exe
PID 1684 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\NJUXlze.exe
PID 1684 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\NJUXlze.exe
PID 1684 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\NJUXlze.exe
PID 1684 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\cPlOvMM.exe
PID 1684 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\cPlOvMM.exe
PID 1684 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\cPlOvMM.exe
PID 1684 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\SiZsUHe.exe
PID 1684 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\SiZsUHe.exe
PID 1684 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\SiZsUHe.exe
PID 1684 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\PwGDnEk.exe
PID 1684 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\PwGDnEk.exe
PID 1684 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\PwGDnEk.exe
PID 1684 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\pFeorvu.exe
PID 1684 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\pFeorvu.exe
PID 1684 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\pFeorvu.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\lsfOWFQ.exe

C:\Windows\System\lsfOWFQ.exe

C:\Windows\System\HMwOZKS.exe

C:\Windows\System\HMwOZKS.exe

C:\Windows\System\FnSjCJZ.exe

C:\Windows\System\FnSjCJZ.exe

C:\Windows\System\mSpXwwS.exe

C:\Windows\System\mSpXwwS.exe

C:\Windows\System\UhilpgV.exe

C:\Windows\System\UhilpgV.exe

C:\Windows\System\mwUsmsu.exe

C:\Windows\System\mwUsmsu.exe

C:\Windows\System\wAoaaAc.exe

C:\Windows\System\wAoaaAc.exe

C:\Windows\System\HlHgsqQ.exe

C:\Windows\System\HlHgsqQ.exe

C:\Windows\System\WfQeQSX.exe

C:\Windows\System\WfQeQSX.exe

C:\Windows\System\QgrikdM.exe

C:\Windows\System\QgrikdM.exe

C:\Windows\System\klKvZIR.exe

C:\Windows\System\klKvZIR.exe

C:\Windows\System\agtEfcE.exe

C:\Windows\System\agtEfcE.exe

C:\Windows\System\KdOPoZZ.exe

C:\Windows\System\KdOPoZZ.exe

C:\Windows\System\AsZScSZ.exe

C:\Windows\System\AsZScSZ.exe

C:\Windows\System\qnJVCYb.exe

C:\Windows\System\qnJVCYb.exe

C:\Windows\System\BtcNOie.exe

C:\Windows\System\BtcNOie.exe

C:\Windows\System\NJUXlze.exe

C:\Windows\System\NJUXlze.exe

C:\Windows\System\cPlOvMM.exe

C:\Windows\System\cPlOvMM.exe

C:\Windows\System\SiZsUHe.exe

C:\Windows\System\SiZsUHe.exe

C:\Windows\System\PwGDnEk.exe

C:\Windows\System\PwGDnEk.exe

C:\Windows\System\pFeorvu.exe

C:\Windows\System\pFeorvu.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/1684-0-0x000000013F240000-0x000000013F594000-memory.dmp

memory/1684-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\lsfOWFQ.exe

MD5 0161c02e29aaa37126e9f49c7cc256a8
SHA1 183080b4a6ca192c4f2b6705f683441c8ac53c53
SHA256 d80631dc2c8580acb520a6615c8d36ff15885774c94325d51ca6063c5b4b63bd
SHA512 810b4822e7824d90eee3680066217399dee3c00cb8f58dca99646deffdc38a354f755ac4e3900522e8acec1714728dc38c6e5709911016799d24330cbcb9b8bb

C:\Windows\system\HMwOZKS.exe

MD5 f86fa47acd0c7111789e1994a0da66ac
SHA1 9adbe746ef5d779c4c3253f3b141de8985575496
SHA256 fe38779d2ee22cb1849df83a74ac7e43a97d61a73fcc14dfed0a244620eec553
SHA512 16fb896b506ea58efe18f79db67fddfd7fcb5ac2bb18fc488eaec59a149e50bb93e14a49f9528241268fcf0d25e6664d2e74bfe90b97f0ade5d206a282d6330b

\Windows\system\FnSjCJZ.exe

MD5 776bcdfbc39c30efb953ad4f4ea686b4
SHA1 d80ff38ebf4e8405803b274a157dbcbceffdd2a0
SHA256 c32a76fb8d87796013ec6c5653163994bbdd16d3434a29968938daff22e98715
SHA512 8b4f3705114711d9114d4c495775d217cee0fdee44d47f19664d857786f0bb529406e757b6520769315a4a232bc40c323997834f367e533e49d5b2f1957c95a8

\Windows\system\mSpXwwS.exe

MD5 e3343a4359a25f17ac1b447b991b1e14
SHA1 d23d75509e642bab72c9f8de028950bc78a82493
SHA256 1aaa15013216b9f27f7f0fce70bfb149f88d7594258765e74a5926e8b299cf8d
SHA512 b652f4be270a420f62ff8f81be336b03780fc2213ba2dabd6e3d6e2ce1cd9a4ee315f236525763d36231d387c4d6f9808e8d32888a646dffba29585e52ffd627

memory/2148-21-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2128-28-0x000000013F020000-0x000000013F374000-memory.dmp

\Windows\system\wAoaaAc.exe

MD5 368ea77c28b28ffc6f6c91bb282a7504
SHA1 232dba8cec47d983ad396b41713bb5eac77b7082
SHA256 e5921cc1afc15cb9c5905770b69cc90d97e75159a1da5a92d91d6f2876654ec4
SHA512 878c2b8a3f0778202a3087865802fd02a0bd9063997129431883b862ff6828e38482aa15a103609f32afd5db154c08684d2f50115804ea3b6d1c80dde0c160fc

C:\Windows\system\WfQeQSX.exe

MD5 91102aa4b066f5aa2bb58c2da2222b9d
SHA1 5e74951e958a96fcccfbe5c7c6b0d1df03237bd4
SHA256 0739a0138e3a03cb9b999f64c0e1957b17b43532a2ebd7bda2b0d4030c05713e
SHA512 d799506b1f2a66b0a6b287ca103a10558cf6b2423d66a81294f2a762b7a2e510c6bb4839fbaffaa034d5c7bff086bea7ad6c92fd5f59b46c5d75799d1088f0d9

\Windows\system\SiZsUHe.exe

MD5 f51376e041cda28100d1814e5b2d4eb4
SHA1 36cd09b34fa887f21baf8f9d08f2813544050608
SHA256 6f10055b4f6b1360ef622ae838566d5e82880e9eac4bdecd713a797b2fcb1e5f
SHA512 a93b2e8aac3ffe76e639e79015de52bce7e3d21e24a0b3698e6b95a77688b1fe3b877de5a06dde649780d4f811dfd3461cf6420bb8ad33a7fb296f320c37d30a

C:\Windows\system\QgrikdM.exe

MD5 28192e0987d8fa7dd1788afc3727b55e
SHA1 dc26b93fa11b0fbab748d9ac9d7165ffdf977ca5
SHA256 20f96a548047378384ad5c41d925f3810f960025ad9a3bfce19513b523610cf6
SHA512 9a4220cd59d3099cef61098513dec07423e5bd5fe34f6a8271368634d73211af8d6632a375e33979c1a601abd8bc413ad3b2ea11a10a4bc406acda257bcae8c5

\Windows\system\PwGDnEk.exe

MD5 e59f4b7fe10c2d2b6a6a5f149aad3cb0
SHA1 82cccb0fbe70fc62400be6375500a882c57e741f
SHA256 7780f5415ed29f66fff79e3596455f2bdf6fb5c2c4315f478049d74f9fbe783f
SHA512 bce99248b9d537238fd149df0686762a879426da857afd6a1c9dad5b6c55179b36fa6a269023fb87eab524e3e7ed1dec2ce881f396e504924bc82407ec6ee7e3

C:\Windows\system\NJUXlze.exe

MD5 1f5e7dceaaf3c995f6e79ebd7990f121
SHA1 c5954f64063e8d3f286bda17aa623d44b7c2fa42
SHA256 c69d464347fbb31284edf45597388d3116d06825c02a893321c0328dd1543724
SHA512 473ce0329d41944cdbc23b0da2309c32a62879119419aae990d66ab4a5dee2d35744bd4c3011030ad489e6ee043e0f6b88b48d7672f75bb3ec5601f23e39bf9f

\Windows\system\cPlOvMM.exe

MD5 44ce388f66972e1af9015f4dfbfc6fc7
SHA1 b4b36aff7271ca13daa29921c528d801ecfbb559
SHA256 1e01a7719fe3848a48a8ff11e5107bf39eb7cac8f306696a595475652e05195b
SHA512 9797fff76d0eb5342fdafc1d94850dc406bd458f714129c694414629051e667addcd436b9776c784fc43cc0c6a0693f9bf1e1781bde3d04e86dab23de7ee1b82

\Windows\system\BtcNOie.exe

MD5 3ab63152b2c900b2f899fb0891537f1b
SHA1 3966090ce466b642bbf8efad43eb3aa7acf51d5c
SHA256 637b193887a99af2a47ced42ea04f151048f6d4be7ef3bb34f6018f5d3ab9ecc
SHA512 241bcba13496269ae885864fe78b3ad425e3fbad1dd0e5d886d71b27186b8203833f01abdcd14b6caa43841126474b9b558b1835173fef978c076310f9a2e28f

\Windows\system\AsZScSZ.exe

MD5 28964b676fbc088a42a7f11cd3acfbeb
SHA1 c60a542cef263d96441a813a9da06cc37347ce60
SHA256 02b0863a4b7b7de13e9a125459cdb2f5019d05879d8effbd94f86dbde7568fbd
SHA512 4331ccb07106efd4f1260f0903db197c9c6938a97358ec30a358f242c8a85cbae8090805eb8c500aa26cf36ed5d6ce9a84cd28a07eb29283caa1898490921314

\Windows\system\agtEfcE.exe

MD5 2b280d1ccbc0be1152c8e9ce881565f1
SHA1 92a08e354ced5c522f25d349ff2ca7f9af1f4abf
SHA256 2ffe8804171f075362ba25811b1e9c3fb9088715cb30c597a488c02aaa616560
SHA512 508d758a8b8db9c34aceaf16250aa39d08ac6971d7e32eba08940c890c85278010107565291407c018991739c23bb691f3a0c0b7418a773bf30678c0a71738e7

memory/1684-122-0x0000000002220000-0x0000000002574000-memory.dmp

memory/2776-121-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/1684-120-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/1684-119-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2044-118-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/1684-117-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/1684-116-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/3040-115-0x000000013F920000-0x000000013FC74000-memory.dmp

C:\Windows\system\pFeorvu.exe

MD5 3bc1e9134a1519ff2bfd067c6dabd273
SHA1 54c349f4f0ad30dfb2082bba74348ee81e838910
SHA256 ade3c600669e2cb40835e51f83d2b8cdf238d0297adaa856ea992990aa03784e
SHA512 592f629ab0b62ff72c5b4137a111c8613596a03d7e67ecd803d32a97ac097eeda0bf84aa6ef1a27d36be8d452755848720e21d5532144b0181e17e542d133554

memory/1684-113-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2580-112-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/1684-111-0x000000013FE00000-0x0000000140154000-memory.dmp

C:\Windows\system\qnJVCYb.exe

MD5 88b45e9fe12548341e737d53d28e1beb
SHA1 3f640187e5ceaf25b5966380e20165c00aa10d2a
SHA256 5ad54c09e5f1597722aef69ea2a4c58b8c66a2bc7ce429346f3ff2f96f2b4658
SHA512 73c1d48e970a128a12bb002e0a7398ff5c7d8857d047b5bb99d012614d91abc4351b6c454d00ba70107f1c4a1f3c0d5fcba5e97861bd888b9302b3c649519f01

memory/1684-135-0x000000013F240000-0x000000013F594000-memory.dmp

C:\Windows\system\KdOPoZZ.exe

MD5 1a37a6dcd045b1102bf253959d45437d
SHA1 bcad682ee8bf8f0f3cd60750f7ceab6f0758b4ef
SHA256 6a125340e7cd3f9d8ef83ac3221e98950c681c16e381307fc0dcc9417c1cffd5
SHA512 5f479e131cb5a3d40baa52bc5139fb0b685219bbdb88e0ff1283da178e585d9f97e84c04dac8623709aebfa53af0d270bdae452cfc97fba688a777bdfcf53b94

C:\Windows\system\klKvZIR.exe

MD5 d62805b7748fe925ad5feea84d5c1fcc
SHA1 b7a4ec8c33c0705b46fea6061a3334739de6dacc
SHA256 9d2597b831899fa007bb4160570a061e1e7692e64fc072ddb417a5c6ea34bee0
SHA512 f5ef5042e1bb0be08321d9f260cb1e9c04fa36fb7eae832ab28a3341ed2f8ef4dc1a4f0c79f6a398f9b8ffa5f56ef3710d12a0d40118f474e69fa4e7a70f5cb2

memory/2508-63-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/1684-62-0x0000000002220000-0x0000000002574000-memory.dmp

memory/2772-57-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2936-56-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/2724-55-0x000000013F8B0000-0x000000013FC04000-memory.dmp

C:\Windows\system\HlHgsqQ.exe

MD5 e78f41432ba19925d021746529dd75a3
SHA1 17324759f4e8a5c8de8320dcff8edc8238ff6fcd
SHA256 98c4916ab02a4ef284768ba401d9050a90ba7622a89717559a3e6050eee19843
SHA512 363dfcb863d5276f4a2ac026410ab7e25f33aee6b69d98cb6dbae140c7f15f6e80f75c57732e38bcf3fbbdf88fffa1a136660e9fc99b5f9359181a54ffcf1000

C:\Windows\system\mwUsmsu.exe

MD5 470f503fdacf95aaa0381d08e76350b8
SHA1 8689df4da12ea71d195f7a0b86883034954f2ec3
SHA256 6880f96b4e4a0f9fbf5cac206552b03de32a54457d9250a5b3c804c210083813
SHA512 fd64655365e3e1bf51d0c46c5b9b05651a88882aac2d04f384308b75efd19be841f1aef5eab9336be338a7e392345fff03f72b4a3a832bb7191d529c69cbbdcf

memory/1684-48-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/1684-47-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/1684-46-0x0000000002220000-0x0000000002574000-memory.dmp

memory/2612-39-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/1684-27-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/1684-26-0x0000000002220000-0x0000000002574000-memory.dmp

memory/3068-25-0x000000013F3F0000-0x000000013F744000-memory.dmp

memory/1684-34-0x000000013F6B0000-0x000000013FA04000-memory.dmp

C:\Windows\system\UhilpgV.exe

MD5 dd43b2d0b92be2f9ed4e43c04199a70c
SHA1 30181a4a5892bd4eb8fc926f8e47162ec32145cb
SHA256 4b940748395cd26fbada154e0876b104df4a56bc130e590bc55e1cd564472841
SHA512 6ebbb8a5a54c08eaa84594c5a287019fe0861f2071ab94b259eeab6dbd64b7ed97fdb690fa9fd8f1e3c08a966186cd73ffd121679107c91834e8aa3be7d8c6a6

memory/1684-24-0x0000000002220000-0x0000000002574000-memory.dmp

memory/2332-23-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2128-137-0x000000013F020000-0x000000013F374000-memory.dmp

memory/1684-136-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/1684-138-0x0000000002220000-0x0000000002574000-memory.dmp

memory/2508-139-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/2148-140-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/3068-141-0x000000013F3F0000-0x000000013F744000-memory.dmp

memory/2332-142-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2612-143-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2128-144-0x000000013F020000-0x000000013F374000-memory.dmp

memory/2936-145-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/2724-147-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2772-146-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/3040-150-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2508-149-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/2044-152-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/2776-151-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2580-148-0x000000013FE00000-0x0000000140154000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 22:57

Reported

2024-06-08 23:01

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\qmQejWP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YpiSdUZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iLGWsBX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BCAXvaW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HyXiURx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cZqgwfG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RzXszbd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mZJjVqq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LeSExwU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fmTxNuA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xltclRj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nZShWGB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ejAIPSJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ccdBudi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kUNGGKm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WFTWrZE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xkLLsbK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FHQjMxD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tNSrmtG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AIPzULs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CXGiOvk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1452 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\BCAXvaW.exe
PID 1452 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\BCAXvaW.exe
PID 1452 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\qmQejWP.exe
PID 1452 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\qmQejWP.exe
PID 1452 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\HyXiURx.exe
PID 1452 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\HyXiURx.exe
PID 1452 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\cZqgwfG.exe
PID 1452 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\cZqgwfG.exe
PID 1452 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\xkLLsbK.exe
PID 1452 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\xkLLsbK.exe
PID 1452 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\FHQjMxD.exe
PID 1452 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\FHQjMxD.exe
PID 1452 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\tNSrmtG.exe
PID 1452 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\tNSrmtG.exe
PID 1452 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\xltclRj.exe
PID 1452 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\xltclRj.exe
PID 1452 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\YpiSdUZ.exe
PID 1452 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\YpiSdUZ.exe
PID 1452 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\nZShWGB.exe
PID 1452 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\nZShWGB.exe
PID 1452 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\AIPzULs.exe
PID 1452 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\AIPzULs.exe
PID 1452 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\RzXszbd.exe
PID 1452 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\RzXszbd.exe
PID 1452 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\iLGWsBX.exe
PID 1452 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\iLGWsBX.exe
PID 1452 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\ejAIPSJ.exe
PID 1452 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\ejAIPSJ.exe
PID 1452 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\ccdBudi.exe
PID 1452 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\ccdBudi.exe
PID 1452 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\CXGiOvk.exe
PID 1452 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\CXGiOvk.exe
PID 1452 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\kUNGGKm.exe
PID 1452 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\kUNGGKm.exe
PID 1452 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\WFTWrZE.exe
PID 1452 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\WFTWrZE.exe
PID 1452 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\LeSExwU.exe
PID 1452 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\LeSExwU.exe
PID 1452 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\fmTxNuA.exe
PID 1452 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\fmTxNuA.exe
PID 1452 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\mZJjVqq.exe
PID 1452 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe C:\Windows\System\mZJjVqq.exe
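Every target in the WriteProcessMemory table is one of the 21 images the same parent (PID 1452) had just written into C:\Windows\System\ (see the "Drops file in Windows directory" table), and each child is written to exactly twice. Correlating the two tables is a quick way to separate "dropper launching its own copies" from "write into a process the writer did not create". The script below is an added example, not part of the sandbox report; it parses rows in the layout of the two tables (three of the 21 children copied from the report, plus one constructed row with a hypothetical PID 9999 and an image that was never dropped) and reports, per target PID, the write count and whether the writer dropped that image itself.

```python
import re
from collections import defaultdict

# The dropper's path exactly as it appears in the Process column of both tables.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe")

# Rows in the row layout of the two tables above. The report rows are copied
# (three of the 21 children); the final WPM row is constructed, not from the
# report, to show how a write into an image the writer never dropped is flagged.
DROP_ROWS = [
    "File created " + r"C:\Windows\System\qmQejWP.exe" + " " + PARENT + " N/A",
    "File created " + r"C:\Windows\System\BCAXvaW.exe" + " " + PARENT + " N/A",
    "File created " + r"C:\Windows\System\HyXiURx.exe" + " " + PARENT + " N/A",
]
WPM_ROWS = [
    "PID 1452 wrote to memory of 760 N/A " + PARENT + " " + r"C:\Windows\System\BCAXvaW.exe",
    "PID 1452 wrote to memory of 760 N/A " + PARENT + " " + r"C:\Windows\System\BCAXvaW.exe",
    "PID 1452 wrote to memory of 3968 N/A " + PARENT + " " + r"C:\Windows\System\qmQejWP.exe",
    "PID 1452 wrote to memory of 3968 N/A " + PARENT + " " + r"C:\Windows\System\qmQejWP.exe",
    "PID 1452 wrote to memory of 3152 N/A " + PARENT + " " + r"C:\Windows\System\HyXiURx.exe",
    "PID 1452 wrote to memory of 3152 N/A " + PARENT + " " + r"C:\Windows\System\HyXiURx.exe",
    # constructed row (hypothetical PID 9999), not present in the report
    "PID 1452 wrote to memory of 9999 N/A " + PARENT + " " + r"C:\Windows\System32\notepad.exe",
]

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_dropped(rows):
    """Map dropper path -> set of lower-cased file paths it created."""
    dropped = defaultdict(set)
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            created, by = m.groups()
            dropped[by].add(created.lower())
    return dropped


def parse_writes(rows):
    """Map (writer_pid, writer_path) -> {target_pid: (target_path, write_count)}."""
    writes = defaultdict(dict)
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        wpid, tpid, wpath, tpath = m.groups()
        key = (int(wpid), wpath)
        path, n = writes[key].get(int(tpid), (tpath, 0))
        writes[key][int(tpid)] = (path, n + 1)
    return writes


def classify(drop_rows, wpm_rows):
    """Per target PID: image path, number of writes, and whether the writer dropped it."""
    dropped = parse_dropped(drop_rows)
    result = {}
    for (wpid, wpath), targets in parse_writes(wpm_rows).items():
        own_drops = dropped.get(wpath, set())
        for tpid, (tpath, n) in targets.items():
            result[tpid] = {
                "writer": wpid,
                "image": tpath,
                "writes": n,
                "dropped_by_writer": tpath.lower() in own_drops,
            }
    return result


if __name__ == "__main__":
    for pid, info in sorted(classify(DROP_ROWS, WPM_ROWS).items()):
        flag = "" if info["dropped_by_writer"] else "  <-- target not dropped by writer"
        print(f"{info['writer']} -> {pid} x{info['writes']} {info['image']}{flag}")
```

Run against the full 42 rows from this report, every target comes back with two writes and `dropped_by_writer` set, which is the pattern of a parent starting processes from files it just wrote; only the constructed notepad.exe row trips the flag.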

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\BCAXvaW.exe

C:\Windows\System\BCAXvaW.exe

C:\Windows\System\qmQejWP.exe

C:\Windows\System\qmQejWP.exe

C:\Windows\System\HyXiURx.exe

C:\Windows\System\HyXiURx.exe

C:\Windows\System\cZqgwfG.exe

C:\Windows\System\cZqgwfG.exe

C:\Windows\System\xkLLsbK.exe

C:\Windows\System\xkLLsbK.exe

C:\Windows\System\FHQjMxD.exe

C:\Windows\System\FHQjMxD.exe

C:\Windows\System\tNSrmtG.exe

C:\Windows\System\tNSrmtG.exe

C:\Windows\System\xltclRj.exe

C:\Windows\System\xltclRj.exe

C:\Windows\System\YpiSdUZ.exe

C:\Windows\System\YpiSdUZ.exe

C:\Windows\System\nZShWGB.exe

C:\Windows\System\nZShWGB.exe

C:\Windows\System\AIPzULs.exe

C:\Windows\System\AIPzULs.exe

C:\Windows\System\RzXszbd.exe

C:\Windows\System\RzXszbd.exe

C:\Windows\System\iLGWsBX.exe

C:\Windows\System\iLGWsBX.exe

C:\Windows\System\ejAIPSJ.exe

C:\Windows\System\ejAIPSJ.exe

C:\Windows\System\ccdBudi.exe

C:\Windows\System\ccdBudi.exe

C:\Windows\System\CXGiOvk.exe

C:\Windows\System\CXGiOvk.exe

C:\Windows\System\kUNGGKm.exe

C:\Windows\System\kUNGGKm.exe

C:\Windows\System\WFTWrZE.exe

C:\Windows\System\WFTWrZE.exe

C:\Windows\System\LeSExwU.exe

C:\Windows\System\LeSExwU.exe

C:\Windows\System\fmTxNuA.exe

C:\Windows\System\fmTxNuA.exe

C:\Windows\System\mZJjVqq.exe

C:\Windows\System\mZJjVqq.exe

Network

Country  Destination         Domain                           Proto
US       8.8.8.8:53          58.55.71.13.in-addr.arpa         udp
US       8.8.8.8:53          101.58.20.217.in-addr.arpa       udp
US       8.8.8.8:53          136.32.126.40.in-addr.arpa       udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa      udp
DE       3.120.209.58:8080   -                                tcp
US       8.8.8.8:53          228.249.119.40.in-addr.arpa      udp
US       8.8.8.8:53          13.86.106.20.in-addr.arpa        udp
US       8.8.8.8:53          103.169.127.40.in-addr.arpa      udp
US       8.8.8.8:53          15.164.165.52.in-addr.arpa       udp
DE       3.120.209.58:8080   -                                tcp
DE       3.120.209.58:8080   -                                tcp
US       8.8.8.8:53          0.205.248.87.in-addr.arpa        udp
DE       3.120.209.58:8080   -                                tcp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa     udp
US       8.8.8.8:53          22.236.111.52.in-addr.arpa       udp
DE       3.120.209.58:8080   -                                tcp
DE       3.120.209.58:8080   -                                tcp
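Two kinds of rows appear in the Network table: reverse-DNS (in-addr.arpa) queries sent to 8.8.8.8, and six direct TCP connections to 3.120.209.58:8080 with no name resolution in between. The PTR names encode the address being looked up in reversed octet order, and reverse lookups like these can come from the sandbox OS as much as from the sample, so the row worth pivoting on is the repeated direct connection to one host:port. The script below is an added example, not part of the sandbox report; it takes the 17 rows above in the sandbox's own row layout (a TCP row simply has no Domain column), turns each PTR name back into the IPv4 address it asks about, and counts connections per destination so that a destination hit repeatedly stands out.

```python
import re
from collections import Counter

# The 17 rows of the Network table above, as the sandbox exports them
# (a row with no reverse-DNS name has only three columns).
NETWORK_ROWS = """
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
""".strip().splitlines()

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def ptr_to_ip(name):
    """Return the IPv4 address a reverse-DNS query name asks about, or None.

    PTR names carry the octets in reverse order: 58.55.71.13.in-addr.arpa
    is the lookup for 13.71.55.58.
    """
    m = PTR_RE.match(name.strip().lower().rstrip("."))
    if not m:
        return None
    return ".".join(reversed(m.groups()))


def parse_row(row):
    """Split one table row into its fields; Domain is optional and '-' means absent."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
        if domain == "-":
            domain = None
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row layout: {row!r}")
    host, port = dest.rsplit(":", 1)
    return {"country": country, "host": host, "port": int(port),
            "domain": domain, "proto": proto}


def summarize(rows):
    """Return (addresses looked up via PTR, Counter of direct (host, port, proto))."""
    looked_up = []
    direct = Counter()
    for row in rows:
        r = parse_row(row)
        if r["domain"] is not None:
            ip = ptr_to_ip(r["domain"])
            if ip is not None:
                looked_up.append(ip)
        else:
            direct[(r["host"], r["port"], r["proto"])] += 1
    return looked_up, direct


def repeated_destinations(direct, threshold=3):
    """Destinations contacted at least `threshold` times without a preceding lookup."""
    return {k: n for k, n in direct.items() if n >= threshold}


if __name__ == "__main__":
    looked_up, direct = summarize(NETWORK_ROWS)
    print("addresses reverse-resolved:", ", ".join(looked_up))
    for (host, port, proto), n in repeated_destinations(direct).items():
        print(f"repeated direct connection: {host}:{port}/{proto} x{n}")
```

The threshold of three is an assumption for illustration; what matters is that the destination is contacted repeatedly with no DNS resolution attached to it, which is how a hard-coded address in the sample shows up in sandbox traffic.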

Files

memory/1452-0-0x00007FF623990000-0x00007FF623CE4000-memory.dmp

memory/1452-1-0x0000017F229D0000-0x0000017F229E0000-memory.dmp

C:\Windows\System\BCAXvaW.exe

MD5 95c7b08890678ef3487c6d9a1b2919da
SHA1 5d7dc3f123030b243ac89a67e530be3fe371f65e
SHA256 0f3a46434d3312a1494342329d2ab659a099a333e5214ad21e591c5a203e2de5
SHA512 0063f14a4d8432a0825cc03dcdd6f2a770d3327dc0990760d7438503c100623cee8ccf16b193f0f4385f6d906da35354ea80c6b7e0f8fc3ceef861ceb1c159d0

memory/760-7-0x00007FF697860000-0x00007FF697BB4000-memory.dmp

C:\Windows\System\qmQejWP.exe

MD5 0ff2c64b7e9e6475c703eb2aa38a7371
SHA1 5ad0f723337d5aa68ef23c2d8377ed826556451e
SHA256 d0428b1d16d48388d07c80b89a549f3bb01be93420c9a37c942d7ca5174af1b7
SHA512 ca149fcfacf00a8b25e380bb5fe636ccfbd57c5dad4ef587483199ae6c82e74007499d1e81a41bf1feef7f4df1a3c36b1dc90f453bcc883b8d09fec1d02d5d3c

memory/3968-15-0x00007FF73C110000-0x00007FF73C464000-memory.dmp

memory/3152-22-0x00007FF70D020000-0x00007FF70D374000-memory.dmp

memory/2308-25-0x00007FF7EC1E0000-0x00007FF7EC534000-memory.dmp

C:\Windows\System\cZqgwfG.exe

MD5 366568313d2761295f4beb70c8ed5269
SHA1 abe7c8071dd95a765c13d397eb3b45786fd95eb5
SHA256 3faf68a15b98929554b55ecc3f2e5c6fb66f1d71c71763f7b065dd1f7680aa2d
SHA512 788acfb73a40fab31c6f0cf43190026a1e81cb1a90dd1960ec239c2e4e9a0f82d8523b79d3a3a118a3daee178984269135d8b04c3a75a16a6ff886400ff9ab58

C:\Windows\System\xkLLsbK.exe

MD5 69628d43bf2d4448671e3cd1f33591bb
SHA1 97b878f33780c7b1cef79040471ecfcb8f49803b
SHA256 1e1cb4545bc0688805a7fdd23dccc31fc7a7ca2073c86c998cad4b1b0e1dd9ea
SHA512 7a9e261c69fec03036eb8488a90e65c945df2a8e4a40cdd1fba33e143bd5826c2c577ac1b3fae34a8d655ea37aada6549c624c44d9821ea963250c040044c677

memory/1412-38-0x00007FF7227B0000-0x00007FF722B04000-memory.dmp

C:\Windows\System\FHQjMxD.exe

MD5 792cf92512a40fbba88808bc12d458fd
SHA1 a9afa3e25850aad33e7d8429629433e27dd1bca1
SHA256 ae677fc187a0b3235903051fdf33d270edf14fb15ee85d01ab26c8cf35d8a248
SHA512 55f6a7217aaf63a1347c43b0f8e77e29d6036a65c5254f19417aa1b03d194c63867ab0da4e3b7d2d20c87cc4ea1d17c76a0f9e7c3ac7584c4ebe9738bfd087c9

memory/2480-32-0x00007FF73B250000-0x00007FF73B5A4000-memory.dmp

C:\Windows\System\HyXiURx.exe

MD5 5b73c7883aca7c7f22d93a7549f14a96
SHA1 2b2dd082faf2b22c04707b29f415578ea6bd8538
SHA256 5abcebe77a7b0bfe1319e1b3d252bf22bc2d79de0b6c3c090dec8e5b4db710b6
SHA512 16ae8e57247e4201c816e2d12bdf1e7c17985b11413b5e8c7deca8f0545c148756b8af81ba1c6199c8edc59094d5601415f022dffd2ca61006b4a1ed5cb80c03

C:\Windows\System\tNSrmtG.exe

MD5 56ab41bc574fdc887c17f1aca1c4767d
SHA1 4c2b92a6eaa00ad925f6abce879453ec5560b8ac
SHA256 0d7323f1103fbd4f6eadb8c1429707d058703db787e17a48557263ae8006cc8e
SHA512 f3e451e224a7c80f6c37dffe9c432f365075e12617bee3dfe6a7cd9932967c07cf703edf388358165fed9c45adca0a2b35b34f2f5a73c8bb2c4e3760466cd4f1

C:\Windows\System\xltclRj.exe

MD5 9bba1f6dec15a8bc96eb88a9828f4ab1
SHA1 4d26ae195ce5ae88db7f1d6d6a53d40603e9e1e6
SHA256 3c5d57ef30d75b984f6a0b388967cbba65ec27fd2a1b13296c4aeb6a510e1622
SHA512 749f81be2eefc5f932c3c198317098874aace1c8c2449d44f9d99e25eca751644d665fdf592827b7c7433f8f2ebeed959ca0645fcb2ef6f6149e011ed4f2764c

C:\Windows\System\YpiSdUZ.exe

MD5 ddf8da26b0b21508dc64d4864501d760
SHA1 0236a4728e30977de1121f83cc6321b28c5e6a31
SHA256 32137fe60a1e8f6e55182c74de545cb951c3157cb37d305cc553ce72d82ddd3a
SHA512 7be354c1fca9c0d81bb531f6163e4b3bf52719f2c6614f3915b09685757150acbaf6691b5ca06933dce98ceb6ef7ea68a890f98fdfaffd3c40b68bda137f6eb2

memory/1728-56-0x00007FF777AB0000-0x00007FF777E04000-memory.dmp

memory/1016-52-0x00007FF7966B0000-0x00007FF796A04000-memory.dmp

memory/1008-46-0x00007FF7B4290000-0x00007FF7B45E4000-memory.dmp

C:\Windows\System\nZShWGB.exe

MD5 e1841de9adc3d5a75cd7ee653779188d
SHA1 b4eb2abd7768286163e810a1436d6b3b8c1e938a
SHA256 5bc364588ed0b7ee648bbab9a04dfa32affcc3497274eb845afbcb9e4a633f71
SHA512 ab3b9449acbeda476e60a5d45e40da2e8bfd080ccbc9921918661359c28c950dfe37eb0cff143c0df6dd4f0c8a29674bcbe30736f4f87847053e29c38d3e0cd2

C:\Windows\System\RzXszbd.exe

MD5 91937a045f1752b390236ec63d8d6b66
SHA1 8e7fe3b9cea82921e8240eabbe439eb11c31e0e0
SHA256 bd86403b49c1819392f7248398a48208ade8692b7809fc1fc938d053ea17838d
SHA512 1bbaf65beefb8b13aea0b720f4b33e5c370be467424b6cf1f9b1b66e7c786eac7054848f9317cf97b46070628848af0a5bcbf407ee8314f7ac6df4d1c4921520

memory/3096-72-0x00007FF672BF0000-0x00007FF672F44000-memory.dmp

memory/2116-74-0x00007FF62AC00000-0x00007FF62AF54000-memory.dmp

memory/760-73-0x00007FF697860000-0x00007FF697BB4000-memory.dmp

memory/440-71-0x00007FF72E460000-0x00007FF72E7B4000-memory.dmp

memory/1452-66-0x00007FF623990000-0x00007FF623CE4000-memory.dmp

C:\Windows\System\AIPzULs.exe

MD5 15530965d2cf01c2d1d175e3db759fb6
SHA1 2a79f23a19bcd35bde065aae7ba79346f1cd6df1
SHA256 92d56f4432f4345ae465489ca5e13b6d2c8a5229094fae152ec4a3647033b135
SHA512 9a48664fcb0e11d177c7d44777535fd2bdb03a00893ae30ee2a50d6fc1e379d0b02a6999cc06717435a20a3ba93b65eb6f310d16fba425adf5cfa32e59fcc6a9

memory/3968-84-0x00007FF73C110000-0x00007FF73C464000-memory.dmp

C:\Windows\System\ejAIPSJ.exe

MD5 9a15c356e98789abfc34c3e0ae1b883a
SHA1 0d6ffb36469635e9ac5db4c1fa460d172e025b44
SHA256 fbb5466335fc71d64ce548958c3aa2599587ac502fb9dbd36b52ec436c9cfa7a
SHA512 ebabbd56c95d7cdb07de0dc83807fbf3394ee0f6f31ea15ed87013d5ead98e6e34e46e440eec47b4410129de85a94f02e0ab36c14aa45688b100ce6e6a431cae

C:\Windows\System\ccdBudi.exe

MD5 941a427ae9f0bc0b49a780a6d2ee2730
SHA1 051d81a822bd4dab22fd6310e72abf706b67ef5f
SHA256 aa0610d4e4a5835a092d70c35503b8eb9b664a573374f6179cc7d9b5f71a34eb
SHA512 02b5db70e64f8799c4476b0c2c281059182d363919897de527992d54ca9c2415d8c55a36aebfe2a4303dacb520f7699f7f2e953791a2101a91bb249722223e46

memory/2988-91-0x00007FF7F9F70000-0x00007FF7FA2C4000-memory.dmp

memory/2308-90-0x00007FF7EC1E0000-0x00007FF7EC534000-memory.dmp

memory/4652-87-0x00007FF7BF080000-0x00007FF7BF3D4000-memory.dmp

memory/3152-85-0x00007FF70D020000-0x00007FF70D374000-memory.dmp

C:\Windows\System\iLGWsBX.exe

MD5 b197abe43df5488fc52cdba0fec952d0
SHA1 af43ca114d1c7dcf96a945d0e76aee48c15f0160
SHA256 b4da76d33578678d6c51c15788ee0b70042b0598b1626668425cbcb865df0b0a
SHA512 9b58491e11787e8737550fef06ad4f650aa86ba5eff71f8854258459db13e11f9f73d5441032e3b7f8f2649b2993d99f6d8accda11262ea512c1a615561d0941

C:\Windows\System\CXGiOvk.exe

MD5 3841d3131bdc70a1cf74942213460680
SHA1 e066ede4ce1cfdb2ea8111ae73f718eb8b157bd9
SHA256 b4d269eec56539100336c47edcf07ade25ee028ddd2f468b5ccafc2495eaa0a4
SHA512 77b6c9843e542c6ef34515300b738e90e6b505a929acee13a482482161e043ddee1028dddba920c8c9ca07a42160a603ae89b3ec75270ab6e028949695a5b7fe

C:\Windows\System\CXGiOvk.exe

MD5 ddf1ed73b9403678fb76d893152912d5
SHA1 e3f0c5585eb013ee7e86e7e59e665d6494cbc7b9
SHA256 777128d5472c29c07089a948f8e09ec3428363543775a541ff05067c892c8974
SHA512 aa6b8921324dae635b68de5d393daf5de48b8f9955094a5044c26bd8aa77e32a5a9b0c082f708aedc074137e3fa1c13005430fa7133f4254cf86c79f4f76bbee

C:\Windows\System\WFTWrZE.exe

MD5 6581aebb54c9ccf3aaf9c03af0320fd3
SHA1 dbd2b49e32876cc4390f1036fab524e4722a75fe
SHA256 f00a8f1554106511760a97bdefd81236d00006f2964fd75756f00d4959f764a0
SHA512 9fc3158eec502ed07f26f2aa9f7e27a2a06c116033c7e7ac321bd44bb6789bfa5bb3469ec4c9453c8bbcf9707b6d0753bc65ab5758ef4244b774f594984f7359

C:\Windows\System\mZJjVqq.exe

MD5 a30309fab83eaa4a0c44e47c883f646f
SHA1 dd2d41e93a97a2f2a379142bd7b77878a1cabdb1
SHA256 01e09cbf813ead4fbce1b8fc54072249be65d4d5b98bf3361ee866f607c85ece
SHA512 d0001fc28c9ce59101ab06ca39249a48e6fea1d5fc61476d1ecf0984a379073408e2ccfd5c7e35345eef338af16498be76c31198bc892a27a28616249c194468

C:\Windows\System\fmTxNuA.exe

MD5 0c52b043d74b54e4c2f15cd415f302c6
SHA1 f21234df7543c8a5cfbe527506ed59c37afb7d97
SHA256 155eb5cd60e4a57edde50394ecc5c6ee542aa60d14c70472bf1552aa23f41e08
SHA512 6958fe215ff20bdb18027407cadb7270ce8e7e9223896db495e9bf5a907cb7c4d414990090c61b6774675d1d81008ffc7eb399c8e6b233338374ada7780d0253

C:\Windows\System\mZJjVqq.exe

MD5 e8e2c7d4940db305f2e2c3aa9e70de3b
SHA1 a427c715f2f5d3f4634f8ad03fcbf1e3afb1961c
SHA256 de2668cd3fb6085f7643a8d9aedc2205b4122fe842bbcb60b9de094281ff5157
SHA512 a0de6b918179206bccecf25ee037c7060d724d35e6213109ff80aaefd25225ab1ecdaf0b2f7a40c8fd67a00694b5788392b94fb4a0d7e0b1b83abebd34fdde17

C:\Windows\System\LeSExwU.exe

MD5 aabe5dffdfecb8d2bdc128c9795ed991
SHA1 cdc278cf1a3d3a036b94d7ecc0319705df19a311
SHA256 69bd823d7d2d1bde169c5502e9e49466e049c48dc9e80b4ab5cd3bfa9cb6d082
SHA512 a7f57b740477bc77efa780db1a068ebb12ea6ce9a4fee903525c94846f6d7bb8d8724164ace4620e19c4051efe0e7bc2797aa7290deefddb26af26c0eefbdeda

memory/3216-124-0x00007FF714940000-0x00007FF714C94000-memory.dmp

memory/5080-120-0x00007FF666B70000-0x00007FF666EC4000-memory.dmp

memory/3080-117-0x00007FF78E310000-0x00007FF78E664000-memory.dmp

memory/1412-115-0x00007FF7227B0000-0x00007FF722B04000-memory.dmp

C:\Windows\System\kUNGGKm.exe

MD5 21547154e771af6da85392dde8ea1992
SHA1 72df5acd5cecc72873fc41992e526e6b67e31ed9
SHA256 0fbc7af09b3865925425657f371b37b4d07c651ed28f0f1d721c2ed2d4c0b3b4
SHA512 2c796da96b3b31f4218248eb10220502cf5d42701518b3b18f558fd42e755c8bc8f5423911d575c8fde236e46ddde0dcc7e324c955765efbe267c6e08ef79ea4

memory/1272-106-0x00007FF77E2B0000-0x00007FF77E604000-memory.dmp

memory/2480-101-0x00007FF73B250000-0x00007FF73B5A4000-memory.dmp

memory/2260-99-0x00007FF755D60000-0x00007FF7560B4000-memory.dmp

memory/4020-136-0x00007FF7A04F0000-0x00007FF7A0844000-memory.dmp

memory/2424-135-0x00007FF7D0A90000-0x00007FF7D0DE4000-memory.dmp

memory/1016-134-0x00007FF7966B0000-0x00007FF796A04000-memory.dmp

memory/1008-133-0x00007FF7B4290000-0x00007FF7B45E4000-memory.dmp

memory/2116-137-0x00007FF62AC00000-0x00007FF62AF54000-memory.dmp

memory/2988-138-0x00007FF7F9F70000-0x00007FF7FA2C4000-memory.dmp

memory/3216-140-0x00007FF714940000-0x00007FF714C94000-memory.dmp

memory/5080-139-0x00007FF666B70000-0x00007FF666EC4000-memory.dmp

memory/760-141-0x00007FF697860000-0x00007FF697BB4000-memory.dmp

memory/3968-142-0x00007FF73C110000-0x00007FF73C464000-memory.dmp

memory/2308-143-0x00007FF7EC1E0000-0x00007FF7EC534000-memory.dmp

memory/1412-146-0x00007FF7227B0000-0x00007FF722B04000-memory.dmp

memory/2480-145-0x00007FF73B250000-0x00007FF73B5A4000-memory.dmp

memory/3152-144-0x00007FF70D020000-0x00007FF70D374000-memory.dmp

memory/1008-147-0x00007FF7B4290000-0x00007FF7B45E4000-memory.dmp

memory/1016-149-0x00007FF7966B0000-0x00007FF796A04000-memory.dmp

memory/1728-148-0x00007FF777AB0000-0x00007FF777E04000-memory.dmp

memory/440-151-0x00007FF72E460000-0x00007FF72E7B4000-memory.dmp

memory/3096-150-0x00007FF672BF0000-0x00007FF672F44000-memory.dmp

memory/2116-152-0x00007FF62AC00000-0x00007FF62AF54000-memory.dmp

memory/4652-153-0x00007FF7BF080000-0x00007FF7BF3D4000-memory.dmp

memory/2260-155-0x00007FF755D60000-0x00007FF7560B4000-memory.dmp

memory/2988-154-0x00007FF7F9F70000-0x00007FF7FA2C4000-memory.dmp

memory/1272-156-0x00007FF77E2B0000-0x00007FF77E604000-memory.dmp

memory/3080-157-0x00007FF78E310000-0x00007FF78E664000-memory.dmp

memory/4020-161-0x00007FF7A04F0000-0x00007FF7A0844000-memory.dmp

memory/3216-160-0x00007FF714940000-0x00007FF714C94000-memory.dmp

memory/2424-159-0x00007FF7D0A90000-0x00007FF7D0DE4000-memory.dmp

memory/5080-158-0x00007FF666B70000-0x00007FF666EC4000-memory.dmp
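Each memory dump name in the Files sections (both behavioral1 and behavioral2) encodes the PID, a sequence number and the start and end address of the dumped region. Subtracting the two addresses gives the region size, and in this report every dropped child's image region, as well as the parent's own image region at 0x00007FF623990000, is 0x354000 bytes, which is what one program written out under 21 names looks like in memory even though the on-disk hashes listed above differ from copy to copy. (The SeLockMemoryPrivilege request recorded under "Suspicious use of AdjustPrivilegeToken" is the other memory-related tell in this report: XMRig asks for that privilege so it can back its working set with large pages.) The script below is an added example, not part of the sandbox report; it parses a subset of the behavioral2 dump names copied from above, deduplicates regions that were dumped more than once, and lists region sizes shared across PIDs.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Dump names copied from the behavioral2 Files section above (a subset is enough).
# 760 appears twice on purpose: the sandbox dumped the same region at two points in time.
DUMPS = """
memory/1452-0-0x00007FF623990000-0x00007FF623CE4000-memory.dmp
memory/1452-1-0x0000017F229D0000-0x0000017F229E0000-memory.dmp
memory/760-7-0x00007FF697860000-0x00007FF697BB4000-memory.dmp
memory/3968-15-0x00007FF73C110000-0x00007FF73C464000-memory.dmp
memory/3152-22-0x00007FF70D020000-0x00007FF70D374000-memory.dmp
memory/2308-25-0x00007FF7EC1E0000-0x00007FF7EC534000-memory.dmp
memory/1412-38-0x00007FF7227B0000-0x00007FF722B04000-memory.dmp
memory/2480-32-0x00007FF73B250000-0x00007FF73B5A4000-memory.dmp
memory/760-73-0x00007FF697860000-0x00007FF697BB4000-memory.dmp
""".strip().splitlines()


def parse_dump(name):
    """Decode one dump file name into pid, sequence number, start, end and size."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    start = int(m["start"], 16)
    end = int(m["end"], 16)
    if end <= start:
        raise ValueError(f"end address not above start in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """Distinct (start, size) regions per PID; a region dumped twice counts once."""
    per_pid = defaultdict(set)
    for name in names:
        d = parse_dump(name)
        per_pid[d["pid"]].add((d["start"], d["size"]))
    return per_pid


def shared_sizes(names):
    """Region sizes that occur in more than one PID, mapped to the sorted PIDs."""
    by_size = defaultdict(set)
    for pid, regions in regions_by_pid(names).items():
        for _, size in regions:
            by_size[size].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(DUMPS).items()):
        for start, size in sorted(regions):
            print(f"pid {pid:>5}  0x{start:016X}  {size:#x} ({size / 1024 / 1024:.2f} MiB)")
    for size, pids in shared_sizes(DUMPS).items():
        print(f"size {size:#x} shared by PIDs {pids}")
```

The second region of PID 1452 (0x10000 bytes at 0x0000017F229D0000) is not shared with any child; it is the parent's own private allocation, and the same split between one image-sized region and small private regions is what you see for PID 1684 in the behavioral1 Files section.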