Malware Analysis Report

2024-10-16 03:08

Sample ID 240608-esvq6agh2s
Target 2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike
SHA256 b53e744188b53ef6158c9c543d739155cf618f05e276d9286c3f4af740d6e50c
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: b53e744188b53ef6158c9c543d739155cf618f05e276d9286c3f4af740d6e50c
Threat Level: Known bad

The file 2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags: miner upx 0 xmrig cobaltstrike backdoor trojan

Signatures (each listed once; several fire in both the static and the behavioral analysis):

  XMRig Miner payload
  Cobaltstrike
  UPX dump on OEP (original entry point)
  xmrig
  Detects Reflective DLL injection artifacts
  Cobalt Strike reflective loader
  Xmrig family
  Cobaltstrike family
  Executes dropped EXE
  UPX packed file
  Loads dropped DLL
  Drops file in Windows directory
  Unsigned PE
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-08 04:13

Signatures

Cobalt Strike reflective loader
  1 entry; Description, Indicator, Process and Target all N/A.

Cobaltstrike family
  Tag: cobaltstrike

Detects Reflective DLL injection artifacts
  1 entry; Description, Indicator, Process and Target all N/A.

UPX dump on OEP (original entry point)
  1 entry; Description, Indicator, Process and Target all N/A.

XMRig Miner payload
  Tag: miner
  1 entry; Description, Indicator, Process and Target all N/A.

Xmrig family
  Tag: xmrig

UPX packed file
  Tag: upx
  1 entry; Description, Indicator, Process and Target all N/A.

Unsigned PE
  1 entry; Description, Indicator, Process and Target all N/A.
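The static verdicts above ("UPX packed file", "Unsigned PE") can be reproduced without the sandbox. The following is an added example written for this report, not code from the sandbox, XMRig or Cobalt Strike: it decodes the PE section table and the SECURITY data directory from raw bytes and applies three packer heuristics (UPX-style section names, a hollow first section reserved for the unpacked image, and a high-entropy entry-point section). Because the sample itself is not on this page, the image it inspects is a constructed PE32+ shell built in memory with the layout UPX produces; the section names, sizes and RVAs in `build_constructed_upx_like_pe` are assumptions for the demonstration.

```python
"""Static triage for the 'UPX packed file' and 'Unsigned PE' verdicts.

Added example for this report, not sandbox or XMRig/Cobalt Strike code.
The PE image it inspects is constructed in memory below (no real sample
bytes), laid out the way UPX lays out a packed binary, so it runs offline.
"""
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted data, ~0 for zero padding."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes):
    """Decode the few PE fields the heuristics need: entry RVA, the size of
    the SECURITY data directory (Authenticode blob) and the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    # Data directories begin at +96 (PE32) or +112 (PE32+); index 4 is SECURITY.
    dd_base = opt + (112 if magic == 0x20B else 96)
    _, security_size = struct.unpack_from("<II", pe, dd_base + 4 * 8)
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_off = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + i * 40)
        raw = pe[raw_off:raw_off + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return entry_rva, security_size, sections


def triage(pe: bytes) -> dict:
    entry_rva, security_size, sections = parse_pe(pe)
    ep = next((s for s in sections if s["vaddr"] <= entry_rva
               < s["vaddr"] + max(s["vsize"], s["raw_size"])), None)
    hints = {
        # Section names are the weakest hint: UPX builds are often renamed.
        "upx_section_names": any(s["name"].upper().startswith("UPX") for s in sections),
        # UPX0 is an empty (raw size 0) section reserved for the unpacked image.
        "hollow_first_section": bool(sections) and sections[0]["raw_size"] == 0
                                and sections[0]["vsize"] > 0,
        # The stub and the compressed data live in the entry-point section.
        "high_entropy_entry_section": ep is not None and ep["entropy"] > 7.0,
    }
    return {
        "sections": [s["name"] for s in sections],
        "entry_section": ep["name"] if ep else None,
        "entry_section_entropy": ep["entropy"] if ep else None,
        "authenticode_present": security_size > 0,
        "hints": hints,
        "likely_upx": hints["hollow_first_section"] and hints["high_entropy_entry_section"],
    }


def build_constructed_upx_like_pe() -> bytes:
    """Constructed PE32+ shell (no executable code): UPX0 empty, UPX1 holding
    4 KiB of deterministic pseudo-random bytes as the 'compressed' payload with
    the entry point inside it, a zero-filled .rsrc, and no Authenticode."""
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    rsrc = b"\0" * 0x200
    e_lfanew, opt_size, n_sections, align = 0x40, 0xF0, 3, 0x200
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * n_sections
    raw_start = -(-headers_len // align) * align          # round up to file alignment
    upx0_va, upx1_va, rsrc_va = 0x1000, 0x60000, 0x62000  # assumed RVAs
    entry_rva = upx1_va + 0xF00

    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, n_sections, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    # SECURITY data directory (index 4) stays zero: unsigned.

    def section(name, vsize, va, raw_size, raw_off):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_off,
                           0, 0, 0, 0, 0xE0000020)

    table = (section(b"UPX0", 0x5F000, upx0_va, 0, 0)
             + section(b"UPX1", 0x2000, upx1_va, len(payload), raw_start)
             + section(b".rsrc", 0x200, rsrc_va, len(rsrc), raw_start + len(payload)))
    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return img + b"\0" * (raw_start - len(img)) + payload + rsrc


if __name__ == "__main__":
    print(triage(build_constructed_upx_like_pe()))
```

`likely_upx` deliberately ignores the section names and relies on the hollow-first-section layout plus entropy, because stripping or renaming UPX0/UPX1 is the most common way a packed sample evades the name-based check while keeping the layout that a loader needs. An absent SECURITY directory only says the file carries no embedded signature; a catalog-signed Windows binary would also show `authenticode_present: False`, so treat that flag as "unsigned or not embedded-signed".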

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-08 04:12
Reported: 2024-06-08 04:16
Platform: win7-20240221-en
Max time kernel: 148s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader
  21 entries; Description, Indicator, Process and Target all N/A.

Cobaltstrike
  Tags: trojan backdoor cobaltstrike

xmrig
  Tags: miner xmrig

Detects Reflective DLL injection artifacts
  21 entries; Description, Indicator, Process and Target all N/A.

UPX dump on OEP (original entry point)
  54 entries; Description, Indicator, Process and Target all N/A.

XMRig Miner payload
  Tag: miner
  58 entries; Description, Indicator, Process and Target all N/A.

Loads dropped DLL
  21 entries; Process = C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe in every row; Description, Indicator and Target N/A.

UPX packed file
  Tag: upx
  57 entries; Description, Indicator, Process and Target all N/A.

Drops file in Windows directory

21 entries, all "File created" by C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe (Indicator and Target N/A), in this order:

  C:\Windows\System\pUASgdb.exe
  C:\Windows\System\TAbAtWi.exe
  C:\Windows\System\SScRjrn.exe
  C:\Windows\System\pYfRthh.exe
  C:\Windows\System\mTgDOEv.exe
  C:\Windows\System\xrvuozV.exe
  C:\Windows\System\AlNhrog.exe
  C:\Windows\System\CLcPTVa.exe
  C:\Windows\System\pSnGpfS.exe
  C:\Windows\System\rwDMPNJ.exe
  C:\Windows\System\EjLmkis.exe
  C:\Windows\System\Cpqzhww.exe
  C:\Windows\System\EUdMUYG.exe
  C:\Windows\System\HSDdDvI.exe
  C:\Windows\System\IppVTKm.exe
  C:\Windows\System\oeoIbsP.exe
  C:\Windows\System\GvOksbN.exe
  C:\Windows\System\OidjXlw.exe
  C:\Windows\System\OQZkZzL.exe
  C:\Windows\System\dVVjRNP.exe
  C:\Windows\System\pQOaDiD.exe

Suspicious use of AdjustPrivilegeToken

2 entries, both "Token: SeLockMemoryPrivilege", Process = C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe (Indicator and Target N/A).

SeLockMemoryPrivilege is the privilege XMRig enables so it can back its hashing scratchpad with large pages, so this hit is consistent with the miner verdict; it is not a privilege Cobalt Strike needs.

Suspicious use of WriteProcessMemory

63 entries (Indicator N/A in all rows): PID 1284, C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe, wrote to the memory of each of the 21 processes below three times, in this order:

  Target PID  Target process
  112         C:\Windows\System\xrvuozV.exe
  2156        C:\Windows\System\pUASgdb.exe
  2684        C:\Windows\System\GvOksbN.exe
  2776        C:\Windows\System\OidjXlw.exe
  2708        C:\Windows\System\OQZkZzL.exe
  2716        C:\Windows\System\dVVjRNP.exe
  2756        C:\Windows\System\AlNhrog.exe
  2592        C:\Windows\System\EjLmkis.exe
  2536        C:\Windows\System\CLcPTVa.exe
  2456        C:\Windows\System\Cpqzhww.exe
  2544        C:\Windows\System\TAbAtWi.exe
  3040        C:\Windows\System\SScRjrn.exe
  1044        C:\Windows\System\pQOaDiD.exe
  1560        C:\Windows\System\pYfRthh.exe
  2284        C:\Windows\System\EUdMUYG.exe
  1732        C:\Windows\System\mTgDOEv.exe
  2492        C:\Windows\System\pSnGpfS.exe
  2264        C:\Windows\System\IppVTKm.exe
  2372        C:\Windows\System\rwDMPNJ.exe
  1920        C:\Windows\System\HSDdDvI.exe
  2068        C:\Windows\System\oeoIbsP.exe

A fixed number of writes from a parent into every child it has just created is the pattern normal process creation produces (CreateProcess writes the new process's startup parameters into it), so these rows record the launches of the 21 dropped executables; on their own they are not evidence of injection into unrelated processes.

Processes

PIDs are taken from the WriteProcessMemory entries above. For every child the command line is the bare image path.

  PID   Image
  1284  C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe"
  112   C:\Windows\System\xrvuozV.exe
  2156  C:\Windows\System\pUASgdb.exe
  2684  C:\Windows\System\GvOksbN.exe
  2776  C:\Windows\System\OidjXlw.exe
  2708  C:\Windows\System\OQZkZzL.exe
  2716  C:\Windows\System\dVVjRNP.exe
  2756  C:\Windows\System\AlNhrog.exe
  2592  C:\Windows\System\EjLmkis.exe
  2536  C:\Windows\System\CLcPTVa.exe
  2456  C:\Windows\System\Cpqzhww.exe
  2544  C:\Windows\System\TAbAtWi.exe
  3040  C:\Windows\System\SScRjrn.exe
  1044  C:\Windows\System\pQOaDiD.exe
  1560  C:\Windows\System\pYfRthh.exe
  2284  C:\Windows\System\EUdMUYG.exe
  1732  C:\Windows\System\mTgDOEv.exe
  2492  C:\Windows\System\pSnGpfS.exe
  2264  C:\Windows\System\IppVTKm.exe
  2372  C:\Windows\System\rwDMPNJ.exe
  1920  C:\Windows\System\HSDdDvI.exe
  2068  C:\Windows\System\oeoIbsP.exe
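The behaviour recorded in the "Drops file in Windows directory", "Suspicious use of WriteProcessMemory" and "Processes" sections is a single detectable pattern: one process starts many executables with random 7-letter names out of C:\Windows\System. The following is an added example written for this report, not sandbox code, showing that detection as logic run over process-creation events. The event log is constructed: the parent path, child paths and PIDs are the ones this report lists, while the timestamps, the parent's own parent (explorer.exe, PID 604) and the benign services.exe/svchost.exe/conhost.exe control events are made up for the demonstration.

```python
"""Fan-out detection for a dropper that starts many random-named executables.

Added example, not sandbox code. The event log is constructed from the PIDs
and paths in this report; timestamps and the benign control events are
made up so the detector has something it must not flag.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe")
CHILDREN = [(112, "xrvuozV"), (2156, "pUASgdb"), (2684, "GvOksbN"), (2776, "OidjXlw"),
            (2708, "OQZkZzL"), (2716, "dVVjRNP"), (2756, "AlNhrog"), (2592, "EjLmkis"),
            (2536, "CLcPTVa"), (2456, "Cpqzhww"), (2544, "TAbAtWi"), (3040, "SScRjrn"),
            (1044, "pQOaDiD"), (1560, "pYfRthh"), (2284, "EUdMUYG"), (1732, "mTgDOEv"),
            (2492, "pSnGpfS"), (2264, "IppVTKm"), (2372, "rwDMPNJ"), (1920, "HSDdDvI"),
            (2068, "oeoIbsP")]

# C:\Windows\System (not System32) is a legacy directory that nothing normally
# launches from; a 7-letter mixed-case stem is the naming pattern seen here.
SUSPECT_DIR = "c:\\windows\\system\\"
RANDOM_STEM = re.compile(r"^[A-Za-z]{7}$")


@dataclass
class ProcEvent:
    t: float            # seconds since the first event (constructed)
    ppid: int
    pid: int
    parent_image: str
    image: str


def constructed_log() -> str:
    """Pipe-separated 'time|ppid|pid|parent_image|image' lines."""
    lines = ["0.0|604|1284|C:\\Windows\\explorer.exe|" + PARENT]   # constructed parent
    lines += [f"{1 + i * 0.3:.1f}|1284|{pid}|{PARENT}|C:\\Windows\\System\\{name}.exe"
              for i, (pid, name) in enumerate(CHILDREN)]
    # Benign control events (constructed): must not be flagged.
    lines += ["2.0|500|1012|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe",
              "2.5|1012|1300|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\conhost.exe"]
    return "\n".join(lines)


def parse_events(text: str):
    for line in text.strip().splitlines():
        t, ppid, pid, parent_image, image = line.split("|")
        yield ProcEvent(float(t), int(ppid), int(pid), parent_image, image)


def looks_like_dropped_child(image: str) -> bool:
    """Executable under C:\\Windows\\System with a 7-letter mixed-case name."""
    if not image.lower().startswith(SUSPECT_DIR):
        return False
    stem, _, ext = image.rsplit("\\", 1)[-1].rpartition(".")
    return (ext.lower() == "exe" and bool(RANDOM_STEM.match(stem))
            and stem != stem.lower() and stem != stem.upper())


def detect_fanout(events, min_children: int = 5, window_s: float = 120.0):
    """Flag a parent that starts >= min_children suspect executables within
    window_s seconds. Returns one finding per offending parent."""
    by_parent = defaultdict(list)
    for e in events:
        if looks_like_dropped_child(e.image):
            by_parent[(e.ppid, e.parent_image)].append(e)
    findings = []
    for (ppid, parent_image), kids in by_parent.items():
        kids.sort(key=lambda e: e.t)
        j = 0
        for i in range(len(kids)):            # sliding window over start times
            while j < len(kids) and kids[j].t - kids[i].t <= window_s:
                j += 1
            if j - i >= min_children:
                findings.append({"ppid": ppid, "parent_image": parent_image,
                                 "child_count": len(kids),
                                 "children": sorted(k.image for k in kids)})
                break
    return findings


if __name__ == "__main__":
    for f in detect_fanout(parse_events(constructed_log())):
        print(f["ppid"], f["parent_image"], f["child_count"])
```

The directory test is the strongest part of the rule: legitimate software does not install into C:\Windows\System, so even a single hit there is worth a look, and the fan-out threshold mainly keeps the alert to one per parent instead of 21. Feeding it real Sysmon Event ID 1 or EDR process-start records only requires replacing `parse_events`.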

Network

  Country  Destination         Domain  Proto  Connections
  DE       3.120.209.58:8080   (none)  tcp    6

Files

memory/1284-0-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/1284-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\xrvuozV.exe

MD5 00d0c92e805809aa0cc96203fd656736
SHA1 e789b7d661eeae07bad84bef4f8d938bd5c2086f
SHA256 a3152773f8f61acbe3bd49f8966d401adfbd00eb7473dccde59f481bbb09b1e7
SHA512 148084e8f270a743e2550bd024e9e7d3d8b1ffc1ec60adc9bfb41ec060cb5c05ae6eb99edb2f455db4120628a96880f5cf7841b5f9f0d28e8c8ae00775780e27

\Windows\system\pUASgdb.exe

MD5 7411c355dd7ba052d9267c9c73b7e453
SHA1 e69703558416bead1df649d541f8a4382364db70
SHA256 5e84329449eb7106ee1535e663ac48c0951252627a0af4c6af841668dd5f81c4
SHA512 5e486d669844fa2a07d99dce14ba7d04656a32f3c24e2419910dae7357618b0b484f40bbcbcd895f1cc085088c2a623f6b63284b1add360664640a21078179c2

memory/112-9-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2156-15-0x000000013F100000-0x000000013F454000-memory.dmp

C:\Windows\system\GvOksbN.exe

MD5 2ac86b9a717833c6ea85485204ee9f6d
SHA1 1adf06cb577a6dbdf9a0348ed40af724e4ba947f
SHA256 f21523f792233bc85c3d29bf2604c4474dff830df343eef3942f5e842b57ff12
SHA512 5afa4aa96abea68fc71a1f4e00b51e1b57ca85455e255b3cb67fce1a5d7a5bfb7b103a6649606d628ee4f889b28e1caf92f046ad767f2d52a35da85dffe893b9

memory/1284-14-0x000000013F100000-0x000000013F454000-memory.dmp

memory/1284-8-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2684-22-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/1284-20-0x0000000002400000-0x0000000002754000-memory.dmp

\Windows\system\OidjXlw.exe

MD5 32b6bb397f556e14f1e7f3f19c4cc18b
SHA1 8b844e7e6cb5ef8dbc24787418fd7af908d26cf4
SHA256 bff17795f7a97412ee64f483f38963850c0c2b6ab326d403da990848280ad8b6
SHA512 7837acfb30df7734545561be1b110cd6a406a19db4965b32e70ddcaddbd64f2b5c675056dedfb69ec25237104477a2fe40bb698d27d303a4d5e4d6bdeb450ec7

memory/2776-33-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2708-35-0x000000013F670000-0x000000013F9C4000-memory.dmp

C:\Windows\system\OQZkZzL.exe

MD5 c930f57c7cbddb2f6e654a7d0afce154
SHA1 d0aff8ce2b7f25449561a37e5d382de83959b85c
SHA256 a153064eb16b72e6bec8c0598e11adcf2588d1b922ca60c3b3add46508904242
SHA512 883763592925c2fa1f9528fa2a69de332895a798fee774f9a87f8f3db43b0e3a341506d3899d20e9c9a9f849bfe631513b30d2d331088404d6c3bfcfc0a3619c

memory/1284-36-0x0000000002400000-0x0000000002754000-memory.dmp

\Windows\system\dVVjRNP.exe

MD5 ce0a542bf31a6578e926a5f54e2edb7c
SHA1 69bd578f492a63dc17c699ec555cdb8d262515ed
SHA256 1372d1de01c5b9329c066f46a664cdcede6491e82d3f9762d4c9d3fe5d17185b
SHA512 58d3cf15ea7867bbfb37e659eece62d9223cbc918cdcd3bc5cc98b227fa354afd06179502bfc5994a9d253793379fdcd141dd9632345d1e1ec716a13f10163b9

\Windows\system\EjLmkis.exe

MD5 c83b629797e9d27783285d3088040064
SHA1 4bfc47cf52476d2a83df7e0ac1b1c3a7ba8024b0
SHA256 a637516c62f49fc3d7bdd440101132ba0d82f6b9a32bc07396d8f7a4f9d1a5e1
SHA512 12aecbb81d86457f8bd48ee0652aecf1276a967ea8527c33fb102aab4da9a665730acae589b3aadf7f9c58ddb39e8f1a74c9bff8368faa8078bc3e3d932e20d6

\Windows\system\Cpqzhww.exe

MD5 11b3ac72d4712705aae5c9a31af60c36
SHA1 56e28f966588eb8cc9cbf51203ebe3693a60a1c3
SHA256 9d8fe48e3934c40c5b1331295ea4f2018bcee5815ebad3dd6eec50ecf10436cd
SHA512 0d865c87678df3f9f2ce845252f14756b8c9928247b0554cf985772ca1f9a0c1640e577c9833e5a3d9d25dd033c66cffd22a72c422d84ef62196f8177c9d55fe

memory/1284-58-0x000000013FE40000-0x0000000140194000-memory.dmp

C:\Windows\system\SScRjrn.exe

MD5 f4ae7050b53d8f2cd83d5e778989e036
SHA1 a738d8f695e42604ad23db37d792ba880e5257d3
SHA256 e1bc726e41c9c020724299fdb4f520f43bd5bae2b52367ba14002bdf01f4852a
SHA512 056ca7fe9e7822a03e6be2baade937d17a626bc415a88dc6e64cfe0d499ce13d6bceba582031e439152099c6de916530dce4c635a9e93fef3a4697fe2d3a02b3

memory/1284-72-0x0000000002400000-0x0000000002754000-memory.dmp

memory/1284-70-0x0000000002400000-0x0000000002754000-memory.dmp

\Windows\system\AlNhrog.exe

MD5 e333276683ead5f19e71f1b786d3fab3
SHA1 e6eaa5e1af92eead8ea4cdfb559ded0567d4a6ac
SHA256 10e94d0c0c2ea7fc62ec8c493014af52bdb0b8f9457564bc3121e90176fd49c6
SHA512 dccd5b489342094016fc8d6e7af2d86c3cd4772c1d3713e1547a8f64126970a6780c54dcf91cc41999be90204a92d9406a3e086ad1b60ce52c3e5a1099b40cbb

C:\Windows\system\pYfRthh.exe

MD5 a75064e8efbfce6ff0a33d7cd89a0cc9
SHA1 50de5d0beda26d290f0ed4e8b49d571588c625f4
SHA256 d2c4283f85694e3f0190492f4aa19d76af271678c039b178b9485aa527576ba4
SHA512 1c05422bee67e7181f83aeb48038904a83ad1cc0e987687d76c20ad0ab5ecc47b6bbbe7945b043970346e0e7df928d0931ca9969bd73c09efaa225edc7f8fd4c

memory/1284-45-0x000000013F150000-0x000000013F4A4000-memory.dmp

memory/2756-88-0x000000013FAB0000-0x000000013FE04000-memory.dmp

\Windows\system\CLcPTVa.exe

MD5 3d0044c5441dd3e44712d25d7fa9a3cd
SHA1 c2776ddbb6fcf1824f4fc654526e4ace2c76f789
SHA256 a37828b4655a1b77e5fa59eb067813661fd2917e7342a5aad3ae00f3cd69d882
SHA512 3b93996d9b4566adad3e5578ba7ffbdb96129f0676b8a93dd3a2031f715d9ccfc627ff1a762c9e28c8054399f363e6f5baf9c1c7a32065359649e12042826ec4

memory/1284-99-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/1732-102-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2716-54-0x000000013F150000-0x000000013F4A4000-memory.dmp

C:\Windows\system\pSnGpfS.exe

MD5 6a695d0186d13eac346bb2db2b45b425
SHA1 a23ee9a67c8718ee03cb357b6926bded895797c6
SHA256 9b40339d6125f8fa522f1c52587585e86758d97944f5c8478c8afa39943dbf9d
SHA512 ad1989a84a4caa9097be04e43c96a71b55af56f977e923d23c7e2ceb1364be6588f5566e238bd45d7ea6aaa614e5c91db626afd2aa9aff3255b1e200439c3e2f

\Windows\system\oeoIbsP.exe

MD5 cdbe912c18104e37c56e4dc61cfb256a
SHA1 48423c0b5e68f2e52f2ba71574de72b6626a4115
SHA256 7f310618c7244bb4b5b450828ad268c8b52a237f4e1d4acf103ec759f0404fdb
SHA512 70552b096ac7bf631a2d4e0d66289694227ec99a3ecd23f1bb254018018e5e895da623a185dd41bbd8f8b2e1c787b6b84218d213dcf19a5acc5755f56a0cb3bb

\Windows\system\rwDMPNJ.exe

MD5 356fdbf0718bf879123053cbb15293c8
SHA1 90162e96fc5ce66d23429d439cde741d4657f699
SHA256 742b639dac4cf2f7cfb4715113e027092dd6737e39137fa5f9b4128645f09b03
SHA512 17f665ba6d0926021f7a6739d51c58d75673e6109cec8471c1b886ef9e4ad21a8bfd59f892b161f24ec18af79b45f586eeeb1c5384882e19e81afef16f15f2bd

C:\Windows\system\pQOaDiD.exe

MD5 7b8011f75e5abd9a5d0a62b27afa1331
SHA1 f9e88c15d496ac88019b8416457d07cb2150e3e5
SHA256 0125e4c043eecba52a8245b63fecea48c1d11044a19289ae37250f27f990d783
SHA512 5d7bc817d72b163c3e56546a24344efe872f78c9e524c623c807a066401c9020b13b3fad831bbe22841e03889ad7e3b8402059c22ba3fab275b27d477b3f561b

C:\Windows\system\TAbAtWi.exe

MD5 75539c83b3bc8c30138e3c93c9f2e140
SHA1 90acc173ccffcf69ad51ae43807b2487111b7b23
SHA256 8261656d283afa98ce41ca223464ad30ab61026e76634691510073ea26e152a8
SHA512 69617fb38811052163bb9890bb368ce2f7cc9810c53ddc9c8e83c94e3c6999a1165b8def918c4d0f85b6d3d2094b89c7382a49c6e0f02562cbd17156373b8ee0

\Windows\system\EUdMUYG.exe

MD5 952af55d4847d0bc445c38172cb510b7
SHA1 4a0669c59cf4e34dbc71c742694baf8866d75eac
SHA256 91becdcd2e30361394e4bbb189a4fd22de5f9151d000ce6d8cd08ab800f8e9ea
SHA512 eab5c9b1d274c1d38ce8b71802773a0c46dde4bca450e34752b82c8f67dfa58975b5eb7814f2df1d270aba99adf576a260d877fd0917ed09cf52c78200520d41

C:\Windows\system\HSDdDvI.exe

MD5 c558800d0781d0c4599ea8378bc7becd
SHA1 d65197ee1583ab4437d333c92f7204722a76e138
SHA256 1cb0a3dcd1783adec922cb1e732cc8d17aa4f426e0f3f6ee27fe81cbbdc35698
SHA512 b9e482349cb8af58376ede7df5403572b2a299fee543ccefb055f5686c25d0856b9ecfa9bf49717774bb0d73867388d61196954ed7d30408f88870249902c560

memory/3040-80-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/1284-79-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2456-78-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/1284-74-0x0000000002400000-0x0000000002754000-memory.dmp

memory/1284-64-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2592-61-0x000000013F8F0000-0x000000013FC44000-memory.dmp

C:\Windows\system\IppVTKm.exe

MD5 40b5fc56d92fa25d6e0d1db0d029245e
SHA1 f25cb81f0b7662426a4a962e2a28ec224d6d7cf8
SHA256 a1b59e5d4d010bcec8276b9961da0a00de1661e17baace8d11a409e9f708f2f9
SHA512 688d5b37074674fe4065ed97386f3f01b788cd3ae8f0b4a81e535d6845a167809e1cd3dd54adc9934499c993f62bd4b8cf45adc1a4b1fe0d58f14a68ed9ae158

memory/2684-103-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/1284-101-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2536-100-0x000000013FE40000-0x0000000140194000-memory.dmp

C:\Windows\system\mTgDOEv.exe

MD5 346c8494edeb259af1bce3f1acd5bcd4
SHA1 bb1f4a1b65a13d0923f2bb3868d0c2a84a027956
SHA256 9deb8f12edc5c7b61013f3c967864116a203101fdf48771fc37af39781f05153
SHA512 9ea1d84e158ba2e10acd62573505f9c80ad8b8fc0193fdd0737ad73e4aa37f0aaa3e2fa4a32f45907c25ced853a7a39b156752d0365da96c30c35a8135e0ac62

memory/2156-97-0x000000013F100000-0x000000013F454000-memory.dmp

memory/1560-87-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/1284-85-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2708-136-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/1284-137-0x0000000002400000-0x0000000002754000-memory.dmp

memory/1560-138-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2756-139-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/1284-140-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/2536-141-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/1732-142-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/112-143-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2156-144-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2684-145-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2776-146-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2708-147-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/2716-148-0x000000013F150000-0x000000013F4A4000-memory.dmp

memory/2592-149-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/2456-150-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/3040-151-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/1560-152-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2756-153-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2536-154-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/1732-155-0x000000013FE50000-0x00000001401A4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 04:12

Reported

2024-06-08 04:16

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 hits; the report records no description, indicator, process or target for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 hits; the report records no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 hits; the report records no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 hits; the report records no description, indicator, process or target for any of them)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 hits; the report records no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\kNUIZXw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GwoNuVb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iGnuqsO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gXTVHQW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SNomiOt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WoIaPnq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SSklPbO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\czaDPPX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dxgWSCz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oMMaSGG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YuMHpyr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SUPKLoA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PQIRVDv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UPMvsly.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rezbDyk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ICNKbLx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FaOOhZR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FylkGdW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IJUopgH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VpCmacb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RrhOMWi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\rezbDyk.exe
PID 2124 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\rezbDyk.exe
PID 2124 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ICNKbLx.exe
PID 2124 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ICNKbLx.exe
PID 2124 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\oMMaSGG.exe
PID 2124 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\oMMaSGG.exe
PID 2124 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\FaOOhZR.exe
PID 2124 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\FaOOhZR.exe
PID 2124 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\iGnuqsO.exe
PID 2124 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\iGnuqsO.exe
PID 2124 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\YuMHpyr.exe
PID 2124 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\YuMHpyr.exe
PID 2124 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\gXTVHQW.exe
PID 2124 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\gXTVHQW.exe
PID 2124 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\SNomiOt.exe
PID 2124 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\SNomiOt.exe
PID 2124 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\FylkGdW.exe
PID 2124 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\FylkGdW.exe
PID 2124 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\WoIaPnq.exe
PID 2124 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\WoIaPnq.exe
PID 2124 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\SUPKLoA.exe
PID 2124 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\SUPKLoA.exe
PID 2124 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\SSklPbO.exe
PID 2124 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\SSklPbO.exe
PID 2124 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\czaDPPX.exe
PID 2124 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\czaDPPX.exe
PID 2124 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\kNUIZXw.exe
PID 2124 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\kNUIZXw.exe
PID 2124 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\PQIRVDv.exe
PID 2124 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\PQIRVDv.exe
PID 2124 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\UPMvsly.exe
PID 2124 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\UPMvsly.exe
PID 2124 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\IJUopgH.exe
PID 2124 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\IJUopgH.exe
PID 2124 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\GwoNuVb.exe
PID 2124 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\GwoNuVb.exe
PID 2124 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\VpCmacb.exe
PID 2124 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\VpCmacb.exe
PID 2124 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\dxgWSCz.exe
PID 2124 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\dxgWSCz.exe
PID 2124 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\RrhOMWi.exe
PID 2124 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe C:\Windows\System\RrhOMWi.exe
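A worked example, added here and not part of the sandbox report or of the sample: the "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables above can be reconciled mechanically. The script parses rows copied from those tables (an excerpt of five of the 21 dropped files, with the WriteProcessMemory rows that the report lists twice per child), collapses the duplicate write rows, and checks that every file created under C:\Windows\System is also the target of a memory write from the parent PID 2124 and follows the seven-letter naming pattern. The regexes, function names and summary structure are my own; nothing here is a sandbox API.

```python
import re

# Parent process exactly as the report names it (the sample under analysis).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe")

# Rows excerpted from the report's two signature tables (Description Indicator Process Target).
DROP_ROWS = [
    r"File created C:\Windows\System\rezbDyk.exe " + SAMPLE + " N/A",
    r"File created C:\Windows\System\ICNKbLx.exe " + SAMPLE + " N/A",
    r"File created C:\Windows\System\oMMaSGG.exe " + SAMPLE + " N/A",
    r"File created C:\Windows\System\FaOOhZR.exe " + SAMPLE + " N/A",
    r"File created C:\Windows\System\iGnuqsO.exe " + SAMPLE + " N/A",
]
WRITE_ROWS = [
    "PID 2124 wrote to memory of 4020 N/A " + SAMPLE + r" C:\Windows\System\rezbDyk.exe",
    "PID 2124 wrote to memory of 4020 N/A " + SAMPLE + r" C:\Windows\System\rezbDyk.exe",
    "PID 2124 wrote to memory of 3976 N/A " + SAMPLE + r" C:\Windows\System\ICNKbLx.exe",
    "PID 2124 wrote to memory of 3976 N/A " + SAMPLE + r" C:\Windows\System\ICNKbLx.exe",
    "PID 2124 wrote to memory of 4052 N/A " + SAMPLE + r" C:\Windows\System\oMMaSGG.exe",
    "PID 2124 wrote to memory of 4052 N/A " + SAMPLE + r" C:\Windows\System\oMMaSGG.exe",
    "PID 2124 wrote to memory of 3932 N/A " + SAMPLE + r" C:\Windows\System\FaOOhZR.exe",
    "PID 2124 wrote to memory of 3932 N/A " + SAMPLE + r" C:\Windows\System\FaOOhZR.exe",
    "PID 2124 wrote to memory of 4716 N/A " + SAMPLE + r" C:\Windows\System\iGnuqsO.exe",
    "PID 2124 wrote to memory of 4716 N/A " + SAMPLE + r" C:\Windows\System\iGnuqsO.exe",
]

DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) (?P<target>\S+)$")
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<indicator>\S+) "
    r"(?P<proc>\S+) (?P<target>\S+)$")
# Every dropped binary in this report is seven ASCII letters directly under
# C:\Windows\System (the legacy directory, not System32).
NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_drops(rows):
    """Dropped path -> process that created it."""
    drops = {}
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            drops[m["path"]] = m["proc"]
    return drops


def parse_writes(rows):
    """Child PID -> (writer PID, child image). The duplicated rows collapse."""
    writes = {}
    for row in rows:
        m = WRITE_RE.match(row)
        if m:
            writes[int(m["dst"])] = (int(m["src"]), m["target"])
    return writes


def reconcile(drops, writes):
    """Cross-check the two tables and flag any name outside the observed pattern."""
    dropped = set(drops)
    written = {target for _, target in writes.values()}
    return {
        "dropped_and_written": sorted(dropped & written),
        "dropped_only": sorted(dropped - written),   # created on disk, never written to
        "written_only": sorted(written - dropped),   # written to, but creation not recorded
        "odd_names": sorted(p for p in dropped | written if not NAME_RE.match(p)),
        "writers": sorted({src for src, _ in writes.values()}),
        "children": sorted(writes),
    }


if __name__ == "__main__":
    summary = reconcile(parse_drops(DROP_ROWS), parse_writes(WRITE_ROWS))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run over the full tables the two sets coincide exactly (21 drops, 21 written-to children, a single writer PID 2124), so the chain is one parent fanning out to 21 copies rather than a multi-level tree. The msedge.exe --type=utility process listed under Processes has no write from PID 2124 and is most plausibly unrelated browser background activity in the sandbox image. A new executable created directly in C:\Windows\System is unusual enough to alert on by itself, independent of the file name.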

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_514dbdf838f0a7941ce7613757923aa7_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\rezbDyk.exe

C:\Windows\System\rezbDyk.exe

C:\Windows\System\ICNKbLx.exe

C:\Windows\System\ICNKbLx.exe

C:\Windows\System\oMMaSGG.exe

C:\Windows\System\oMMaSGG.exe

C:\Windows\System\FaOOhZR.exe

C:\Windows\System\FaOOhZR.exe

C:\Windows\System\iGnuqsO.exe

C:\Windows\System\iGnuqsO.exe

C:\Windows\System\YuMHpyr.exe

C:\Windows\System\YuMHpyr.exe

C:\Windows\System\gXTVHQW.exe

C:\Windows\System\gXTVHQW.exe

C:\Windows\System\SNomiOt.exe

C:\Windows\System\SNomiOt.exe

C:\Windows\System\FylkGdW.exe

C:\Windows\System\FylkGdW.exe

C:\Windows\System\WoIaPnq.exe

C:\Windows\System\WoIaPnq.exe

C:\Windows\System\SUPKLoA.exe

C:\Windows\System\SUPKLoA.exe

C:\Windows\System\SSklPbO.exe

C:\Windows\System\SSklPbO.exe

C:\Windows\System\czaDPPX.exe

C:\Windows\System\czaDPPX.exe

C:\Windows\System\kNUIZXw.exe

C:\Windows\System\kNUIZXw.exe

C:\Windows\System\PQIRVDv.exe

C:\Windows\System\PQIRVDv.exe

C:\Windows\System\UPMvsly.exe

C:\Windows\System\UPMvsly.exe

C:\Windows\System\IJUopgH.exe

C:\Windows\System\IJUopgH.exe

C:\Windows\System\GwoNuVb.exe

C:\Windows\System\GwoNuVb.exe

C:\Windows\System\VpCmacb.exe

C:\Windows\System\VpCmacb.exe

C:\Windows\System\dxgWSCz.exe

C:\Windows\System\dxgWSCz.exe

C:\Windows\System\RrhOMWi.exe

C:\Windows\System\RrhOMWi.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2856,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4008 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
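The Network table above, as an added example that is not part of the report: all but one destination is the sandbox resolver at 8.8.8.8:53 receiving reverse (PTR) lookups, and an IPv4 PTR name encodes the address being asked about in reversed octet order. The script decodes those names so the analyst sees which addresses the guest resolved, and counts the one direct connection, six TCP sessions to 3.120.209.58:8080. The rows are copied from the table; the parser, the function names and the interpretation are mine.

```python
import ipaddress
import re
from collections import Counter

# Rows copied from the behavioral2 Network table (Country Destination Domain Proto).
NET_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
""".strip().splitlines()

# The Domain column is absent for direct connections, hence the optional group.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[0-9.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")


def ptr_to_ip(name):
    """'228.249.119.40.in-addr.arpa' -> '40.119.249.228'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def summarize(rows):
    """Split resolver traffic (decoded to the IPs asked about) from direct connections."""
    ptr_targets, direct = [], Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        if m["port"] == "53" and m["domain"]:
            ip = ptr_to_ip(m["domain"])
            if ip:
                ptr_targets.append(ip)
        else:
            direct[(m["ip"], int(m["port"]), m["proto"], m["cc"])] += 1
    return {"ptr_targets": ptr_targets, "direct": dict(direct)}


if __name__ == "__main__":
    result = summarize(NET_ROWS)
    print("reverse lookups for:", ", ".join(result["ptr_targets"]))
    for (ip, port, proto, cc), n in result["direct"].items():
        print(f"direct {proto} {ip}:{port} ({cc}) x{n}")
```

A PTR lookup only shows that something in the guest asked the resolver about that address; it is not evidence of a connection, and the decoded 13.x, 20.x and 40.x addresses are the kind Windows services touch in the background. The repeated TCP sessions to 3.120.209.58:8080 are the only rows worth carrying forward as a network indicator, with the caveat that the report does not say which process opened them or what was exchanged.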

Files

memory/2124-0-0x00007FF6C1570000-0x00007FF6C18C4000-memory.dmp

memory/2124-1-0x00000220F3550000-0x00000220F3560000-memory.dmp

C:\Windows\System\rezbDyk.exe

MD5 5e7e9bda2c53928f36556e0361e2b192
SHA1 d08c5a46c985bab7f7fcc78a1092ffdac39e0d51
SHA256 83606993f2a5c005a4cbdfeb5175a59ce573722665f29934c511f2942723085b
SHA512 dddb376b4e6b0f6c3f875fb9cb62aaab8d7de5a07e7c653fe6039e24863146e96b9f94caabd5a6c469320dff5419069fc37208d9c3234981d41275c242602c04

memory/4020-8-0x00007FF64DB00000-0x00007FF64DE54000-memory.dmp

memory/3976-14-0x00007FF6797C0000-0x00007FF679B14000-memory.dmp

C:\Windows\System\oMMaSGG.exe

MD5 e04200b80a537efd39c58668175e0f93
SHA1 a4a6e0ac3fc5a4c935ff65f12a951d18ca5a6096
SHA256 11efe6ef54669cb540ad07aba1706cb37a4288536dd2df03bb815bdda105e015
SHA512 bf6ec8fdd1b2de612b8adb6ca528b12f54b9bc2919e49f5e18b6a1ef78175d35203868b340d49b334052e171a7a77a08e6f30638bee1ff60c9eb2f7acd5264b8

memory/4052-19-0x00007FF6BDC10000-0x00007FF6BDF64000-memory.dmp

C:\Windows\System\FaOOhZR.exe

MD5 1e8f4fd9bc2763341626c33a6bfae62b
SHA1 3c49f54a38be8f401bfe31e691730946efb07f6e
SHA256 5645ba9c683af2541d08ccaccda1c83de384ca3268642abf2a26c935d7113fd8
SHA512 622bdc40634619c00afe91c5e58aa410e3d9a7a525b90c866c3b549575005db02dbeab4cef0069caec3967012933e5a4b9fa981b442331ec9373032e15e667a4

memory/3932-24-0x00007FF662DE0000-0x00007FF663134000-memory.dmp

C:\Windows\System\YuMHpyr.exe

MD5 a830c25b464fc28372a67cc0747605fd
SHA1 90c914dcd61c7d5116d22527df7a66da131e2804
SHA256 07d67984091f5812cff04430d18bb37664c9be7ecb0e767f6793e3d73382ddac
SHA512 92d7aa77858d85511d117b2ec25bf2eff1b1f80c9c462d47c1496eedffa9a3538657661c378b0fd7b646259c1a982a4bef0e71a0526ccb45a673455b1fdfdb95

C:\Windows\System\gXTVHQW.exe

MD5 cd345ac3f378c924ca24f47c7a0cfbd5
SHA1 55c9ae6f9f04e85a78b865cf75eec83a024bbacf
SHA256 3314db24bc471c7c2b896afbc40080a1ef181e50182ea4b4fb46eb00a5cb2e61
SHA512 a5e71d42c531c6b31337753626a62dc1efffcfeb420fb334e1e03c34a7c9d4d7c61cf43035c3e411d9d00db669c1e765c379ef256c6b5718d7098529ad9aad83

memory/844-41-0x00007FF71E6B0000-0x00007FF71EA04000-memory.dmp

memory/4808-42-0x00007FF677E30000-0x00007FF678184000-memory.dmp

memory/4716-39-0x00007FF702AA0000-0x00007FF702DF4000-memory.dmp

C:\Windows\System\iGnuqsO.exe

MD5 29e6a9c84cb0622c51821b292d216b97
SHA1 1c61a13081b4be8a7bfa9bc0f055c614363c96b5
SHA256 d68dbdf8470385cb845f7a4daa01e734b30babafb5d0ebe9d9fa3c2dbaaacddd
SHA512 628cdb47a053a8b8e50c99626df93fa2b63f9bb875a442d64a1a091f6b2210a33c56ebd406fdd1502869041938e26cc17a4ee8709d7b0bcc3aab9be521391c4f

C:\Windows\System\ICNKbLx.exe

MD5 4c550832f096464e035df25e40ab567f
SHA1 db80231d39e531b279000661b48d1179c91ae89e
SHA256 1e5e5a975a5db274f187ce46a29b41b674f750aca78fcec902d7ac1728606728
SHA512 51d66c9d1c972b3db080c27cd53b5ad5ed47f27f484cffd42eafe99032266b393ab6510bd6340c33c59735ea9c292bb3d7f1b03ca3f0a39da77c27002850b48e

C:\Windows\System\SNomiOt.exe

MD5 aab21b7d65623cd35593db2e7b874869
SHA1 e6773e8429e6af4cde98b2a5a53d8aa15d8c9447
SHA256 ff11870aba6b62e9db16aa133b4427b0a9b23c7d2a10c03cac01bda0ab1f1659
SHA512 72ee712f4d7a71b9e023a67c610ebf73c5da0ea27ddd16b913323fdf6afaa25ed6aae9ebe7270e5d5b46160e8d2ffc00060d477430dfdfd1e739b8d8ac6a5f7c

memory/4956-50-0x00007FF7FABE0000-0x00007FF7FAF34000-memory.dmp

C:\Windows\System\FylkGdW.exe

MD5 81a818e966a6e81ddf9305428f1a1a87
SHA1 b5447cf75b765318096bc7ec9fc4e87dea3ae1dc
SHA256 cde3db972bcf4e46b3c8f87bbc11bdeb984624a3b5f07c073632bc18de1dd5fe
SHA512 a758d4c03d9b57046031f5cb87b0fd97cafa2b25b651e4236bf2ffc70af9d0f14494f625cf0adb34b98309a2b686749e9a20678ee2203982231a73fd9a51ee65

memory/2600-56-0x00007FF60F990000-0x00007FF60FCE4000-memory.dmp

C:\Windows\System\WoIaPnq.exe

MD5 048fc865d99a179ee43c40e472a0a004
SHA1 cbf597e58b0e959c7c9b468a77058b65438b983b
SHA256 98ad1858258aa29f7c46075ba1829e5e08ff1f80a095ea6b5e1c162069d0f798
SHA512 4baea6ed0b88536021f8c72d1b6e6d9e4dcb3d20d37638ffe23449bcaaa5a5faa936a5966f44d23cf2f516bcf7d6ad601972973890c5f13a6073c94c11cca7a8

C:\Windows\System\SUPKLoA.exe

MD5 ff629ff2ee4958b40dc85ac1bb7e292d
SHA1 b8d339d81d0f391e0b02fb6e079ea2f2ef8c6a1c
SHA256 c0a81651d9bc2a23973f997aadbb63b53caa61ec65c95e7be0a88d947754ea9e
SHA512 aadc07cf8c405a7534afa2da57aaeba11658700a8d1f43049e9064ceb8711b3f96def18d99b18ce1a74c234b10d3335c7e97a20a754af176a3efb65ad13d7d42

memory/2124-62-0x00007FF6C1570000-0x00007FF6C18C4000-memory.dmp

memory/4880-66-0x00007FF68C720000-0x00007FF68CA74000-memory.dmp

C:\Windows\System\SSklPbO.exe

MD5 2537f8b26adcff3ebe9023385088831c
SHA1 6d38fa9914a0605a86bb249cb6b7c3b7c89a4cc0
SHA256 087a7b0c5ddd7098c8d43fb77428c55013479598fbcb76fdad209ca3eca588fe
SHA512 667efdbc77fd2bfa6e3ca2f3570fb591920e6c36952498f54322856eb26765577ac15029e2b678081ef9109355116a0c4671b5debe7d19c101f41013ce08875d

memory/1116-71-0x00007FF66D530000-0x00007FF66D884000-memory.dmp

memory/1100-75-0x00007FF6A96D0000-0x00007FF6A9A24000-memory.dmp

C:\Windows\System\czaDPPX.exe

MD5 72bb6b5c8aaa98c3500e8b7ca20e8153
SHA1 972726d66ef2eca5659536569bbd07fd2381e8ee
SHA256 30940356ff74d7ac3e7968cd11d9671444d3a0d2064d8e2abe0515b3ed1d258d
SHA512 b5d22d862adca178ca553109cc13f4ece1a85182004d77a09989e826a79d47a00b520bf2191de29b461e09f5ba8de579841905b2445c35135342effff8b72817

memory/4052-80-0x00007FF6BDC10000-0x00007FF6BDF64000-memory.dmp

memory/400-81-0x00007FF660F00000-0x00007FF661254000-memory.dmp

memory/4716-89-0x00007FF702AA0000-0x00007FF702DF4000-memory.dmp

C:\Windows\System\UPMvsly.exe

MD5 d2136e2a0fb1e23b29df8799e959583d
SHA1 321b1a23610e535449c142f1d3a9e1e7f39120b6
SHA256 56173f4e1457b7bcea78c1e4467fbafd9f8959d55e24759b4db4719f8accc933
SHA512 2e2efed77d686d38d9f2a29a86a59b90d2db5f4fdbbeff34960d2149cf90e3e2b30448f5e9b77e2da59d957063d138deecd0a307c29517878f9ebb3de4097f01

C:\Windows\System\IJUopgH.exe

MD5 b87ba3a4fe621fdb57d912354e430e46
SHA1 bd9fe72b508e0595c0fd2a5f4d481d9d97e3ed9d
SHA256 4b539c004d825ddb9b71229fa9b2ff28c5bf4a04f5dc9a55299dec174dab0cf6
SHA512 3eb62de2d11d8af1af2c373c2bef50c5233ca92ee06f46bdcd84829f3c7e96bceb49cacbf5b59f0951ffa96eda645056d6766493acebd4e96a98b09af131b5d6

memory/1224-106-0x00007FF6D3860000-0x00007FF6D3BB4000-memory.dmp

memory/3788-104-0x00007FF68CA70000-0x00007FF68CDC4000-memory.dmp

C:\Windows\System\kNUIZXw.exe

MD5 d00cec7d06298d2a7170f84f97dab3a0
SHA1 6c4729ef7c59eb2e276970069cd71740b18eb278
SHA256 9f8a268e3ae855d849665866041d0a0c99b0ae2a45d7df60b9ed07dd5c262fec
SHA512 a262aceb4f620c15d3ecb5568209572937dc466ec923953bd0a161f1b74f1ad368b54deee80688912f9cc4d8414273854d963fd78a872f7160f354571445698c

C:\Windows\System\PQIRVDv.exe

MD5 24a8760281dca8e51bfbaaf59d53e022
SHA1 0fbd8847f6ffeeb19b6b2814f5669decc7c2da53
SHA256 6c78f42ffa52876e47cdbe48fae72e0f770c0e7582a9be81c392cf3308d948cb
SHA512 272efe14b06753b9b63fa3aac8c698b6563308c4e184f658acc13abc155d301948a28d59876a937b000a35fade5dd6c25d3074617db92588b9a62fd151f78e25

memory/2100-94-0x00007FF688200000-0x00007FF688554000-memory.dmp

memory/1768-93-0x00007FF74AD90000-0x00007FF74B0E4000-memory.dmp

memory/3932-88-0x00007FF662DE0000-0x00007FF663134000-memory.dmp

memory/4436-115-0x00007FF6AAAA0000-0x00007FF6AADF4000-memory.dmp

memory/4808-114-0x00007FF677E30000-0x00007FF678184000-memory.dmp

C:\Windows\System\VpCmacb.exe

MD5 1256ae5ff2e440f86404a0118b08a315
SHA1 083d7d117ed0371781704680fe0763a7111d0ed1
SHA256 afca597a6f7330d84d48011ce5f9971c3d9bbc1256d2385a3cf4423a835eaad6
SHA512 38e16bd970879c612324d86165161c6d680623f97f1375aab933cdc58e32c7c04f4635a83ec454eda35c10b4c0960e8184bacf96b66de4bd886136e07c2805d3

C:\Windows\System\dxgWSCz.exe

MD5 69684c269d4b117890dc6a30f5d8dbbe
SHA1 204bee195c72af86eb198ecae8f9344b0769da3a
SHA256 6a0d0224f1ac2e9a7d1ba8e791021e8ceff1e761f08a76c057b7b232417bb1e2
SHA512 8f7c0675fa94aa1a35c3715ea8cae6f80c0e7b24c933116230ca04504d059196f6c56acd479c3590ab309fb3b0e8397cfd5e96466fa56c51c76b968be79a41c7

memory/4440-121-0x00007FF7EC0F0000-0x00007FF7EC444000-memory.dmp

C:\Windows\System\GwoNuVb.exe

MD5 a8095c514c1bec1de02357135d548b60
SHA1 c8fdca17f4e4d6d715548fc4807da69e8f1f50b0
SHA256 eb282dded4dab25bea8c10becec49f43c260617c5752dac1277f5012475b5b62
SHA512 cad516fceb0849c3c0c153fde8496f2e5ce1f259c9336b1df9a56f8a151141ff551db800e10a92ba635220a4a9f1be7d2262d7c621710114b0228d0bc48aa897

C:\Windows\System\RrhOMWi.exe

MD5 85b3c3af41eb064eeae851ebce4ba093
SHA1 050a6690b98a74f5f969a2772716330813abf35f
SHA256 39d1ecef2738be8c26eca38dda6e9fa7d7c175f7055e3f512205474dd55b010b
SHA512 a4f6bd8b066918a88a8562ba3dc58b885362740d0e28dc663f92d18d712bb03335315cef017f466857af6356c6528650421021be6348fb4b68839d916048864a

memory/4216-130-0x00007FF608E80000-0x00007FF6091D4000-memory.dmp

memory/1340-129-0x00007FF6C9220000-0x00007FF6C9574000-memory.dmp

memory/1116-133-0x00007FF66D530000-0x00007FF66D884000-memory.dmp

memory/1768-134-0x00007FF74AD90000-0x00007FF74B0E4000-memory.dmp

memory/2100-135-0x00007FF688200000-0x00007FF688554000-memory.dmp

memory/1224-136-0x00007FF6D3860000-0x00007FF6D3BB4000-memory.dmp

memory/4216-137-0x00007FF608E80000-0x00007FF6091D4000-memory.dmp

memory/4020-138-0x00007FF64DB00000-0x00007FF64DE54000-memory.dmp

memory/3976-139-0x00007FF6797C0000-0x00007FF679B14000-memory.dmp

memory/4052-140-0x00007FF6BDC10000-0x00007FF6BDF64000-memory.dmp

memory/3932-141-0x00007FF662DE0000-0x00007FF663134000-memory.dmp

memory/844-143-0x00007FF71E6B0000-0x00007FF71EA04000-memory.dmp

memory/4716-142-0x00007FF702AA0000-0x00007FF702DF4000-memory.dmp

memory/4808-144-0x00007FF677E30000-0x00007FF678184000-memory.dmp

memory/4956-145-0x00007FF7FABE0000-0x00007FF7FAF34000-memory.dmp

memory/2600-146-0x00007FF60F990000-0x00007FF60FCE4000-memory.dmp

memory/4880-147-0x00007FF68C720000-0x00007FF68CA74000-memory.dmp

memory/1100-149-0x00007FF6A96D0000-0x00007FF6A9A24000-memory.dmp

memory/1116-148-0x00007FF66D530000-0x00007FF66D884000-memory.dmp

memory/400-150-0x00007FF660F00000-0x00007FF661254000-memory.dmp

memory/1224-154-0x00007FF6D3860000-0x00007FF6D3BB4000-memory.dmp

memory/2100-153-0x00007FF688200000-0x00007FF688554000-memory.dmp

memory/3788-152-0x00007FF68CA70000-0x00007FF68CDC4000-memory.dmp

memory/1768-151-0x00007FF74AD90000-0x00007FF74B0E4000-memory.dmp

memory/4436-155-0x00007FF6AAAA0000-0x00007FF6AADF4000-memory.dmp

memory/4440-156-0x00007FF7EC0F0000-0x00007FF7EC444000-memory.dmp

memory/1340-157-0x00007FF6C9220000-0x00007FF6C9574000-memory.dmp

memory/4216-158-0x00007FF608E80000-0x00007FF6091D4000-memory.dmp
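An added example, not part of the sandbox report: the Files section above mixes dumped memory regions with on-disk hashes, and its most useful property only appears once the region sizes are computed. The script parses an excerpt of the section (copied verbatim; the parser, the size grouping, the hash-length check and the IOC export are mine), turns each memory/PID-seq-start-end line into a size, and builds (path, SHA256) rows from the hash blocks. On the excerpt three of the four regions are exactly 0x354000 bytes; across the whole section every per-child region has that size, the same as the parent's own image region at 2124-0, while the 0x10000-byte region at 2124-1 is the odd one out.

```python
import re
from collections import Counter

# Excerpt of the behavioral2 Files section: four memory regions and two dropped
# files with their digests, copied as printed in the report.
FILES_SECTION = r"""
memory/2124-0-0x00007FF6C1570000-0x00007FF6C18C4000-memory.dmp

memory/2124-1-0x00000220F3550000-0x00000220F3560000-memory.dmp

C:\Windows\System\rezbDyk.exe

MD5 5e7e9bda2c53928f36556e0361e2b192
SHA1 d08c5a46c985bab7f7fcc78a1092ffdac39e0d51
SHA256 83606993f2a5c005a4cbdfeb5175a59ce573722665f29934c511f2942723085b
SHA512 dddb376b4e6b0f6c3f875fb9cb62aaab8d7de5a07e7c653fe6039e24863146e96b9f94caabd5a6c469320dff5419069fc37208d9c3234981d41275c242602c04

memory/4020-8-0x00007FF64DB00000-0x00007FF64DE54000-memory.dmp

memory/3976-14-0x00007FF6797C0000-0x00007FF679B14000-memory.dmp

C:\Windows\System\oMMaSGG.exe

MD5 e04200b80a537efd39c58668175e0f93
SHA1 a4a6e0ac3fc5a4c935ff65f12a951d18ca5a6096
SHA256 11efe6ef54669cb540ad07aba1706cb37a4288536dd2df03bb815bdda105e015
SHA512 bf6ec8fdd1b2de612b8adb6ca528b12f54b9bc2919e49f5e18b6a1ef78175d35203868b340d49b334052e171a7a77a08e6f30638bee1ff60c9eb2f7acd5264b8
""".strip().splitlines()

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(?P<alg>MD5|SHA1|SHA256|SHA512) (?P<hex>[0-9a-f]+)$")
# Matches both spellings the report uses: "C:\Windows\System\x.exe" and "\Windows\system\x.exe".
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\\S+\.exe$", re.IGNORECASE)
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(lines):
    """Return (regions, files): dumped regions with sizes, and path -> {alg: hex}."""
    regions, files, current = [], {}, None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := MEM_RE.match(line):
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                            "start": start, "size": end - start})
            current = None                      # a memory line ends any hash block
        elif m := HASH_RE.match(line):
            if current is not None:
                files[current][m["alg"]] = m["hex"]
        elif PATH_RE.match(line):
            current = line
            files[current] = {}
    return regions, files


def size_histogram(regions):
    """Regions per size; one size recurring across many PIDs is the tell."""
    return Counter(r["size"] for r in regions)


def pids_with_size(regions, size):
    return sorted({r["pid"] for r in regions if r["size"] == size})


def malformed_hashes(files):
    """Paths whose digests have the wrong hex length (truncated or mis-copied)."""
    return sorted(path for path, hs in files.items()
                  if any(len(h) != HEX_LEN[alg] for alg, h in hs.items()))


def ioc_rows(files):
    """(path, sha256) pairs ready for a blocklist or a hunt query."""
    return [(path, hs["SHA256"]) for path, hs in sorted(files.items()) if "SHA256" in hs]


if __name__ == "__main__":
    regions, files = parse_files_section(FILES_SECTION)
    for size, n in size_histogram(regions).most_common():
        print(f"{n} region(s) of 0x{size:X} bytes in PIDs {pids_with_size(regions, size)}")
    for path, sha256 in ioc_rows(files):
        print(f"{sha256}  {path}")
```

Every dropped file in the section carries a different hash on disk, so a blocklist built from these digests only catches these exact copies; the uniform in-memory footprint and the drop path under C:\Windows\System are the more durable indicators. The hex-length check is there because digests copied out of reports are routinely truncated, and a shortened SHA256 silently matches nothing.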