Malware Analysis Report

2024-10-16 03:08

Sample ID 240608-fb3acahb5t
Target 2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike
SHA256 c6976aab552fc4cfc5d4415a4fd4e92b78a97d837368a2261e21b7aa49948588
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c6976aab552fc4cfc5d4415a4fd4e92b78a97d837368a2261e21b7aa49948588

Threat Level: Known bad

The file 2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

UPX dump on OEP (original entry point)

Cobaltstrike

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

Detects Reflective DLL injection artifacts

XMRig Miner payload

XMRig Miner payload

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 04:44

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 04:42

Reported

2024-06-08 04:46

Platform

win7-20231129-en

Max time kernel

135s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 rows, all fields N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 rows, all fields N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (49 rows, all fields N/A)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (60 rows, all fields N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (57 rows, all fields N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\OLKtbGk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tMpxSGm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FvytjMe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GUDHafY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NtBxkDO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WsoCrLJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pCcHeRO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zxHRdpG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LFivVqT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rLWhJZD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xfhmbgF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cjBoZOh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sbZldbF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\krjcCyA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tQaVuvf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fKRwsjl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ofEZwaK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rPwgwVu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IOSkXFd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\agcdIuW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RmBOmPE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\tQaVuvf.exe
PID 2820 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\tQaVuvf.exe
PID 2820 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\tQaVuvf.exe
PID 2820 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\OLKtbGk.exe
PID 2820 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\OLKtbGk.exe
PID 2820 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\OLKtbGk.exe
PID 2820 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\xfhmbgF.exe
PID 2820 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\xfhmbgF.exe
PID 2820 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\xfhmbgF.exe
PID 2820 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\ofEZwaK.exe
PID 2820 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\ofEZwaK.exe
PID 2820 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\ofEZwaK.exe
PID 2820 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPwgwVu.exe
PID 2820 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPwgwVu.exe
PID 2820 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPwgwVu.exe
PID 2820 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\fKRwsjl.exe
PID 2820 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\fKRwsjl.exe
PID 2820 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\fKRwsjl.exe
PID 2820 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\cjBoZOh.exe
PID 2820 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\cjBoZOh.exe
PID 2820 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\cjBoZOh.exe
PID 2820 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\tMpxSGm.exe
PID 2820 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\tMpxSGm.exe
PID 2820 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\tMpxSGm.exe
PID 2820 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\FvytjMe.exe
PID 2820 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\FvytjMe.exe
PID 2820 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\FvytjMe.exe
PID 2820 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\GUDHafY.exe
PID 2820 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\GUDHafY.exe
PID 2820 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\GUDHafY.exe
PID 2820 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\NtBxkDO.exe
PID 2820 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\NtBxkDO.exe
PID 2820 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\NtBxkDO.exe
PID 2820 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\sbZldbF.exe
PID 2820 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\sbZldbF.exe
PID 2820 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\sbZldbF.exe
PID 2820 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\WsoCrLJ.exe
PID 2820 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\WsoCrLJ.exe
PID 2820 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\WsoCrLJ.exe
PID 2820 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\pCcHeRO.exe
PID 2820 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\pCcHeRO.exe
PID 2820 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\pCcHeRO.exe
PID 2820 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\IOSkXFd.exe
PID 2820 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\IOSkXFd.exe
PID 2820 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\IOSkXFd.exe
PID 2820 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\agcdIuW.exe
PID 2820 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\agcdIuW.exe
PID 2820 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\agcdIuW.exe
PID 2820 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\zxHRdpG.exe
PID 2820 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\zxHRdpG.exe
PID 2820 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\zxHRdpG.exe
PID 2820 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\LFivVqT.exe
PID 2820 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\LFivVqT.exe
PID 2820 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\LFivVqT.exe
PID 2820 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\krjcCyA.exe
PID 2820 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\krjcCyA.exe
PID 2820 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\krjcCyA.exe
PID 2820 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\RmBOmPE.exe
PID 2820 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\RmBOmPE.exe
PID 2820 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\RmBOmPE.exe
PID 2820 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\rLWhJZD.exe
PID 2820 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\rLWhJZD.exe
PID 2820 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\rLWhJZD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\tQaVuvf.exe

C:\Windows\System\tQaVuvf.exe

C:\Windows\System\OLKtbGk.exe

C:\Windows\System\OLKtbGk.exe

C:\Windows\System\xfhmbgF.exe

C:\Windows\System\xfhmbgF.exe

C:\Windows\System\ofEZwaK.exe

C:\Windows\System\ofEZwaK.exe

C:\Windows\System\rPwgwVu.exe

C:\Windows\System\rPwgwVu.exe

C:\Windows\System\fKRwsjl.exe

C:\Windows\System\fKRwsjl.exe

C:\Windows\System\cjBoZOh.exe

C:\Windows\System\cjBoZOh.exe

C:\Windows\System\tMpxSGm.exe

C:\Windows\System\tMpxSGm.exe

C:\Windows\System\FvytjMe.exe

C:\Windows\System\FvytjMe.exe

C:\Windows\System\GUDHafY.exe

C:\Windows\System\GUDHafY.exe

C:\Windows\System\NtBxkDO.exe

C:\Windows\System\NtBxkDO.exe

C:\Windows\System\sbZldbF.exe

C:\Windows\System\sbZldbF.exe

C:\Windows\System\WsoCrLJ.exe

C:\Windows\System\WsoCrLJ.exe

C:\Windows\System\pCcHeRO.exe

C:\Windows\System\pCcHeRO.exe

C:\Windows\System\IOSkXFd.exe

C:\Windows\System\IOSkXFd.exe

C:\Windows\System\agcdIuW.exe

C:\Windows\System\agcdIuW.exe

C:\Windows\System\zxHRdpG.exe

C:\Windows\System\zxHRdpG.exe

C:\Windows\System\LFivVqT.exe

C:\Windows\System\LFivVqT.exe

C:\Windows\System\krjcCyA.exe

C:\Windows\System\krjcCyA.exe

C:\Windows\System\RmBOmPE.exe

C:\Windows\System\RmBOmPE.exe

C:\Windows\System\rLWhJZD.exe

C:\Windows\System\rLWhJZD.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\system\tQaVuvf.exe

MD5 a6992f0d6edf071286d0ec798f60c0d6
SHA1 1eb5cb0921426b100d3511f9ae4d546f3e4843ee
SHA256 07a2f6b7cb64f164d04c0e2ff902673f983063484929f68e43e678b51878402d
SHA512 2a18670680d0b437426c0a140008e033123099a445dd146f0021ad82ee08998f8358667bfa7c73405f95e174507331e2afa25dd649d6e9b19838c21a6451f602

C:\Windows\system\xfhmbgF.exe

MD5 223290c208bd688d3c39ffa22cd1b7a1
SHA1 2b563b399ac4bc948a6cef4f2e101dec94f34d57
SHA256 1be058a87a511d257fb0d3915c419035e1d115f48c4b08c0f16e926c39c8f3e3
SHA512 04c3cef61c4f96333a6ab0a1c9aa202271688212be83e1a8baba660a7926e4ed8f91ebea929dc1dec17e8ff4025bfb5f291b47f8e015175018178c7c3dba5d71

memory/2352-22-0x000000013F920000-0x000000013FC74000-memory.dmp

\Windows\system\fKRwsjl.exe

MD5 4830547ce6b7734260f78d1e1d8b37e8
SHA1 ec2b6774c9d53b969751b236eafa6901180bcbba
SHA256 cf5bac379cd21af794de2fceade61e1a6c4cf80f6437ec3eff916cb5151731ca
SHA512 1a093eead6047d8a3031885d63d07f45756b5bb7154aaae185440ecddec13059995b1728646c902a8300cac4a5807e20b0c0ea82f4d5a0044a84a4142e079f6b

memory/2820-36-0x000000013F430000-0x000000013F784000-memory.dmp

C:\Windows\system\cjBoZOh.exe

MD5 af4b1334bb21d19c042cdc7fef14a372
SHA1 c1ec5fecf28179543f1d8e095dd1b79e8938918d
SHA256 8001899337b88a3afb00833efddd5aab2d9aa47f832da7d09939453a21b588b8
SHA512 903d30a298f67f19346135f18113cdfbb2ca8ce0eb26bfe1fbf9fbd43c901fed5b1cac575390f044e7476bdbf3cee4a5e8c4c54e02129fd845a872f70e0c1b59

C:\Windows\system\tMpxSGm.exe

MD5 01144ecef9069cc1f23870d1872246bd
SHA1 d0464225768d337c98d73abda91632df66df2135
SHA256 f8927abc76c7ab5299cbee405a35d4d253e67575541d9ac55bb41e3b2151747f
SHA512 b6484c14c489d0339c430081964c915d4cebc05d65cedfad3e8c2d4c04d0b458acf75021cc15c77dde7ef68671df31b4c5db226bdd3194f07588f3fa01639c38

C:\Windows\system\GUDHafY.exe

MD5 b1c34639981e1c4605cb03aa8231f634
SHA1 b424e29e516c27431fda517ee9a9e8f615074110
SHA256 80f6d98c155a8d21719cd2cc1f12c711e359fa3327c6fc4b63a4df04d26609a4
SHA512 813ed843faf56d9c15ab581b8d58267b7f38a1d4ff81f3e0844ace0f0482c9b1f6207b2a12ea4e2a01041459eb467168797a2882d5b89509d97568c427f67a50

memory/2128-54-0x000000013F430000-0x000000013F784000-memory.dmp

memory/2820-58-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2820-74-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2820-77-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2096-79-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2820-78-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2820-76-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2540-75-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2480-73-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/2820-72-0x00000000022D0000-0x0000000002624000-memory.dmp

memory/2828-71-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/2820-70-0x00000000022D0000-0x0000000002624000-memory.dmp

memory/2700-69-0x000000013F7E0000-0x000000013FB34000-memory.dmp

C:\Windows\system\sbZldbF.exe

MD5 aa021f5743cd0e2e0f9b44031ad681bf
SHA1 5b2c84234dd57ca4e38d31dbb4bf030aadb16f13
SHA256 0ba76fbd26df60af5b71c9c6c8398bc2d1568cbbe498b8afbcf744d0c55b3fca
SHA512 7f54c4e9f82bfe5c439e10848eb9696700883e58e03dae08e7b2e7190a1cbb1f7271563622928939bebac2462cb49b065cfe1ac15bbedbc61f1357303d927b77

\Windows\system\pCcHeRO.exe

MD5 6a79b638efa48b81747c4eda4cef621f
SHA1 9dfd3f699594994c11af9e80b8c19a0fffc6d535
SHA256 26398ee3f9290c9578e20462c8824d9492df4bbe90e08eb240246e3da3f5aa4a
SHA512 72c3af16a75cfc935496a3994b22e7c02da212adf6a0f4d471fcb7c7970d6c3e0408b762d972636cb69974a7ace8504e4127785f9fb855cf432b979883f38428

C:\Windows\system\agcdIuW.exe

MD5 38e1b7b0b9aa649f5c14f03127a6d132
SHA1 3917ca36707cd2c4dba6b6926d34a14a7bb117b1
SHA256 ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72
SHA512 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0

C:\Windows\system\IOSkXFd.exe

MD5 250ad7a4e01f04597d52046ab0429fc5
SHA1 8b600ec683dbd95076ba479a58ece0eae2c8a536
SHA256 abae4585553ded2d4e201e1c673e89b67097b9be8d9edd737c5aad26c862c030
SHA512 abd5660b83a42eb219cc4a14b5e83d809ee2c1c8a7b812a8d67f3ab0a842d6f8947b6878da09f377236f6e5474dc4b0b39a482722e70b77878504b73c361923a

\Windows\system\LFivVqT.exe

MD5 1045d27158bb23cbae2863a31d3aa66f
SHA1 b5b81d053c6e8f7881b36a3a0ac5e0bc07d6307c
SHA256 157d60736e70dfd4cf13f44cb4de19d63ac5666edb169d78b829a3ddf188e54f
SHA512 40b46f6153516f8313418a8dc01f6413353bd9e75dfb0d1af8c01ffc5d9bd6de18973a00d80d7b6c1ef45f177f282550bb0a9cd7c03a71f5986c7b7e41740e30

C:\Windows\system\zxHRdpG.exe

MD5 7ca4c7d08ec840a69d3101c638d4b72f
SHA1 9a0bd3c709f755b63121fadc936f446aec1e7ee6
SHA256 ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7
SHA512 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b

\Windows\system\zxHRdpG.exe

MD5 47d7b88382d457d7c913c6fb06391de8
SHA1 5c0171404a1f7303a03749cde444fffb299dc5e2
SHA256 109ea701568cb51dc375c553f3dfb842d1bbba7f38def2c7f1210b8c83b08109
SHA512 a2ebbe1b06a03a8c2a4d9ea49c3479b887a39707ee0921c2464aaf7d7d404b80f79d70b00f27f44dde41de9d3dd886b23f849839f8a2f5899497b678e0b61108

memory/2820-100-0x00000000022D0000-0x0000000002624000-memory.dmp

memory/2008-107-0x000000013FFF0000-0x0000000140344000-memory.dmp

\Windows\system\agcdIuW.exe

MD5 e1b5d11fe379e5e4fb55f6a03df049eb
SHA1 4dc6b815d658fac3ad97ff5548546b61f351ca5d
SHA256 99ed279e1b8d4619b7098300b9ff6f654080db6250ea836c905b7e9585f6dffa
SHA512 e9b7542985b2119ed081e1984badf4ac95b327938b613270a8c55ad088e0da50cf45d0ab3cb5a5374a6bd924b8a3c6689444f34490a338cc2c61c79618d2fdb6

memory/2820-99-0x00000000022D0000-0x0000000002624000-memory.dmp

C:\Windows\system\pCcHeRO.exe

MD5 6fb6863d9548f3879b1ba1b64fc45a68
SHA1 0dc40616de903c417cc9a8b581f9078af09ea60a
SHA256 b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82
SHA512 cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61

C:\Windows\system\krjcCyA.exe

MD5 bff5e52b98278428981d89d50b97cdf0
SHA1 b0145023cb079129d5e2f4af672d7013418cc6c9
SHA256 481a44ea91bb608b317a2c1c9f95204016baa6e0cbdf360b1496024b3d71986d
SHA512 7dfb6817237ce5c6a8349062b5061d3640d3043c4049a975789691397f1ca198c4800023a5098c9f4952c5acc16e8c7ab57e57df348cf485f326f756be76b355

\Windows\system\rLWhJZD.exe

MD5 7278af7f52232e096331e99677eb07ca
SHA1 5b9ae7cb082945ceefcd6c73325e43cd53c470e9
SHA256 d4450755e0067e71d233e2fb373cd5342d6420be80a9857fa4939c6abd0fca73
SHA512 8b13dad05e18413dd056b3d31f32d579ea078595b34f94dbea755a2271462076eba775c8d476adcef0f781912f0bb4889b0e45dc382e37f7adbd16eb2e3bde38

C:\Windows\system\RmBOmPE.exe

MD5 93fa439c7ac5c6f5b4ff052d46df769e
SHA1 cf0324227148d998a38b1908e82abf30a8979a03
SHA256 fc2a0b9f805457695f43bffc83b3c791a171d3bf5e185a43d4c05498d3fca380
SHA512 9c06563d65b8adf1223f04821b3ebcc1196df8398cf82b91de88284742d6bc2eed9a31a3e3ecaad00c5039c8bd7a2c6137f34ca2902f40a79f1f0712a9349899

memory/1696-97-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2820-92-0x000000013F480000-0x000000013F7D4000-memory.dmp

C:\Windows\system\WsoCrLJ.exe

MD5 db9bce43f13df4a675e86fb6e9911e69
SHA1 733d15fa3177fdc22474d36c18374dff67f9eea9
SHA256 da5b3f69f04ba1b02a4e1980097a89d717ba90234e27c12a55f5ecc179ceb6b3
SHA512 9cda5f04d00d96845d16efcdd5e2243163cc7915c0dbe5e6d948840402db9aaf8110b18bc44ab5e9c9a69951e1a42de07f32f57dfdf8ef1588ffdfeaf233b856

memory/2368-86-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2820-85-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2820-68-0x000000013F7E0000-0x000000013FB34000-memory.dmp

memory/2596-65-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2640-64-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2584-62-0x000000013F6B0000-0x000000013FA04000-memory.dmp

C:\Windows\system\NtBxkDO.exe

MD5 b535ee21ea9075024dbfa4eeb5ad2063
SHA1 9df8ae788008b01af7afccd4641643fb80af8970
SHA256 49ad60408e2181b6f83cfcbb0ca194aa9ff4d54150cacf977de83ddac7593946
SHA512 9e97b656f0cbf773f39127d9d6f29ca6751465fd02504dafc6056cc285231c9ca3420b05ae3545ebab2cc22b167f5676793d1e4b8bc17c83ba5c7981cf9d0a76

\Windows\system\NtBxkDO.exe

MD5 f6cdfb3d88537b367792cbd894bd98ed
SHA1 3d3f99c94c72c456dffcf949bc5d30603a7e936c
SHA256 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86
SHA512 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

\Windows\system\FvytjMe.exe

MD5 04d080fcb4119488cce7e08853d03abc
SHA1 1716829293776f790b7a8079c295b9dc1e1db64a
SHA256 d6cfb01d0b11c33169b94ad604cd62b047fe3f9af705e054714b22dea5774ada
SHA512 3694d9a0083d59cbfa3f138550a0cbff03e677364b3adb92064b43019cd867dfcb49d62315d2ecdee9616f0c0a89f2bcfa8899b08bf337edb05ef122be416809

memory/3028-32-0x000000013FEC0000-0x0000000140214000-memory.dmp

C:\Windows\system\rPwgwVu.exe

MD5 f0cca580442925c5eaa70b383dbb615a
SHA1 e3aeb77c93931230c7d94ad0a9e210e49ef23b92
SHA256 7c2b8f85f35dc76b41ab689e6b10607fe934ee399e688d70d52c35ed2d0c40cb
SHA512 f1b8b5de5d0cb0a74c418402bfc1339fff26574d662c97c222a9b3f5ff90ea97447a0490e2ecfd81c6e05938aff1da63f27f8b869bc76a3b6743565a8e75f9df

\Windows\system\rPwgwVu.exe

MD5 984a8cf637fc9f46a5be1646493a183b
SHA1 eff3045fcb5d0b4a9321004fdd3e94f3f336f5af
SHA256 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068
SHA512 f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

memory/2820-25-0x00000000022D0000-0x0000000002624000-memory.dmp

C:\Windows\system\ofEZwaK.exe

MD5 395a138e7d83b3151a400bc20096b6e4
SHA1 3e4011f9d7e2d9d7f698bcaa1aa6ff33a3fb1bfa
SHA256 ff2b179c923912f539fb2c4fa52b1c8c8d2d6d577000b0366b18e5f55876a628
SHA512 79d17b856f55843cb6d4aaadd5255c37e192e9af81ed6625fde28de8234e7a6db91851878c74876b0e426396433220bd1cc254e03c95da38de6abe923ba8286d

C:\Windows\system\OLKtbGk.exe

MD5 a64a49f83d2b9d16d5bdb1bfc43d3ed7
SHA1 0d675559f2a0e24df4da783fc9fba0417096bf19
SHA256 d8734139074b95bfe65c89d26f3edfcde9c067568965e72298511a8c61dafff3
SHA512 d67450ec3df55de83701f9b7a635c10ba14cf3a5341f709d827510057d05b27e1de99ae028af35ab7c63177a870e3a5f0e579f6ada4bf6b0605b080221e4fea0

memory/2820-10-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2820-1-0x00000000001F0000-0x0000000000200000-memory.dmp

memory/2820-0-0x000000013FCB0000-0x0000000140004000-memory.dmp

memory/2820-136-0x000000013FCB0000-0x0000000140004000-memory.dmp

memory/2820-137-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2820-139-0x000000013F7E0000-0x000000013FB34000-memory.dmp

memory/2820-138-0x00000000022D0000-0x0000000002624000-memory.dmp

memory/1696-140-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2352-141-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2584-145-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2640-146-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2128-144-0x000000013F430000-0x000000013F784000-memory.dmp

memory/3028-143-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2096-149-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2480-151-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/2700-150-0x000000013F7E0000-0x000000013FB34000-memory.dmp

memory/2828-148-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/2596-147-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2540-142-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2368-152-0x000000013F040000-0x000000013F394000-memory.dmp

memory/1696-153-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2008-154-0x000000013FFF0000-0x0000000140344000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 04:42

Reported

2024-06-08 04:46

Platform

win10v2004-20240508-en

Max time kernel

138s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gXjrjLB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wAuAFWX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jCEtliZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YXQRtrQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HqtbRDp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jMhVfyJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JHhmkwl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PGNAHKl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lMzQJwi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LTatXIP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sBUbJKo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HYxIPmg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zmuhSMF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kLQhPVZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eZjpsZR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OnhrRCw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qbvkORx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RvMXjjB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cBMWTQv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IBEvdHZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CEeEQkU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4852 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\wAuAFWX.exe
PID 4852 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\wAuAFWX.exe
PID 4852 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\jCEtliZ.exe
PID 4852 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\jCEtliZ.exe
PID 4852 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\YXQRtrQ.exe
PID 4852 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\YXQRtrQ.exe
PID 4852 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\OnhrRCw.exe
PID 4852 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\OnhrRCw.exe
PID 4852 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\HqtbRDp.exe
PID 4852 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\HqtbRDp.exe
PID 4852 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\qbvkORx.exe
PID 4852 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\qbvkORx.exe
PID 4852 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\lMzQJwi.exe
PID 4852 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\lMzQJwi.exe
PID 4852 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\LTatXIP.exe
PID 4852 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\LTatXIP.exe
PID 4852 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\HYxIPmg.exe
PID 4852 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\HYxIPmg.exe
PID 4852 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\RvMXjjB.exe
PID 4852 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\RvMXjjB.exe
PID 4852 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\jMhVfyJ.exe
PID 4852 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\jMhVfyJ.exe
PID 4852 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\sBUbJKo.exe
PID 4852 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\sBUbJKo.exe
PID 4852 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\cBMWTQv.exe
PID 4852 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\cBMWTQv.exe
PID 4852 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\JHhmkwl.exe
PID 4852 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\JHhmkwl.exe
PID 4852 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\zmuhSMF.exe
PID 4852 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\zmuhSMF.exe
PID 4852 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\kLQhPVZ.exe
PID 4852 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\kLQhPVZ.exe
PID 4852 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\PGNAHKl.exe
PID 4852 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\PGNAHKl.exe
PID 4852 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\IBEvdHZ.exe
PID 4852 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\IBEvdHZ.exe
PID 4852 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\eZjpsZR.exe
PID 4852 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\eZjpsZR.exe
PID 4852 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\gXjrjLB.exe
PID 4852 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\gXjrjLB.exe
PID 4852 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\CEeEQkU.exe
PID 4852 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe C:\Windows\System\CEeEQkU.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b0ac92524e77206350c295fad388003_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\wAuAFWX.exe

C:\Windows\System\wAuAFWX.exe

C:\Windows\System\jCEtliZ.exe

C:\Windows\System\jCEtliZ.exe

C:\Windows\System\YXQRtrQ.exe

C:\Windows\System\YXQRtrQ.exe

C:\Windows\System\OnhrRCw.exe

C:\Windows\System\OnhrRCw.exe

C:\Windows\System\HqtbRDp.exe

C:\Windows\System\HqtbRDp.exe

C:\Windows\System\qbvkORx.exe

C:\Windows\System\qbvkORx.exe

C:\Windows\System\lMzQJwi.exe

C:\Windows\System\lMzQJwi.exe

C:\Windows\System\LTatXIP.exe

C:\Windows\System\LTatXIP.exe

C:\Windows\System\HYxIPmg.exe

C:\Windows\System\HYxIPmg.exe

C:\Windows\System\RvMXjjB.exe

C:\Windows\System\RvMXjjB.exe

C:\Windows\System\jMhVfyJ.exe

C:\Windows\System\jMhVfyJ.exe

C:\Windows\System\sBUbJKo.exe

C:\Windows\System\sBUbJKo.exe

C:\Windows\System\cBMWTQv.exe

C:\Windows\System\cBMWTQv.exe

C:\Windows\System\JHhmkwl.exe

C:\Windows\System\JHhmkwl.exe

C:\Windows\System\zmuhSMF.exe

C:\Windows\System\zmuhSMF.exe

C:\Windows\System\kLQhPVZ.exe

C:\Windows\System\kLQhPVZ.exe

C:\Windows\System\PGNAHKl.exe

C:\Windows\System\PGNAHKl.exe

C:\Windows\System\IBEvdHZ.exe

C:\Windows\System\IBEvdHZ.exe

C:\Windows\System\eZjpsZR.exe

C:\Windows\System\eZjpsZR.exe

C:\Windows\System\gXjrjLB.exe

C:\Windows\System\gXjrjLB.exe

C:\Windows\System\CEeEQkU.exe

C:\Windows\System\CEeEQkU.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3468,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=2404 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/4852-0-0x00007FF6541B0000-0x00007FF654504000-memory.dmp

memory/4852-1-0x00000223562B0000-0x00000223562C0000-memory.dmp

C:\Windows\System\wAuAFWX.exe

MD5 47aa6e7880d5d7a9c210a8d6eb010c30
SHA1 4f4f97ab7452fedfb8b32135b9b6f72bc03dc76b
SHA256 c405b9b2de9ea26852bf43b73b2ef8a680d98c2238c2dcf0f91fce57b0171e99
SHA512 a3859436c4c8f5bec58ac33d0b19e873b48384c9e65401a55c47b51dd0e542fc85c749a32f75b2dc72467ba737637d421c4781c8928d210c27b809fa464d1510

memory/1192-8-0x00007FF7F6AC0000-0x00007FF7F6E14000-memory.dmp

C:\Windows\System\jCEtliZ.exe

MD5 0f7db1acf5d2b71d2bb2e8a45566f7f3
SHA1 de154a1d6026bef5871a8f83ed6d6d93fb5d87bf
SHA256 a9a692ce0bb47f16664d2f4b5e97d928c439d844bd0971177cfb860f4a02950f
SHA512 b43fe1ea6e7c6b7bd1698dbead83992aaa05b5fff21a310e225f3c9951c5f423e4ac63206950f71e2e34b0bd388e4123c6327dbbc749df35d7d2d820de381e1f

memory/2416-12-0x00007FF6BEAD0000-0x00007FF6BEE24000-memory.dmp

C:\Windows\System\YXQRtrQ.exe

MD5 8554def9eecf22326d1c0711319e042a
SHA1 80934a8a84d9b3ba030590b3ec4697d2802bd76d
SHA256 35d0ea20b6c37d37b2a7a1bce82bb753a579b3fabf73eeaf0a97933b66d8a03e
SHA512 cf697a7b36bf52f1dbe9f2ba5fd0822868db93febc492c34c4149012a602d3712171a7c0b359578f6cee6390bb16c9e2a759e92f64b8799bdddd56737dd3c005

C:\Windows\System\OnhrRCw.exe

MD5 3afa71f5edb8bdce0308c72f7f282d06
SHA1 cefa6f5c806ef3dab73ad8973dce932037c35b44
SHA256 1e2c70746bf2ca7534ce5af9fac97309e6c10fa3a58df07455d79c22ac0cf377
SHA512 f33dacd052f7f4296e8d38a128937370bbdebbebaa13b53da23869e1a9015301292a0f08f87b4f7aeb5277c1110f11ffbe571eef6609d2cb10050487b3ef6ce2

memory/3272-22-0x00007FF637F80000-0x00007FF6382D4000-memory.dmp

C:\Windows\System\HqtbRDp.exe

MD5 204e982c3006189984944dc7eaf13309
SHA1 16f46e9d3472c08a69b7cabb05593a0219935b05
SHA256 8dad0bcca293e948f415d030d3bc89ae019872777d2ab7606b6cb8753f4a4ff7
SHA512 aeba0efc7093074057be04c36cb26c1febe91c2d397f411c958e9a680336b989ca687b97644eb5df6e1dc00f15798b13fb394ad89f3243b7513abbfbe7fa8da1

C:\Windows\System\LTatXIP.exe

MD5 76f8c665cdf5a60cbc80f7ebdc1938e6
SHA1 d10fc42dc7ea45fd727a2d12c5c7c0c5a6b4390a
SHA256 e7b8f21bd0a3f357d39ece56d4447deb4c9089dc2a83c25f8d5ef79f272dca42
SHA512 d40017d7ac1c8a771211b3c85be7419149b63a27f72e6104c502e05f87ce0c5f818a87e0f0daee81cc6349b5c84ab412cf2090b626b1d4c9dd6eed41974e6864

memory/5092-49-0x00007FF788200000-0x00007FF788554000-memory.dmp

C:\Windows\System\HYxIPmg.exe

MD5 759f0b1014b0830905d1d59bf1190f36
SHA1 89adc4c111cdc64d3257925466be155dd572c42d
SHA256 c33e8a29f056629b0e3dc2629b750c71bef1cdfe618f70609162d35e86679cbe
SHA512 77e519cfc32b32ce2e45d3b34fe2d849b6bd8101fadae749ff2bfe94cd6d96e780b55e65e07d8be5b2168d8f64781e15c48879f05f19360a0ab39d59f07a94cb

memory/4580-55-0x00007FF7E1990000-0x00007FF7E1CE4000-memory.dmp

memory/3864-56-0x00007FF6664B0000-0x00007FF666804000-memory.dmp

memory/3092-51-0x00007FF650B40000-0x00007FF650E94000-memory.dmp

memory/4152-50-0x00007FF7B8B40000-0x00007FF7B8E94000-memory.dmp

C:\Windows\System\lMzQJwi.exe

MD5 85632817de59ba03d86293f556405dd9
SHA1 7b166bbd39835df95d6377700199c6812c8cf345
SHA256 1aabf0a30a5483e06061ae3fec5bb07d3b38dcbfae034e78b3d3bd32b896dc87
SHA512 717bc302441c72f2ba758a5964470ba06102101d1df60c08fc47a9753f3291094c65704018b4b0b9a0b368ba1bba4e9a9fb65bef0ebf5bcff63152ebf8cf227f

C:\Windows\System\qbvkORx.exe

MD5 2cfcf45885227798c2530eea864b1213
SHA1 5c80f98780575dcfb37c4565f6819be71c108df0
SHA256 8d1b8aba504eb3e10c1b183ea1863214ad54df6dd796ab3753aa9d9524fbc4f6
SHA512 a50f0674a14dfda7b2de12637b60d1b79b485af95d8cd31a4912609d7a727d8dc275fed8cc5ce2daef0a2d8d7f56d92d755e8092b52ca67064548b6f91118ecc

memory/5048-24-0x00007FF69DC00000-0x00007FF69DF54000-memory.dmp

C:\Windows\System\jMhVfyJ.exe

MD5 b5b4bc68d21b20ebed3874141e905e63
SHA1 9754c4e62cf542e2783af2f0d063e995d790740e
SHA256 1591e716a58234160290e090c5980980a4c09669128cc58a7fcba91a5f77e30d
SHA512 c6ea349d069a342d4ff9e61f6d3cce090ecf73ad3365adcee1d622abd60ed31596b9d18501ef8c6e220426762b43671a92460a4007670cf508e70a851b861263

memory/1760-66-0x00007FF7A91D0000-0x00007FF7A9524000-memory.dmp

memory/1812-62-0x00007FF756630000-0x00007FF756984000-memory.dmp

C:\Windows\System\RvMXjjB.exe

MD5 f0b066d94b3ebd5b6737f731a2152068
SHA1 4d002b5d1e0e83c7f71843e4c3718dd4567dde32
SHA256 68e991d2075c2a442abf4642bf83644ebb55fa7975e91185a3ac00cc09c13571
SHA512 487ffeb99c121214e06dfe2cad48d8697c5707586f5ffc3e3fdc3cff0dcff18a7a972a962b56b7d19bb5909c09f50cb35cef88ea1de7fb6bca340eaf2dce86e9

C:\Windows\System\sBUbJKo.exe

MD5 4051900e5eabc16b5c160fac6ee83fc4
SHA1 9f7f37edfe747724d0d4b73776631197e5549e04
SHA256 d9dbd8372b0245f50fc6f6e26664581979368773eda94ae0fbdbf5d5ded4ea80
SHA512 c3405e509548a23d76fede6a22b05e1a51a1cb1a41e87788125758b6f41861c1141aa685c7bb979ded4c68919a73b0664948eb1196338385426ab31f4e427ef6

C:\Windows\System\cBMWTQv.exe

MD5 9181ef246b534a3fc8cb7f17bbacb44d
SHA1 42793995cf35f73bec58f260819145500d92f973
SHA256 eefe94abc78d0733d1f179ba17a340937c0208113ebfc0c8cc0227af578fc66a
SHA512 f73088503ba2d1334ce3360700fd9331280214e99d7496859963abab82cbadb55c521dcb7922a90ba6a119f996dee91f5e0f4c89d20624a25aa4ad5884d9c081

C:\Windows\System\JHhmkwl.exe

MD5 3bcd5b8b960d0cf77a6d135bc70bb7a6
SHA1 cdb77a96fc4d2710cec5d82a8864927ce93448bf
SHA256 53db796b42b56270f256b10f88e1107f8e9097d259dacff52af416c25302ea14
SHA512 9d9bf215d5d645e0a613e1604917c26f890cada8addd9b15a47ce27385246c8bfd6cec166359782f139aceb2ab0cce42588e3d8bf0db72e35ce08bd5b63cdec7

memory/3792-82-0x00007FF6E38D0000-0x00007FF6E3C24000-memory.dmp

C:\Windows\System\zmuhSMF.exe

MD5 fb0f5ccd507b0ecc24e749cf3d040119
SHA1 d078c09c244c5e01c12dbff8327556dae06086e8
SHA256 cc706dc76fc8e30443f981a7265bcce857c5f1a86898a91dc6664563c72f1942
SHA512 caaed998ed36ec933287ab9624c80d8caab61a154a4cdf5c37aa16fa4f6d9d6e8ba95cb8ad2ec77d3c23baff2f488354637d3ec06d57864c0f62c86f9b90a05e

memory/4852-89-0x00007FF6541B0000-0x00007FF654504000-memory.dmp

memory/1996-91-0x00007FF6983F0000-0x00007FF698744000-memory.dmp

memory/1780-88-0x00007FF646A70000-0x00007FF646DC4000-memory.dmp

memory/2964-84-0x00007FF64F350000-0x00007FF64F6A4000-memory.dmp

C:\Windows\System\kLQhPVZ.exe

MD5 1167686d8d2e862741b37ccb1b7e771f
SHA1 789ceba1231bc1b44f1d9dadb1b9e5e9cb26c6f8
SHA256 050f3cd0b60a657cd1fc1fc8ca730f0821765c7bf848b6e4225263e4fa45685e
SHA512 f664549a6f871b43ef6dd1e6ee095596a96178184088df10db56d10631e48df0df4d7bee9d3af2e49e94ab095ebd966170be878387940c7040f0d8ce0f2398c8

C:\Windows\System\PGNAHKl.exe

MD5 dbc708ac9956929315715d4de22ec3f4
SHA1 737ea857291764e45de8e2bac5bd16ef52057a65
SHA256 83ec793258c09a5524902fe0d69e9e5a72f8ccfea9918c2347d9f39b5c97b8ad
SHA512 1ed58c19e1f72bb5dff664cb42aa7763145e0f6b70a45e3efb2b0fae7af683d21a843a8ba1b7199fdd2cd5e2ffc04d2997b636c4e93ba43d0a5ade15739d85de

C:\Windows\System\eZjpsZR.exe

MD5 4aed3f0a28ca8509a40824fd3ff99733
SHA1 239375c5d005075ba7411001c0b3a0b4b04d50a2
SHA256 125a16ee74c56755699d1d3e33165c59cc539fb91d730a165aff5a91b89069b3
SHA512 85d0eab531ecdbeb051ff5131b5521587008de90238d6a9cb7dc2f0f7e1dcca3381bc7ad57a375c9e7f825cdf1323b0a6605c1d934c6c662217b909d1800abc4

C:\Windows\System\gXjrjLB.exe

MD5 5b7e391f9c094b162b64c430558bf269
SHA1 ba0b2bb68d6b91cd2bb848589e10a78b911fca4d
SHA256 71ef0ba569e3067068ba01864a7b3b91b07b9756de971738330dbd72e0d4b774
SHA512 3fd818bf15312f8c3e9e52e2326014fb9f2ea4cc77350ea949d321cb8a4cb99a6bc91150b4ee4645d775a87949647ef2fa07cf7cbdcd07999682406e5feb8dfa

C:\Windows\System\CEeEQkU.exe

MD5 d56136d74f395000372fdf025e878197
SHA1 7c87821180906388f220e2c219c4e3d2b23c1732
SHA256 b33200dd25150db676ba8d660c757738507aa636173e9592e8a32e0010735fb1
SHA512 aa98b08051893311806dccdf1a800a33902eb16bf378af523e4a5e10fce1a4524819ef5dbe5d336e50cee5b78bd8d7dc3bac319f3cef8da38ee84fd5917ac215

C:\Windows\System\IBEvdHZ.exe

MD5 12d5bc2db6703abccc620539c963c203
SHA1 10d79902e6ebf991d19b748bb3ac912d451dac09
SHA256 ca86008ecabeda5c9cef9b34cd986a44070482f416b946f0f536e9eb4395d298
SHA512 9511c7102b191a2a2aedfaec70215b2a95cbc620f7ae426ded3d5f447ec3dca6a28a7ca1009950dbb042c36515075b5f80947baff0e6fb073250e9ea83d019df

memory/4240-117-0x00007FF7DC700000-0x00007FF7DCA54000-memory.dmp

memory/4864-110-0x00007FF64DD70000-0x00007FF64E0C4000-memory.dmp

memory/3272-107-0x00007FF637F80000-0x00007FF6382D4000-memory.dmp

memory/2324-105-0x00007FF736D40000-0x00007FF737094000-memory.dmp

memory/2416-101-0x00007FF6BEAD0000-0x00007FF6BEE24000-memory.dmp

memory/5048-130-0x00007FF69DC00000-0x00007FF69DF54000-memory.dmp

memory/3404-131-0x00007FF68C310000-0x00007FF68C664000-memory.dmp

memory/4844-132-0x00007FF6D2080000-0x00007FF6D23D4000-memory.dmp

memory/3724-129-0x00007FF6947C0000-0x00007FF694B14000-memory.dmp

memory/1192-97-0x00007FF7F6AC0000-0x00007FF7F6E14000-memory.dmp

memory/3092-133-0x00007FF650B40000-0x00007FF650E94000-memory.dmp

memory/1780-135-0x00007FF646A70000-0x00007FF646DC4000-memory.dmp

memory/1760-134-0x00007FF7A91D0000-0x00007FF7A9524000-memory.dmp

memory/1996-136-0x00007FF6983F0000-0x00007FF698744000-memory.dmp

memory/2324-137-0x00007FF736D40000-0x00007FF737094000-memory.dmp

memory/4240-139-0x00007FF7DC700000-0x00007FF7DCA54000-memory.dmp

memory/4864-138-0x00007FF64DD70000-0x00007FF64E0C4000-memory.dmp

memory/1192-140-0x00007FF7F6AC0000-0x00007FF7F6E14000-memory.dmp

memory/2416-141-0x00007FF6BEAD0000-0x00007FF6BEE24000-memory.dmp

memory/5092-144-0x00007FF788200000-0x00007FF788554000-memory.dmp

memory/4580-145-0x00007FF7E1990000-0x00007FF7E1CE4000-memory.dmp

memory/5048-143-0x00007FF69DC00000-0x00007FF69DF54000-memory.dmp

memory/4152-146-0x00007FF7B8B40000-0x00007FF7B8E94000-memory.dmp

memory/3272-142-0x00007FF637F80000-0x00007FF6382D4000-memory.dmp

memory/3864-147-0x00007FF6664B0000-0x00007FF666804000-memory.dmp

memory/3092-148-0x00007FF650B40000-0x00007FF650E94000-memory.dmp

memory/1812-149-0x00007FF756630000-0x00007FF756984000-memory.dmp

memory/1760-150-0x00007FF7A91D0000-0x00007FF7A9524000-memory.dmp

memory/3792-151-0x00007FF6E38D0000-0x00007FF6E3C24000-memory.dmp

memory/2964-152-0x00007FF64F350000-0x00007FF64F6A4000-memory.dmp

memory/1780-153-0x00007FF646A70000-0x00007FF646DC4000-memory.dmp

memory/1996-154-0x00007FF6983F0000-0x00007FF698744000-memory.dmp

memory/4864-155-0x00007FF64DD70000-0x00007FF64E0C4000-memory.dmp

memory/2324-156-0x00007FF736D40000-0x00007FF737094000-memory.dmp

memory/3724-160-0x00007FF6947C0000-0x00007FF694B14000-memory.dmp

memory/4844-159-0x00007FF6D2080000-0x00007FF6D23D4000-memory.dmp

memory/3404-158-0x00007FF68C310000-0x00007FF68C664000-memory.dmp

memory/4240-157-0x00007FF7DC700000-0x00007FF7DCA54000-memory.dmp