Malware Analysis Report

2024-10-16 03:08

Sample ID 240608-fdvy2shb6x
Target 2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike
SHA256 71209aafe39d92bcb0cfa9b3ca7dfc3962622f887c481bb98d9648c4afae54eb
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

71209aafe39d92bcb0cfa9b3ca7dfc3962622f887c481bb98d9648c4afae54eb

Threat Level: Known bad

The file 2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

xmrig

Cobaltstrike

Cobaltstrike family

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 04:46

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 04:45

Reported

2024-06-08 04:48

Platform

win7-20240221-en

Max time kernel

141s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\XmocJMB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sLETzhg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HwhQnjA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pJaOtiE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kXaDhbd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hXoCyfi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XuCNTGK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SUqcqKY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iqPIDPS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vBPWSEC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EYJbJwl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dOALRYo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BlsPPlm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RBeVSsT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BWmjEaS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NxMJnzb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jNsVUEd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LEJJGNu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OyMMgcn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oddxNcS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WGomaVj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2076 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\BWmjEaS.exe
PID 2076 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\BWmjEaS.exe
PID 2076 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\BWmjEaS.exe
PID 2076 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\NxMJnzb.exe
PID 2076 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\NxMJnzb.exe
PID 2076 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\NxMJnzb.exe
PID 2076 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\iqPIDPS.exe
PID 2076 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\iqPIDPS.exe
PID 2076 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\iqPIDPS.exe
PID 2076 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\oddxNcS.exe
PID 2076 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\oddxNcS.exe
PID 2076 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\oddxNcS.exe
PID 2076 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\vBPWSEC.exe
PID 2076 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\vBPWSEC.exe
PID 2076 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\vBPWSEC.exe
PID 2076 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\EYJbJwl.exe
PID 2076 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\EYJbJwl.exe
PID 2076 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\EYJbJwl.exe
PID 2076 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\jNsVUEd.exe
PID 2076 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\jNsVUEd.exe
PID 2076 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\jNsVUEd.exe
PID 2076 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\dOALRYo.exe
PID 2076 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\dOALRYo.exe
PID 2076 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\dOALRYo.exe
PID 2076 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\BlsPPlm.exe
PID 2076 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\BlsPPlm.exe
PID 2076 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\BlsPPlm.exe
PID 2076 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmocJMB.exe
PID 2076 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmocJMB.exe
PID 2076 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmocJMB.exe
PID 2076 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\LEJJGNu.exe
PID 2076 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\LEJJGNu.exe
PID 2076 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\LEJJGNu.exe
PID 2076 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\hXoCyfi.exe
PID 2076 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\hXoCyfi.exe
PID 2076 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\hXoCyfi.exe
PID 2076 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\sLETzhg.exe
PID 2076 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\sLETzhg.exe
PID 2076 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\sLETzhg.exe
PID 2076 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\HwhQnjA.exe
PID 2076 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\HwhQnjA.exe
PID 2076 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\HwhQnjA.exe
PID 2076 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\XuCNTGK.exe
PID 2076 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\XuCNTGK.exe
PID 2076 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\XuCNTGK.exe
PID 2076 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\SUqcqKY.exe
PID 2076 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\SUqcqKY.exe
PID 2076 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\SUqcqKY.exe
PID 2076 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\OyMMgcn.exe
PID 2076 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\OyMMgcn.exe
PID 2076 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\OyMMgcn.exe
PID 2076 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\pJaOtiE.exe
PID 2076 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\pJaOtiE.exe
PID 2076 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\pJaOtiE.exe
PID 2076 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\WGomaVj.exe
PID 2076 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\WGomaVj.exe
PID 2076 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\WGomaVj.exe
PID 2076 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXaDhbd.exe
PID 2076 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXaDhbd.exe
PID 2076 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\kXaDhbd.exe
PID 2076 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\RBeVSsT.exe
PID 2076 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\RBeVSsT.exe
PID 2076 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\RBeVSsT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\BWmjEaS.exe

C:\Windows\System\BWmjEaS.exe

C:\Windows\System\NxMJnzb.exe

C:\Windows\System\NxMJnzb.exe

C:\Windows\System\iqPIDPS.exe

C:\Windows\System\iqPIDPS.exe

C:\Windows\System\oddxNcS.exe

C:\Windows\System\oddxNcS.exe

C:\Windows\System\vBPWSEC.exe

C:\Windows\System\vBPWSEC.exe

C:\Windows\System\EYJbJwl.exe

C:\Windows\System\EYJbJwl.exe

C:\Windows\System\jNsVUEd.exe

C:\Windows\System\jNsVUEd.exe

C:\Windows\System\dOALRYo.exe

C:\Windows\System\dOALRYo.exe

C:\Windows\System\BlsPPlm.exe

C:\Windows\System\BlsPPlm.exe

C:\Windows\System\XmocJMB.exe

C:\Windows\System\XmocJMB.exe

C:\Windows\System\LEJJGNu.exe

C:\Windows\System\LEJJGNu.exe

C:\Windows\System\hXoCyfi.exe

C:\Windows\System\hXoCyfi.exe

C:\Windows\System\sLETzhg.exe

C:\Windows\System\sLETzhg.exe

C:\Windows\System\HwhQnjA.exe

C:\Windows\System\HwhQnjA.exe

C:\Windows\System\XuCNTGK.exe

C:\Windows\System\XuCNTGK.exe

C:\Windows\System\SUqcqKY.exe

C:\Windows\System\SUqcqKY.exe

C:\Windows\System\OyMMgcn.exe

C:\Windows\System\OyMMgcn.exe

C:\Windows\System\pJaOtiE.exe

C:\Windows\System\pJaOtiE.exe

C:\Windows\System\WGomaVj.exe

C:\Windows\System\WGomaVj.exe

C:\Windows\System\kXaDhbd.exe

C:\Windows\System\kXaDhbd.exe

C:\Windows\System\RBeVSsT.exe

C:\Windows\System\RBeVSsT.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2076-0-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2076-1-0x0000000000180000-0x0000000000190000-memory.dmp

\Windows\system\NxMJnzb.exe

MD5 f109803ed05a79da20baf494318c917a
SHA1 c3a06eb4ac55b7e498fed37d4cf6be528464ca7e
SHA256 c66b2388d10eba788f5fc5e3fc7ba3d6d4ac28d7e2d7bfcca64c7a77f3acc383
SHA512 d3dc2a34956045168ac59806d0ef26cdb1e5e99fa92dc8febf8d8cda09c8261fd522b26ba0914cf91769d4f398df92d086fb5dd19a602d1ae507373be6333ec8

memory/2076-11-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2076-13-0x0000000002330000-0x0000000002684000-memory.dmp

memory/2308-12-0x000000013F730000-0x000000013FA84000-memory.dmp

C:\Windows\system\BWmjEaS.exe

MD5 9f9b9f68f108c17c3e1020df552a018d
SHA1 256e21b9500200d41ff6e9ed2cfcd3e677dcb769
SHA256 b39f6e0fa62a8defe87f84668aa5d38207dfcfb7fc59364218e9b8e470dad114
SHA512 d1d4e250306fc09f497bae2a775475772025c031208cc2e5dcf36400ca0d688f0ba8ee5682b91a6ebc1a212230e30e534d22f6373e0564cda58f4cd23cbdc6a7

C:\Windows\system\iqPIDPS.exe

MD5 a16484668fa34722f42e52cdc124ae4f
SHA1 4e7040f71ad9ee5b45b09f840a14cf7d1ad77266
SHA256 3e0cd3317bce00ed2bac9962ed968efec531e085fd6f83f6d7c7155d5649cad0
SHA512 4acc3f484363e20823c84596ccecb9b9ddace4970a41db868249b3c8975f28e9ae5118f69d58a644e39aaf4c9eed80d4ab6055e48b3f21397a7b69423bb61478

\Windows\system\oddxNcS.exe

MD5 6be588e76313787d6c46b08850f8b795
SHA1 1ef84bbb6511c3c75a6194624e39713074613f2f
SHA256 71b65dda3a5921ad7f843050d1d54f60d0a873cb71675b586f973a63552af405
SHA512 65a3012f1961ad5977eab2351231f8fe7036dd2360e3df8a37e6de549d5a3282d1e4d1324f57fff5b87f3a36f67b25dfadb06bc60955cc347505cd17d22e19bc

C:\Windows\system\vBPWSEC.exe

MD5 7f403972a1a01f2a1dde73ecf5e0e15b
SHA1 58e2c028e04402cc64bd4c716b4793ab6c1b1d95
SHA256 ee3b6e168a4e11ea08058339f26cf52f65f64b1a5f4d819a2f470992c1f216bc
SHA512 62f38f523e726ea2fc3f7b56672c22ade02459cb31b385eb90ea9b1a3735158cbd941382336c85607fe880fa47de35fd86c0aca6e722c1b4a8436095297d7d21

C:\Windows\system\BlsPPlm.exe

MD5 11d91ef09b27f31bca692f723cce2e01
SHA1 8d55f0161b6c520647e934ba89b0c160a25d4f9b
SHA256 a74539033cf6b7ec77eb424fa22fb1da376211703819e1c9d636d09f8fc6e1c3
SHA512 f58483a338355fbb41442a71a2030d47b23a4a9a797048550f889172b878b95fe663ee8057156a4dc5d14a927656d55bb98b74a846943862116221bb01b139a0

C:\Windows\system\SUqcqKY.exe

MD5 c482aaf068262092b525561edec99281
SHA1 0bfb3b9c49a202aa1be811833e24531cc11a5d00
SHA256 307716138da2c760150120827692c31c8c6323336be2f9a849705d2ace0ea432
SHA512 aecd6595f77ea290f48b377382777f86573032df73e7a5385263565348f4ade917469af377d354701519598d2f960209be17858222885f4de6928cac1cbdcfb3

C:\Windows\system\WGomaVj.exe

MD5 a2b2377764f16720e9144acfa09bac44
SHA1 e08e38ee78f087811d5302134a797fe844c8ed1d
SHA256 adf36e2457579ea07a9a56f5f56d01544292d2768aee5d2e5aa56560e6065fda
SHA512 f151231ad0ad2b23d0898af8e15738f272e084365805a4cce74df24d68c943d683b8e9ee0b538f511fc3c79f47f0926b05fdc9ed36f7688714904dc16bcaf358

\Windows\system\RBeVSsT.exe

MD5 df551b99fe1cd373b6adb5ae7444cd4e
SHA1 b78d007b6e880afa0f9b253b2c94d22b501348f5
SHA256 e9d04ee1538a8f16916c76feee485e76830da323e2af7f452f2080e22a91aa01
SHA512 bfe27ef83df99f44c70f8d4a06bd5108f76a1c1701af3ff024e5920de6d7a4507de7d15282915d95531b7450dd594b61315c0cf11941aed14ad0b6e6c218c75e

C:\Windows\system\kXaDhbd.exe

MD5 8ed7d2640030c9c33be20ff45f6e2606
SHA1 3d7d80f949b97bc0a0a1e31a832ad163fb1ee436
SHA256 d72d8dd3382123efa21f7bd103703704c3511c74d428fb05307d23cbb83e23e4
SHA512 4045f43bf3f3683972744d67e9763995128fc25de9e8fdb9bf653f1b534a7bf6b74b357954344854854742f3057334e6c16994d0daa65b6a9771ebb66c229e9c

C:\Windows\system\pJaOtiE.exe

MD5 8a2b9dba697f53c95ed193cbb29a4a2f
SHA1 51683b0724e47113305aa214d0a97842bd368ea1
SHA256 f87dd941667a1839cdd84564948230b18f169651eeabf23153a361cd610356a7
SHA512 4391ebc3e3ca2e9f6e0d14a0b9e666b74c6816ea21b7b014d7e3caa44fa61ae23c6d8ee52e74e1a5a42f824c4b563515f5de3b6801b6333c4c4423aa7e41f3fb

memory/2172-90-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

C:\Windows\system\OyMMgcn.exe

MD5 2f104183502db3361fd9add35957ceef
SHA1 40f0333306e357077cea272d287e239ec1b5cf98
SHA256 fdc77e92f9fac155192d5164fb6d648414a27717c588f40499815e6ecc34f75a
SHA512 d914cc3e1e6878674e55def936735bb6ed3e164cace9be84a0d0d7383b61d1bdb8876b440117d23eed74d49d7182c542faca7047e2175bd77e54c20c42de8035

C:\Windows\system\XuCNTGK.exe

MD5 cee59e7d10781f9d24fd2a9a44eb0795
SHA1 d82cf717985da496de39aaa6e1a448e5f028cbbf
SHA256 e7865d5fdcbc8540056b603a1000f4655ca5b6cd070466c36332f3309cf10b46
SHA512 c96e13f4947db2dd869d74af1ae9c51ecf8d62a50ff3465a2f8ea1bde42f1cfac724916644659d245d72a95fc2e896c8c5c365a4a530318844ea1caec328f715

C:\Windows\system\HwhQnjA.exe

MD5 ce4c0cb6c8a8c28bbbc21178066a1d5f
SHA1 f6dce32585b317cbdf661988d788f5d56809daf0
SHA256 7b378652d67e345c389601454feb85cb002fef115f153a5e9f1cd401a3f5442b
SHA512 fa70f03358f68a7bee0b3f467a086dd3dcb6d558bc8421d2e3e83e674a7e0279f0afba0ae38070f57097d53f9e634d878d570bba7381509714cbb319092587d6

C:\Windows\system\sLETzhg.exe

MD5 bec319a208b9826fa4bb6a2520d2afff
SHA1 8947aaf1d0059e5843ad050df0d760a6091d61e9
SHA256 91104a1367603b4da9f7040d5ba3c55bd8f5df13e25730463ed2b9cb0dd0ab2e
SHA512 ef95db76b8de87415c7d83828352a512027beaaac2044ca155676b3a3ca5cd9d782218b7dbab2d7f381465e206035be82a5579a878511af29da58013b63082dd

C:\Windows\system\hXoCyfi.exe

MD5 87f7209bbb4e01aaac6cac281eb71740
SHA1 04080809b4bc81b51f816d57c68540b262e95d77
SHA256 e76481084a43bdd5213d7c1d4d18a8dc6e3f8f38434f6668cccb98d96691cc9d
SHA512 c43d9cb5ef610ef24e62e1a6d03b76d2ff13f92202d97b8d209d83f72f9e70b4364189da599f2922fd629d87e381bfdf264c46f8713f0631511209ebe4578713

C:\Windows\system\LEJJGNu.exe

MD5 5977ede5247067f65190930040e9457f
SHA1 6c44f4f7615de2813477415dc8110cf5f8c8c6c9
SHA256 30a832b1758c5b7bd36ae9386c18d7fe4eb97d9a2f5aa00f897fd3e7490ac7a9
SHA512 2251b907c66e7a85d6bcb9870c8e9bed925edc74c7a2382f0c97bc7b60bce93aa63c573aba72ea1d50f3da351522cacee4763b3ffded74d354fccc1cfafc6305

C:\Windows\system\XmocJMB.exe

MD5 6fed57db65ff83417798aec8eaf3fff2
SHA1 1008da209f1bb1b59d640a195f78b011be08ed0a
SHA256 880bafb4ab59c3afd37c3fa0760e30669b52cc66956733918a503d0dbd1b1419
SHA512 582114a48bc67db8bdfd47520ad88c1eaff68d6d267fdaf653ee3455036c5d9a2981521b3344265c82c2739c6282dd5be933c61b2b4fe986b0607750ec011334

C:\Windows\system\dOALRYo.exe

MD5 3af43d2c01a52374946d296605b3e6a5
SHA1 d054d01a48170b61a155c46e2a215337cfe62fd0
SHA256 fcb0c0674372a81cb35e2519f4c10bd88862f4374899f7ee473abc464cb5dd03
SHA512 c48a734a3077901ba0706245a74f2855f0d484b2d7e1fa5f1fd905d8e982fb572dbbb5b1b9d9620ef31d86fe7cd705594d97080e8fd13d2adff10b3f22e666c9

C:\Windows\system\jNsVUEd.exe

MD5 817bfeea52b53ed4b56ad8643d98449e
SHA1 e94b8f0fe7f35ff0c41f90a26687bcdfb15f492c
SHA256 548435b912b9a06907c49ae1e90dfba4ea689145357de171fb21cc16d063975a
SHA512 bd9ddc3b81428ed8fe6d1f0f30c60adccc201e1a2208870c9838cc8a37ebd3b57ce5d254d3a8f0126c55fdab403a558c43f5b781545d50cfd0d6860ab454ea64

C:\Windows\system\EYJbJwl.exe

MD5 93f5ccb4b45463a7877a6782c76dbbcf
SHA1 aa3f810b6d3d9c53f534d29e358648d6b1eb1523
SHA256 c92c078c0db1a24d62b5023f22f2a2c5468420c86dca6f5966f8787d636051d2
SHA512 ad9f93974d0c1569099973acd936869b1cbfff3a7d71f5eb8569557d46605ffb1abec3d3013e3e250ef1282bda0b3371d405d6388f16f46c057c06b34c8be2f7

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 04:45

Reported

2024-06-08 04:48

Platform

win10v2004-20240508-en

Max time kernel

137s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lgoZbCR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ymJElAa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OdrnsAh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\faSbweA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CPfnvXZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZcDkcOc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zzgdmEP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\osdsLaz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JpKYbbV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tOSKlPm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hxtLKws.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\frblhEl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sNvOlJy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yxyVKGH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dmshkeY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FHWyTpC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CGGPUOT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zBAAiUk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DLfLAIZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lDoHXcv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YORPPsa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\ymJElAa.exe
PID 1692 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\ymJElAa.exe
PID 1692 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\tOSKlPm.exe
PID 1692 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\tOSKlPm.exe
PID 1692 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\zzgdmEP.exe
PID 1692 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\zzgdmEP.exe
PID 1692 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\OdrnsAh.exe
PID 1692 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\OdrnsAh.exe
PID 1692 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\faSbweA.exe
PID 1692 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\faSbweA.exe
PID 1692 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\CPfnvXZ.exe
PID 1692 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\CPfnvXZ.exe
PID 1692 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZcDkcOc.exe
PID 1692 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZcDkcOc.exe
PID 1692 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\CGGPUOT.exe
PID 1692 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\CGGPUOT.exe
PID 1692 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\zBAAiUk.exe
PID 1692 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\zBAAiUk.exe
PID 1692 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\DLfLAIZ.exe
PID 1692 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\DLfLAIZ.exe
PID 1692 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\osdsLaz.exe
PID 1692 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\osdsLaz.exe
PID 1692 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\hxtLKws.exe
PID 1692 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\hxtLKws.exe
PID 1692 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\lDoHXcv.exe
PID 1692 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\lDoHXcv.exe
PID 1692 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\frblhEl.exe
PID 1692 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\frblhEl.exe
PID 1692 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\YORPPsa.exe
PID 1692 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\YORPPsa.exe
PID 1692 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\JpKYbbV.exe
PID 1692 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\JpKYbbV.exe
PID 1692 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\yxyVKGH.exe
PID 1692 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\yxyVKGH.exe
PID 1692 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\sNvOlJy.exe
PID 1692 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\sNvOlJy.exe
PID 1692 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\lgoZbCR.exe
PID 1692 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\lgoZbCR.exe
PID 1692 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\dmshkeY.exe
PID 1692 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\dmshkeY.exe
PID 1692 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\FHWyTpC.exe
PID 1692 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe C:\Windows\System\FHWyTpC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_47fa911f91bddd7fb796d06bdb240184_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ymJElAa.exe

C:\Windows\System\ymJElAa.exe

C:\Windows\System\tOSKlPm.exe

C:\Windows\System\tOSKlPm.exe

C:\Windows\System\zzgdmEP.exe

C:\Windows\System\zzgdmEP.exe

C:\Windows\System\OdrnsAh.exe

C:\Windows\System\OdrnsAh.exe

C:\Windows\System\faSbweA.exe

C:\Windows\System\faSbweA.exe

C:\Windows\System\CPfnvXZ.exe

C:\Windows\System\CPfnvXZ.exe

C:\Windows\System\ZcDkcOc.exe

C:\Windows\System\ZcDkcOc.exe

C:\Windows\System\CGGPUOT.exe

C:\Windows\System\CGGPUOT.exe

C:\Windows\System\zBAAiUk.exe

C:\Windows\System\zBAAiUk.exe

C:\Windows\System\DLfLAIZ.exe

C:\Windows\System\DLfLAIZ.exe

C:\Windows\System\osdsLaz.exe

C:\Windows\System\osdsLaz.exe

C:\Windows\System\hxtLKws.exe

C:\Windows\System\hxtLKws.exe

C:\Windows\System\lDoHXcv.exe

C:\Windows\System\lDoHXcv.exe

C:\Windows\System\frblhEl.exe

C:\Windows\System\frblhEl.exe

C:\Windows\System\YORPPsa.exe

C:\Windows\System\YORPPsa.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2700,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=3644 /prefetch:8

C:\Windows\System\JpKYbbV.exe

C:\Windows\System\JpKYbbV.exe

C:\Windows\System\yxyVKGH.exe

C:\Windows\System\yxyVKGH.exe

C:\Windows\System\sNvOlJy.exe

C:\Windows\System\sNvOlJy.exe

C:\Windows\System\lgoZbCR.exe

C:\Windows\System\lgoZbCR.exe

C:\Windows\System\dmshkeY.exe

C:\Windows\System\dmshkeY.exe

C:\Windows\System\FHWyTpC.exe

C:\Windows\System\FHWyTpC.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1692-0-0x00007FF637F10000-0x00007FF638264000-memory.dmp

memory/1692-1-0x000001BBB2B60000-0x000001BBB2B70000-memory.dmp

C:\Windows\System\ymJElAa.exe

MD5 3db5144f55b72b29bc52e06677ecf256
SHA1 29c5623cb7e96cd314af708485b8c46a37d85160
SHA256 1ab1ecf4af95635557246b1986d45eeb514b9d604653b06e3ca41196286e503a
SHA512 0a9eaec7abb4870bb1b7abf4f53d197b0529c45aa7653403ea5ac809c58a1dc3442dc1981074a652ff0c0cf6253eb966b54131403027cc98da8ab6cabe2f9632

memory/1036-7-0x00007FF737500000-0x00007FF737854000-memory.dmp

C:\Windows\System\zzgdmEP.exe

MD5 4bc6304f36df7c649e34a4f0df1c36f6
SHA1 3aaaa99c61cb51f8a7c3e7da5fb8bda0390af646
SHA256 866d60b66547c852c27dc5c806274c4eb8c1e00ef83b8dc39fdf2fbfdaf79f95
SHA512 14865653b27ac4a797d7ef42eb158b494853335f59504d1a2f49cf0b23ae048d7fe41044af281928f4cb26f5f6d0dbe295aa1395287ba90b8a043692d894b4ee

C:\Windows\System\tOSKlPm.exe

MD5 e59e87e6eb40f44d4273f8ca2cd4d579
SHA1 24bd9f5969ddf7ae31a9ccf9ef924f50c9d2b374
SHA256 e810a7304a0451d2c9c7c9df19150bbb39c8adc3d7af01bc1ec251e47ba2558c
SHA512 04edfb05cfd6ea9523121e4b826923c3b3443d22f4310d7770f9d80d079cd0f2b54dce45eb4bc00fa64cb4177433c29dc9f16e5009232d365fed8db41b663306

memory/1720-14-0x00007FF669F00000-0x00007FF66A254000-memory.dmp

C:\Windows\System\OdrnsAh.exe

MD5 d3a1f18a802f0ac18c6cc751a01528ca
SHA1 ad3c56a0d46da50245e0b3c2cb06127df0404581
SHA256 8e53780a9bd31b08b1f681753c5f362e757ea8f9abcae1056807686bb220e241
SHA512 b76d78f0a119b1c0e2d2a42d40da8081ceb2a3a15ae90df64e7223201ea711fef55d41939a404908a0d2c38389c236021bcd4b9b08b390b87ca9a7fb5cbc8f5e

memory/3940-26-0x00007FF6E3930000-0x00007FF6E3C84000-memory.dmp

memory/3900-18-0x00007FF7544D0000-0x00007FF754824000-memory.dmp

C:\Windows\System\faSbweA.exe

MD5 cca30bc902364fedb3f85c9af854110e
SHA1 a3a4c3e4a46dffa83deaeae1afc0bf523a618c9a
SHA256 5024a36d3ef9fa01f975b9ee005088807eadf2da15342b6562fd65ca56d11047
SHA512 0a0c07c8a3e5d86352d0e601e6d411e43cdb81e6e7d99716818df8efb45cd0b6f93a1a67730d03d0521da19fc8fbf03fbd9ffe667a631ecb9d5cfbfa087b8331

memory/3612-34-0x00007FF7F7B80000-0x00007FF7F7ED4000-memory.dmp

C:\Windows\System\ZcDkcOc.exe

MD5 093452cc701d537d5e0636ef396c34f6
SHA1 1d8af20edd4e5d584944ea83cddc41e1033b128a
SHA256 d6aaad07d279d94c102fe730e0b92ace8ebc03aa76e8d3a27e2ae9662d00feac
SHA512 09ac65d18fb45274fb375a23cbd31d6cb3a0b5d4617aaa8f96f0f688a1ed8891f709844a70294297c51f11d7dab059b1fe5d92e4d701efbdd05a2b30e9e96d3d

C:\Windows\System\CPfnvXZ.exe

MD5 bb4e0fca22dca14a09886cc3f4486f89
SHA1 9100f4c9679e82c2f5b7efb248eea17567f9c401
SHA256 d1d1fd60cda142160928852c3a62549b931b3b2185a48c7d058e7f967c39cfb0
SHA512 85e1bd7b39cf9efa76fdcb495d7ddec616e5671178a488f209539b5327b87013d3130597356da063b6cb3ff1ca6b5102671dbd80649e162a99cbf2ec3e06ad70

C:\Windows\System\zBAAiUk.exe

MD5 d8974aa5bf6a8f35cf5a8e4c031b757b
SHA1 d49c7372cc397639b92a20c606c7e22b70da6cee
SHA256 6b4d1e448535e911f132ab42c437c1b36b8dce8042f94a4ffe7e5623822da272
SHA512 b858ccb330eb79064978bb15cac53c01a51ff09c282fd8f77491cfb7bd220ad7930f292c4d2fba26ecea61af7db869f0d01244b14ea31a8aaee948be837aa4e5

memory/2396-59-0x00007FF782380000-0x00007FF7826D4000-memory.dmp

C:\Windows\System\osdsLaz.exe

MD5 13f3a188ab2bb731e551d06542b08bb3
SHA1 070e0bf8b2d1de310aad83598331671a621d8914
SHA256 0f7b5d5bea5b1c7f3906da77a4ebc1117993ea7daf5a4d8b84feffcd6a0d2e83
SHA512 c04efa702a353620fac4e5fe04c2dcc545dafae1b8d52f4f1503558f9c863d5fd15cc717b878cc1994a4c2dd0a75b83a0f906665ef593aa005017b945b4c7201

C:\Windows\System\DLfLAIZ.exe

MD5 14d9775facafef3c9edfd3159b1c0318
SHA1 1b3ea60dcf89539cb5566f245c0d6953d0e4b38b
SHA256 125f6ffdd54c51c69f5b893959b8377a3226af0e41e639c6982064b63f93d397
SHA512 abe2813b74744df3d12b0ea3ea9dfc943cc627c866995d8d386f6c657adbb84aa295f3d8e8d05834a8c1ab994254133c942dd2200b84b5dc945b3b19395418d4

C:\Windows\System\CGGPUOT.exe

MD5 2f674b9a28914513508c345b37f15910
SHA1 fb951ca45efc3486532d6eb997864514d1983434
SHA256 7dd432f7f24c2f24c7f46ca3b753929df067b6c09692edd8d1c32fe6882d0603
SHA512 bc2e499c784f6fb4a72c81a4c184bb10c1e1cf1cdc2975af5f045b7430e7f0d7b25cd4781384e0b18dfb79d1be778a8662a171948db1da66c41aa204c4f601ec

C:\Windows\System\hxtLKws.exe

MD5 310c669b19379983a4154293bb5bffc3
SHA1 288f7289f3137ef63e70c447ed959b01c151fcc7
SHA256 dd3faaccc5933e337168842869cb346f6b1d62ae10dbae90e43f4e2aabb5b9e5
SHA512 36ca9dda0eb1aca55d4303fbdf4c8f721f4388c7f8aa91c5b997a0e224cc0b298ad186f3eea3844c7797664eeef01cb18b7dd6a808278773aa7ad5088e5160c6

C:\Windows\System\lDoHXcv.exe

MD5 e9869d346a157063e427774fb28113b9
SHA1 04879f98f1fa70eec9370dcf9c4b2f78a296154d
SHA256 a675f71b4315bc8b129a49250bf6c1fd5362990be006a9afe90f9f294875cd40
SHA512 baa2b43f6b8cf13f4e33a414f98b267fd07ec437e71e5a3a3895219e8eda3847860ab1e266d9369ca1b5426857bed77fb118090d48634687590ed0df2af5017d

C:\Windows\System\frblhEl.exe

MD5 26282629d367ebee58f3375db844d21f
SHA1 264324a902ce1fe9cd201756f699536691418971
SHA256 92352385acfce3b5c75401d423ce19e19463ffdc7a669a52df4dbd50d4b5adee
SHA512 8166d0139ee600a5b9eae250dd30f97da4fa9dfabe15c65bed63757bedf747c809c035fb8276c6e411ed6cdecd4be980010e7ac8c38e29e7aa34ad1b6b0d96d3

C:\Windows\System\JpKYbbV.exe

MD5 dd42d05d9ef4fccdfb5a3bf321098a4a
SHA1 9cf150a9de9092221a41fdd6a1720ab29a68b42d
SHA256 8f8ad2d39ca42f3fb539b774bea743562f34d598823e730d29cd5e1355a7a9d0
SHA512 d1a3f8ccb5382cf1970623047a0c23c80b313b9b834d6b9c37cc3fd606ebddf56eea7120e78067f896dad7cca95629686b1a110832f91fd91e38f6b494fba5aa

memory/4296-97-0x00007FF6F8A00000-0x00007FF6F8D54000-memory.dmp

C:\Windows\System\YORPPsa.exe

MD5 babc3acb970dddd8cb4d20937a78cb1c
SHA1 588319d4e90846a87e1860888711876c29e173d6
SHA256 9d7e651cf643400c4ed770f9ee714615d5edbc39377af6411d86278b9e72d843
SHA512 292c449ee337e8cdbd47950981cba191925d2a4b6cf168b56d4ec2dec312997c580733778d4827774df997e789221780bb29e177ef2de380d1b0a8173b128769

memory/4108-89-0x00007FF77DE80000-0x00007FF77E1D4000-memory.dmp

memory/1648-103-0x00007FF6CB790000-0x00007FF6CBAE4000-memory.dmp

C:\Windows\System\sNvOlJy.exe

MD5 3c98dfb7a00748886a9fa916ce8a563c
SHA1 729b2e2f30cf445b229f8b9e198648a2291ca306
SHA256 345cb0e57c20ab9669e548bb2e248729ce96cc15a4eae78b7c7202185ff56af4
SHA512 09a44f2c16284eb67e32f49c15eb4e9b60ee6c07d71bc388c2641eca2ef1dffec3efbc532a0ec4659630d0ab55310ed26d8a72e1f473e010841560b912572fa2

C:\Windows\System\dmshkeY.exe

MD5 8a6821c88226c46787e591c1fb50177e
SHA1 eeee964c9f2915ffab56770da4b4226fa78d1bcc
SHA256 c0d3ec8db99125ecb4d11a04d8c86e33cd98969e7543aa769e6d908f60a50887
SHA512 8b2b27c4a4c8d6b6743029bb6a1b4e42b35e17744d24e72f61789356e9c3f63eefeae40cfb9b46bd4001269bd57a12e225fed78a4f1ab2a1abdc1052bdf12252

memory/732-125-0x00007FF756800000-0x00007FF756B54000-memory.dmp

C:\Windows\System\FHWyTpC.exe

MD5 552d7b531acad8a311a2cca14a967ea1
SHA1 ad70e2f6029b23c09e5655dbccf6397cc25efc5b
SHA256 9e32a7ae2561810413536ae3062c3cf55783896ffc121bd967e7d100dca0e3da
SHA512 cd8d9851e19f4cd182c3e97589aeb94cf9eb94ac8a0ac1965226fd1fb059b10e8566cd27f279d156303f2ecdd5103449444bb2e1472bed1a2cdd5c31ff7e3422

memory/2168-127-0x00007FF7435C0000-0x00007FF743914000-memory.dmp

memory/2396-122-0x00007FF782380000-0x00007FF7826D4000-memory.dmp

C:\Windows\System\lgoZbCR.exe

MD5 403d06d74ce4bb838d81ebdd20247eb6
SHA1 c005f99a09b4a076b208a74ea48dc36e7f60bbca
SHA256 53ccc9d8fec1335ded41b9874b1a2d1c35038832755f774c3971478292d583de
SHA512 93c3f1ad5c42b355e0525ffeb4abbd422ca43eb47b0cf5dfd51dd38ed601f8f1b926bb726f3bf8d2398f05cdebf1621554b016830153ca2231d841a58310de19

memory/2708-113-0x00007FF617230000-0x00007FF617584000-memory.dmp

memory/1620-112-0x00007FF7152D0000-0x00007FF715624000-memory.dmp

C:\Windows\System\yxyVKGH.exe

MD5 7ff257b502c198af93053799f65cb44a
SHA1 e76a8e228412f6525d9c47e393bc63b0be3531ab
SHA256 cfae498a16bf6100bb450d048af01ff9bedc323cae95819203775bd686887447
SHA512 d05c96f78af94193b5675ae4871fe6e6136902260e5b919802d6765fd660af556e3970684284575fb96af72743527e02a66c324bf0ce222bdd31dfd7b49e66a4
