Malware Analysis Report

2024-10-16 03:08

Sample ID 240608-jlylpabb78
Target 2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike
SHA256 20147b9edc885c96895744428ed52da490e918d709be6c29d730fe000b3ff64e
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

20147b9edc885c96895744428ed52da490e918d709be6c29d730fe000b3ff64e

Threat Level: Known bad

The file 2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

xmrig

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Cobaltstrike

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 07:46

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 07:46

Reported

2024-06-08 07:48

Platform

win7-20240221-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (55 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (58 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (55 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\rWxRKAw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WrOrdBj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FYncfZM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BTWhqkI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KpEYgfR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KtDNMKV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WdjGgGF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hmeMWem.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UqwPaha.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vnkVKcD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NllkwpZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xxSTrVe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EqYwwRD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DeVlfsU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TPrucFI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yodmDdV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JSmPjmL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HVQylBI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HiQnGVo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iYGKDJA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GGWCyOd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\rWxRKAw.exe
PID 1948 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\rWxRKAw.exe
PID 1948 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\rWxRKAw.exe
PID 1948 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\KtDNMKV.exe
PID 1948 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\KtDNMKV.exe
PID 1948 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\KtDNMKV.exe
PID 1948 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\WrOrdBj.exe
PID 1948 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\WrOrdBj.exe
PID 1948 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\WrOrdBj.exe
PID 1948 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\xxSTrVe.exe
PID 1948 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\xxSTrVe.exe
PID 1948 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\xxSTrVe.exe
PID 1948 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\WdjGgGF.exe
PID 1948 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\WdjGgGF.exe
PID 1948 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\WdjGgGF.exe
PID 1948 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\EqYwwRD.exe
PID 1948 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\EqYwwRD.exe
PID 1948 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\EqYwwRD.exe
PID 1948 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmeMWem.exe
PID 1948 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmeMWem.exe
PID 1948 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmeMWem.exe
PID 1948 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\UqwPaha.exe
PID 1948 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\UqwPaha.exe
PID 1948 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\UqwPaha.exe
PID 1948 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSmPjmL.exe
PID 1948 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSmPjmL.exe
PID 1948 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSmPjmL.exe
PID 1948 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\DeVlfsU.exe
PID 1948 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\DeVlfsU.exe
PID 1948 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\DeVlfsU.exe
PID 1948 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\FYncfZM.exe
PID 1948 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\FYncfZM.exe
PID 1948 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\FYncfZM.exe
PID 1948 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\TPrucFI.exe
PID 1948 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\TPrucFI.exe
PID 1948 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\TPrucFI.exe
PID 1948 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\BTWhqkI.exe
PID 1948 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\BTWhqkI.exe
PID 1948 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\BTWhqkI.exe
PID 1948 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\yodmDdV.exe
PID 1948 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\yodmDdV.exe
PID 1948 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\yodmDdV.exe
PID 1948 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\NllkwpZ.exe
PID 1948 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\NllkwpZ.exe
PID 1948 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\NllkwpZ.exe
PID 1948 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\vnkVKcD.exe
PID 1948 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\vnkVKcD.exe
PID 1948 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\vnkVKcD.exe
PID 1948 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\KpEYgfR.exe
PID 1948 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\KpEYgfR.exe
PID 1948 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\KpEYgfR.exe
PID 1948 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\HVQylBI.exe
PID 1948 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\HVQylBI.exe
PID 1948 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\HVQylBI.exe
PID 1948 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\HiQnGVo.exe
PID 1948 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\HiQnGVo.exe
PID 1948 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\HiQnGVo.exe
PID 1948 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\iYGKDJA.exe
PID 1948 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\iYGKDJA.exe
PID 1948 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\iYGKDJA.exe
PID 1948 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\GGWCyOd.exe
PID 1948 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\GGWCyOd.exe
PID 1948 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\GGWCyOd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\rWxRKAw.exe

C:\Windows\System\rWxRKAw.exe

C:\Windows\System\KtDNMKV.exe

C:\Windows\System\KtDNMKV.exe

C:\Windows\System\WrOrdBj.exe

C:\Windows\System\WrOrdBj.exe

C:\Windows\System\xxSTrVe.exe

C:\Windows\System\xxSTrVe.exe

C:\Windows\System\WdjGgGF.exe

C:\Windows\System\WdjGgGF.exe

C:\Windows\System\EqYwwRD.exe

C:\Windows\System\EqYwwRD.exe

C:\Windows\System\hmeMWem.exe

C:\Windows\System\hmeMWem.exe

C:\Windows\System\UqwPaha.exe

C:\Windows\System\UqwPaha.exe

C:\Windows\System\JSmPjmL.exe

C:\Windows\System\JSmPjmL.exe

C:\Windows\System\DeVlfsU.exe

C:\Windows\System\DeVlfsU.exe

C:\Windows\System\FYncfZM.exe

C:\Windows\System\FYncfZM.exe

C:\Windows\System\TPrucFI.exe

C:\Windows\System\TPrucFI.exe

C:\Windows\System\BTWhqkI.exe

C:\Windows\System\BTWhqkI.exe

C:\Windows\System\yodmDdV.exe

C:\Windows\System\yodmDdV.exe

C:\Windows\System\NllkwpZ.exe

C:\Windows\System\NllkwpZ.exe

C:\Windows\System\vnkVKcD.exe

C:\Windows\System\vnkVKcD.exe

C:\Windows\System\KpEYgfR.exe

C:\Windows\System\KpEYgfR.exe

C:\Windows\System\HVQylBI.exe

C:\Windows\System\HVQylBI.exe

C:\Windows\System\HiQnGVo.exe

C:\Windows\System\HiQnGVo.exe

C:\Windows\System\iYGKDJA.exe

C:\Windows\System\iYGKDJA.exe

C:\Windows\System\GGWCyOd.exe

C:\Windows\System\GGWCyOd.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1948-0-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/1948-1-0x0000000000080000-0x0000000000090000-memory.dmp

C:\Windows\system\rWxRKAw.exe

MD5 5e49779baf21837c08fbd76484afb099
SHA1 96e10fd8d3b56ec2922ac8d2231395d0b48081ec
SHA256 69077fa990fcdcaf82af965fc9402c1d44cb2ac0e6abb2edb46ee179f2e04316
SHA512 0a0c9a8f35f6d364ac622b9324fb45c978a48959042cf94db6088754689ff0818901d2b8ca31092a55f3fbc4a2c2ad1820ab7aca79a060b326750f8173522cfc

memory/1948-8-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/2228-13-0x000000013F870000-0x000000013FBC4000-memory.dmp

C:\Windows\system\KtDNMKV.exe

MD5 96832980caf732ff1e18483722d20c45
SHA1 9e88d7032568ab723b568572424afdb6b1bece45
SHA256 c1fc017ff99941913423caf6fd19bc2ead08a9aacdce7e189d8a891cd34eb6dd
SHA512 ecbfc88881afb60d7653e2ff7703ab37760dc9aa705f2f11f6f42b3d53afa7a6cf7c41e8cc695fba0aad73ceb6587d44e6ff99de26c456f5425046f900835085

memory/1624-16-0x000000013F440000-0x000000013F794000-memory.dmp

memory/1948-15-0x000000013F440000-0x000000013F794000-memory.dmp

\Windows\system\WrOrdBj.exe

MD5 fbd48157202acbf21d516a05b5195101
SHA1 635ba96d8a56f8bb06287136e2fda620870dc4d0
SHA256 0cd8357098d17444821dc047033dce833b4b8de50e7118b672854c70020b7e3b
SHA512 866691d9d5c8ec3d2b9c97f07ceaed6cfe88a07575525c4dc0a7acf22d2ab432e54da4465b05d5e673d316355a06fcd7ca63971538943c569191efd427f49934

memory/1948-21-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2532-26-0x000000013F280000-0x000000013F5D4000-memory.dmp

C:\Windows\system\xxSTrVe.exe

MD5 e46a51c1f211cd9aa7c9dea0e3e5daa3
SHA1 c01779a8bcdde0f8624bab3a146d69468a0535fd
SHA256 60759699729e66a7d5b6e62a9c5ad01a31b5c15aef2f063a787f80c4a89951a6
SHA512 d6c029430e9617f8b6674aad510aa7da17839c13b8ec65913d7ac67e60a38b7d2830d52981b11e61252eea47ef65f18cdbe0bcaaec384f12e980c879051eca0f

memory/1948-27-0x000000013F180000-0x000000013F4D4000-memory.dmp

\Windows\system\WdjGgGF.exe

MD5 369676845f8724cedff74cb6f1537cb9
SHA1 cd999d58c8a047f1acbedc9574d55d7dab74c66e
SHA256 23a157ed4fcafa6ba874c5c235485574fdabd06b284f7f41b6fe554d961588f7
SHA512 7e885c1982a50f65fd4acbab6ddce4365c6a513a8d542eb9614f851f7ec65fc082a5efb62164ab5f54784705500aa80806c1f70fd6b614ba6990072406a0d190

memory/2952-48-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2508-39-0x000000013F040000-0x000000013F394000-memory.dmp

C:\Windows\system\EqYwwRD.exe

MD5 af55767918cfa19f741ec9ffe74e606a
SHA1 c9770cc061d0bb7321fb4f80c419f17965c98e64
SHA256 b2b4e83d7513aa6b1ff50634b7d89e96a2b7a60a09c862e446f76846d91108e8
SHA512 a50d95b5e12e9c4eba773a0db41ddcdf2c81a560a77e71b56b25d571fbcbc0fc8a632a0a14622b05a90fb9b59d3ded8313396f63a308389f42c873519b084b4c

memory/2424-51-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/1948-50-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/1948-47-0x000000013F1D0000-0x000000013F524000-memory.dmp

C:\Windows\system\hmeMWem.exe

MD5 cc920f8789a677cc2b067ac06cd7e1a4
SHA1 1a13b38c882fdad2c8c0d9a8c8d3765f4e886ef2
SHA256 f7b4503944ecb280728f6698f25c6ad82cc046d080d0db7a2cb7803cf307274c
SHA512 7f0a53c5fd0b156e8a058c4d70d200b241a66f069f35a4013a3cfe11fa28109612c57307a283e7da56f80675068c27f2274f64b8889a130939ba57681aa42651

memory/1948-44-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2616-34-0x000000013F180000-0x000000013F4D4000-memory.dmp

C:\Windows\system\UqwPaha.exe

MD5 0ec41b183d7a352b6b4b1ffbbb26946b
SHA1 c86373b51871219b5fb9a4368808482823a1e8ee
SHA256 78cb913f00181b65cbad49628110c2f3f6e0f8a4263262d9e3e4724fb62d5d64
SHA512 1081b0bd8dc12aab85ca35a242d5317671373b964eebefd9394e07164d2429422ee45062a2743b69360365060f5ef2f0a277579bf50d673737eeeba96c6d26d3

memory/1948-62-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2384-64-0x000000013F540000-0x000000013F894000-memory.dmp

C:\Windows\system\JSmPjmL.exe

MD5 4083c1a8275015f054982fbf6c97096b
SHA1 75698177ec5b826b20f23d787631d66212451f94
SHA256 c79d77f73b62b9581fedd485eab524b227c6a10e593706083f60ad920be44fa9
SHA512 41b5a916e77dbf7559a2e804cbda35c554177a9ea9a51aef42a0067d45f60920972a5084cc3bf80a281e4dbc41deef4be0da8a90f28186c60b2814d6cca962af

memory/2436-57-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2312-69-0x000000013F100000-0x000000013F454000-memory.dmp

memory/1948-68-0x000000013F100000-0x000000013F454000-memory.dmp

C:\Windows\system\DeVlfsU.exe

MD5 aec86cead20784e99b1efe9ae113af22
SHA1 1bfc4743de1c6a037e5805157b279bcf776189ad
SHA256 739cbd6bd170089bdcf145ddba399b6301985c43a75af84a97aeefe9856a02de
SHA512 a61145ea439e54b71ecc92d4856b716328c15740aee84bb4e5a06cf84a6ae04aa82fc868fc72f7a82398650d77496be9dd9b86dfc5b7c9812debec27a73e9ffd

memory/2532-87-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2564-104-0x000000013F7F0000-0x000000013FB44000-memory.dmp

C:\Windows\system\NllkwpZ.exe

MD5 175407f9571d11c200b758f9815fa12b
SHA1 33ea63978d87c59b5f9705332f029d03bf2ea8e7
SHA256 fe2e0660e041201d42c05c8db98f9517ec25d69409d73c4471a8287410f44158
SHA512 cac8a6079b257c7018cce90422c481cbd7de6e8523f05df7c764506750a884b41bfb266e51fa19c384993d85fa658023cbd11ba4d58025b6a7d9c0cf74c002af

C:\Windows\system\KpEYgfR.exe

MD5 1a54c7b772e42f4ef13f4c40b876ce59
SHA1 09d1f64f792649b733080960c82a23d8161a29de
SHA256 5cef326f303ec1b36057920963c118bee523019367d6282841a64a6930a13a69
SHA512 a8c3971269a509d68fef5ce4f0ebf401d41f90840960639c82c18e83285860ef6aa5bcb914d2acc41a7ebac028dee2420af2dd5ba1f7b519019f69da9736f535

C:\Windows\system\HVQylBI.exe

MD5 00670ab04c6f20e219aeb309a2f58100
SHA1 44b46e291983218fd99417d5c80fcbef9fef1be2
SHA256 bc6949a2fd4192b8adbd50417cbdc30693951b27f00f64d83824655f50f9efab
SHA512 d044311af214ab8419f8b8cb17fe6b68ad594216e1a80571200c00b894b407a5247fcd4dacf3e0998b1dbc60fcf255f014f6e21e4f26848bee372f7c0ff33a3a

\Windows\system\GGWCyOd.exe

MD5 a2088c845cac8f4056a728341b3da73a
SHA1 8f3bc5b866b259adea7dd98bee28990ea7e379f2
SHA256 1f21608c386e0b48e389d44546f71b52d6f0e05e203cdc8669e5d2559424539b
SHA512 086f547a8df96385c7a3833b1e6aeb45ae06e8c1fbb86c035abec47eaeaac8a09c1230e5338ce1143863cc8d57dc4f97983262ff6920daec6d1c767ee8884b6d

C:\Windows\system\iYGKDJA.exe

MD5 003ba33ca81217b0771bc83d53f7d4b5
SHA1 2e403e2a5ba1cb85dd12658e848a09baf6f3304f
SHA256 088b3b41c672275fbbef77777b6c341f86399a7bbc6584ec5e70868099b73fa1
SHA512 3d1c472ce9de37f6d68d716907d69fb3da23273c8dda64a26564da9bc546bf2e88b70c1df0e98a48ce4819a06e3b3176417954086942de3ff842d6d2cfc4620a

C:\Windows\system\HiQnGVo.exe

MD5 211a57d460290deab06d87994edc0b3e
SHA1 46647209a7088ddcc81e321ea05e5a43dfdc3b29
SHA256 80477adb23f70c81f318f865c7b67601be1dab0a8f43eb673cabd25d4194fb4a
SHA512 b739ecc5ec3e82627f56fc929c2c7f49efae780ef233aeaf45832b9a5caae122266ceab8a264704d2e4ee51f39639aa2c6b0f68fe952dbb5cd1c7d7ca2b63215

memory/1948-94-0x0000000002400000-0x0000000002754000-memory.dmp

\Windows\system\BTWhqkI.exe

MD5 c3ed1e9aca2a7d36f6d30736f4606a29
SHA1 02dad6c6b68fca0c4e734b27cdc29c75c7123a97
SHA256 de0956edb2e13e53dbff8878122e00580bfeb488a07bb8662dfeed0f3ce90476
SHA512 bfefe422254e924b48fd2a84e29fd7cb6efb28d01f8b90a0c7ac461256dbe6d544cbc014703cf086c53264fc4c6bdcf48b9217a2fd14826f6f4b12888afa2504

memory/1948-109-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/1948-107-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/2508-106-0x000000013F040000-0x000000013F394000-memory.dmp

memory/1948-105-0x0000000002400000-0x0000000002754000-memory.dmp

memory/1276-103-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/1948-100-0x000000013F7F0000-0x000000013FB44000-memory.dmp

C:\Windows\system\vnkVKcD.exe

MD5 64a1cf77385c9dab45370a7ddc2ca7ca
SHA1 911e36e562aea12ab927a6301cf63b37a244bcd9
SHA256 069633201129dcca577e71d93a773692ed3d9c717be24267c32cafac06bbd9b5
SHA512 dceab33879ed54245f5b702d75ae0ec74996d167f02f7ec1a5e89edcdcd785e5841f0a9cb09ae808d0d8bb9d2a776522c86d39d7d52dee51ddf962b5379ba879

C:\Windows\system\yodmDdV.exe

MD5 8932516c7a0ca556565b94ebb53f0680
SHA1 3d4e67ed71320b96a211cd34e5fc5c6c79735cf9
SHA256 dc0c25e4e10633160ab7ec222fc30c9b3d6d3e147f376a3408fe20d83096e6c8
SHA512 70579d52df6bdd5a0cb2fc5c851b52c4e66ac273f36b0d29add8339f5f44864781cf945b4fbf1535413040ff478d76fe7eb4b3aed33f84ba535e034f1fc5a6d0

memory/1948-77-0x000000013F2F0000-0x000000013F644000-memory.dmp

C:\Windows\system\TPrucFI.exe

MD5 ce6ae57c970f4cc6b067ec0e0f4c0825
SHA1 a9bd152b2df06a8726003cf0cc33b94cdc9cc48d
SHA256 c877ac9c7560c63af28a64bd4bd23c124e1b8c0c1075d2f9a265187e4e187d3e
SHA512 93d33424069099363512ed8ae782a9fe984acd84ad2153268e81418da6d32ef918badab36df3ac522f0863e6e2f6bda04bd620e3df0c8859b5fd88e22d7af9a3

memory/1256-81-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/2616-136-0x000000013F180000-0x000000013F4D4000-memory.dmp

C:\Windows\system\FYncfZM.exe

MD5 beb41b68511b01413f4ebb6ccde7b41d
SHA1 60085748a8a15159eb07c6ffe84acf8dd456ab41
SHA256 b0d38e6747f62b4111a1d56cdc1f38f263bab676854d3cc28dbed9960441aee6
SHA512 6ee8d6c510fb4d83bab84e0a615f2f395bc7485585aaf06f1edfdeeee9a84f6822916f84399d8ac0d0c4f940bf4b38f96fabef9e1c94de00b6309a7294da8f57

memory/2952-138-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/1948-139-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2384-140-0x000000013F540000-0x000000013F894000-memory.dmp

memory/1948-141-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2312-142-0x000000013F100000-0x000000013F454000-memory.dmp

memory/1948-143-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/1948-144-0x0000000002400000-0x0000000002754000-memory.dmp

memory/1948-145-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/2228-146-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/1624-147-0x000000013F440000-0x000000013F794000-memory.dmp

memory/2532-148-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2616-149-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2508-150-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2424-151-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/2952-152-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2436-153-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2384-154-0x000000013F540000-0x000000013F894000-memory.dmp

memory/2312-155-0x000000013F100000-0x000000013F454000-memory.dmp

memory/1256-156-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/1276-157-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2564-158-0x000000013F7F0000-0x000000013FB44000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 07:46

Reported

2024-06-08 07:48

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\fMBadLU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CVkUpZN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ovtLNvj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TlMwlyG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fELHCAv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TOarsvx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IzdhCrP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TbMMuGn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YUMLZwu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PPVRjwJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DONLyFC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XXQZlhw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BTOPGUZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MukVSEo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PSIgdpt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MkaQGAa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eOthoWD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yLEGKPh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LkOJyrF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UQnqACx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LheJcvQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\BTOPGUZ.exe
PID 4076 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\BTOPGUZ.exe
PID 4076 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\MukVSEo.exe
PID 4076 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\MukVSEo.exe
PID 4076 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\PSIgdpt.exe
PID 4076 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\PSIgdpt.exe
PID 4076 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\fELHCAv.exe
PID 4076 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\fELHCAv.exe
PID 4076 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\TOarsvx.exe
PID 4076 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\TOarsvx.exe
PID 4076 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\TbMMuGn.exe
PID 4076 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\TbMMuGn.exe
PID 4076 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\LkOJyrF.exe
PID 4076 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\LkOJyrF.exe
PID 4076 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\YUMLZwu.exe
PID 4076 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\YUMLZwu.exe
PID 4076 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\PPVRjwJ.exe
PID 4076 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\PPVRjwJ.exe
PID 4076 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\DONLyFC.exe
PID 4076 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\DONLyFC.exe
PID 4076 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\UQnqACx.exe
PID 4076 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\UQnqACx.exe
PID 4076 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\LheJcvQ.exe
PID 4076 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\LheJcvQ.exe
PID 4076 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\MkaQGAa.exe
PID 4076 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\MkaQGAa.exe
PID 4076 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\fMBadLU.exe
PID 4076 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\fMBadLU.exe
PID 4076 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\CVkUpZN.exe
PID 4076 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\CVkUpZN.exe
PID 4076 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\eOthoWD.exe
PID 4076 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\eOthoWD.exe
PID 4076 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\IzdhCrP.exe
PID 4076 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\IzdhCrP.exe
PID 4076 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\yLEGKPh.exe
PID 4076 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\yLEGKPh.exe
PID 4076 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\XXQZlhw.exe
PID 4076 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\XXQZlhw.exe
PID 4076 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\TlMwlyG.exe
PID 4076 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\TlMwlyG.exe
PID 4076 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\ovtLNvj.exe
PID 4076 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe C:\Windows\System\ovtLNvj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d7e62a362b03eae6bb7289014017cdab_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\BTOPGUZ.exe

C:\Windows\System\BTOPGUZ.exe

C:\Windows\System\MukVSEo.exe

C:\Windows\System\MukVSEo.exe

C:\Windows\System\PSIgdpt.exe

C:\Windows\System\PSIgdpt.exe

C:\Windows\System\fELHCAv.exe

C:\Windows\System\fELHCAv.exe

C:\Windows\System\TOarsvx.exe

C:\Windows\System\TOarsvx.exe

C:\Windows\System\TbMMuGn.exe

C:\Windows\System\TbMMuGn.exe

C:\Windows\System\LkOJyrF.exe

C:\Windows\System\LkOJyrF.exe

C:\Windows\System\YUMLZwu.exe

C:\Windows\System\YUMLZwu.exe

C:\Windows\System\PPVRjwJ.exe

C:\Windows\System\PPVRjwJ.exe

C:\Windows\System\DONLyFC.exe

C:\Windows\System\DONLyFC.exe

C:\Windows\System\UQnqACx.exe

C:\Windows\System\UQnqACx.exe

C:\Windows\System\LheJcvQ.exe

C:\Windows\System\LheJcvQ.exe

C:\Windows\System\MkaQGAa.exe

C:\Windows\System\MkaQGAa.exe

C:\Windows\System\fMBadLU.exe

C:\Windows\System\fMBadLU.exe

C:\Windows\System\CVkUpZN.exe

C:\Windows\System\CVkUpZN.exe

C:\Windows\System\eOthoWD.exe

C:\Windows\System\eOthoWD.exe

C:\Windows\System\IzdhCrP.exe

C:\Windows\System\IzdhCrP.exe

C:\Windows\System\yLEGKPh.exe

C:\Windows\System\yLEGKPh.exe

C:\Windows\System\XXQZlhw.exe

C:\Windows\System\XXQZlhw.exe

C:\Windows\System\TlMwlyG.exe

C:\Windows\System\TlMwlyG.exe

C:\Windows\System\ovtLNvj.exe

C:\Windows\System\ovtLNvj.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4476 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 142.250.179.106:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 106.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files

memory/4076-0-0x00007FF7B3F40000-0x00007FF7B4294000-memory.dmp

memory/4076-1-0x000001A66D1F0000-0x000001A66D200000-memory.dmp

C:\Windows\System\BTOPGUZ.exe

MD5 63891eea5cc1d7f5489f3048031beb87
SHA1 57d57e629b54f8f7de5faebcb3b11c5688ecb09c
SHA256 b9899b2fae148fe67f68798f5a0df6faed3746e029233a8ac65dd78be879a956
SHA512 df4d11ce52e6e1b22196aaf26e0e17cf9a3718410e91b46019946d6ef2ba8f660b1ae67cc23c00be4046177ef570f0637281a00ab2d0d0c113c271f0b7ee570c

memory/3080-8-0x00007FF6103C0000-0x00007FF610714000-memory.dmp

C:\Windows\System\MukVSEo.exe

MD5 74d2530b4d87b5454a29ca663f3aa0df
SHA1 6ee481ae7d063316de0fdcc6a0eea68a69b4b79d
SHA256 02c4dbb6b3b5d15318ccda9079ddb7e5c600abffb264d92d8a02707712e8c468
SHA512 75ebc11ddf0543587b3f0f2fe74bf9ecd0a81c18689d66320f2875fb0cfe43cec0691f5818f34de578827a60c931f3098dc8d01e793bbda512a5a167522dac5f

C:\Windows\System\PSIgdpt.exe

MD5 85a52cd0cd0fcf3bb13448bdbfaad5dd
SHA1 37cec2fd6d38211a9a523c5b823560ed53cd8c7a
SHA256 2f564dfa9208f8b4b94423f568b936378acf76831c42805d943d300a01a82243
SHA512 8d09bfceffc68a647c3fb2f867ba206500c050d9e580d7147bf395c3fc3f37b5fa30b83a20e1109d2aa08724d5bf0009064a3ca00c1add8afadc27bb60ac1fa3

memory/1616-14-0x00007FF6FCCE0000-0x00007FF6FD034000-memory.dmp

memory/1404-20-0x00007FF789C10000-0x00007FF789F64000-memory.dmp

C:\Windows\System\fELHCAv.exe

MD5 c1deb8afe3d299d82a2e63457bd19dc3
SHA1 7ba69b1966c4bf49015891fae12b64ce1bc50ec7
SHA256 cbae21e505864f0bad59fc2e38dc9c154e77f94570fff4f51d9367fd79977f8e
SHA512 5415af2e5cd551c7307c811ce79c837939d0e5c995151ada902d4f16dff27bd94ab3fd5c5e90b45c2cff1a2ad2fb0d00b3f44e87461c7f61ca1d124c6ed0afad

memory/3456-25-0x00007FF769A20000-0x00007FF769D74000-memory.dmp

C:\Windows\System\TOarsvx.exe

MD5 8824b51e3c6b022563e40d26b44e7e35
SHA1 e71a7fd7a4d195110419493ae9bfc662c9dc17bf
SHA256 0834bb17e1291b516251b8519429245b66a2ed843fc7f49e2e8c7f78c751c56e
SHA512 1e6e7e28bbe3824522f735b1fb66dbbf8adc41ec29976529fb80d21a87d2ed5142418bc2ceb8a42544c868733fc241cfb9136585623702ace2f51154780957d0

memory/4536-33-0x00007FF65A030000-0x00007FF65A384000-memory.dmp

C:\Windows\System\TbMMuGn.exe

MD5 644ed1c78c3c9fefd0e3f3f46d0265ae
SHA1 c71571f833c11b6005f1ed6c87e78871c9b28645
SHA256 087f2b16908ce042fbfe919a7cd82ab134fa4f22a760477189fe0a4f0f6f0a2e
SHA512 80b836fc36c6953a21d1e146bf8774d5fb882c95f34e1f5f0654cd80476972fcf9f7e45b4474d1747c9b7313a967508145c83040325d03849e6a84c5addbbe41

memory/232-44-0x00007FF7714F0000-0x00007FF771844000-memory.dmp

C:\Windows\System\YUMLZwu.exe

MD5 b9d446c86370d852ba1eb3f25996a705
SHA1 f3f062c80668e9cc9007b2f22b4cbf154ffb7ca6
SHA256 74509fa6d6a161791e6368489b7825db4b4a1d9c68890782d0d5dd4cc1785bad
SHA512 06e165e6bf768faa32ea3596eed78e87201eb821b2c32a81ef5124fe56133b0e18346624a5c915794987dbc503d906b3de485c5b0c3143c3689ac4cb01fc9b96

memory/4476-50-0x00007FF7FC900000-0x00007FF7FCC54000-memory.dmp

C:\Windows\System\PPVRjwJ.exe

MD5 cc4913a42fc7172ee9741bc5bb56faef
SHA1 c31af3fe1fd13c6f46dda02a5641773aec1dabf6
SHA256 c1acf2f0a6f047af4a65a348f8f8a1b4ac0a8b677859e9d07093163b75f3d255
SHA512 6dac796aa4adb8a40e1ea4f2550df52ee80bc2ae6d5d8b9cf4ea8feaa353784cec93279eea52cbcd9445e3c7da2dc47cc4d6087971618499f49e071aad709905

C:\Windows\System\DONLyFC.exe

MD5 f29ba56f07c0690759785127abaf5b9a
SHA1 6a3e81137e924c92d31cae33ae223918e7f285e7
SHA256 818dc5c84ab04e991a4a29e31ace8ba277e630845ec999c7cc26301b3371c0ed
SHA512 0ca5ecd995c29f54ad82178ad0890375501642823c668436694ba1775cbfa10ca72ca699c89f23588445bdef9b2499407609225bba8011d28293dcb46bf3ed79

C:\Windows\System\UQnqACx.exe

MD5 9638de3c8ef40e850a0f3915f525ddb6
SHA1 2b1f8933df2a16284fb5b5a4d2b49c7a0eeff627
SHA256 870a81c896d246b45c559dfcf48fd7a628b019f5778860f809537081ce3ee007
SHA512 b328b4fabb8ba7a055bc7ce9ac4bf7a078b09fb6ee450fc614a487e106ad1aee70df76783c37968d22c9ec3e45873e78a82bcb295b5af19b710827685d611b8b

C:\Windows\System\LheJcvQ.exe

MD5 f9542c862b314acb4c6fde7a15606f1f
SHA1 6b35a695460507ac8476f984e6886781bf37e3cf
SHA256 a48bde4e9c3ea2d283b78d9d77676ddba9d6856339649bbf19572c6d6b3c55ce
SHA512 732020e397816903a3fa0700455091503f0d4d91d443f29f169af425cb39c8f41dcf521f5b9c2741e8d1fc55f5aeb43b07e1be08395c133f8675cccb072c9df3

C:\Windows\System\MkaQGAa.exe

MD5 671bde84eb49c280fbee140e137a0bf6
SHA1 5e5686b93bb9b29ed231e792c79825afcf641056
SHA256 e82dbfa487d9b7aacab5bd66176d5164a660e177b1440487abf2cc9cf3783840
SHA512 676ae49b236cd41dff736cfcec121cf65758a70742369aa34a606c4dd5dbb5dd24acfad1208477a4dd735c430fb18920702463b44d8b68842055a6ca9467cbd6

memory/2108-78-0x00007FF7A7530000-0x00007FF7A7884000-memory.dmp

memory/2516-81-0x00007FF67F910000-0x00007FF67FC64000-memory.dmp

memory/3992-82-0x00007FF639540000-0x00007FF639894000-memory.dmp

memory/412-80-0x00007FF7B6A30000-0x00007FF7B6D84000-memory.dmp

memory/4724-79-0x00007FF77F390000-0x00007FF77F6E4000-memory.dmp

C:\Windows\System\CVkUpZN.exe

MD5 6583ed2a50e3b66d3075f760bda83088
SHA1 d6fc949d1deb3ce0adef87a96983d42e42cdc2f9
SHA256 02b7658248d60df741e769119c957d24870ea3619eeab2a38d167f3f373d3dff
SHA512 059b6e1e39af29d09dc94602dabc403d62dc80a29459a6ee7a083d35ef51973b293a2506819df514d0184fdbae21433fcc065824b85b92818a5d4ac5226e01da

memory/4076-89-0x00007FF7B3F40000-0x00007FF7B4294000-memory.dmp

memory/2740-93-0x00007FF7FC2C0000-0x00007FF7FC614000-memory.dmp

memory/1812-92-0x00007FF7659D0000-0x00007FF765D24000-memory.dmp

C:\Windows\System\fMBadLU.exe

MD5 ae8e06fd7ecafac1a19f87455d1ee8f7
SHA1 e6e6d1b6dad05a9588c0be1e5c7eec5ced5912e8
SHA256 8da7a95cf85d5bff75e4a2706aeb509ca01187fa299b8dd6f48ac9f17e21b503
SHA512 046cc3c428d0a0b00f09226bcc7af2100512be394e1f66ced2c7ca3bcf6b52b5541cc76898ce7d20dc7e6904c2b8a77c28e636f0d783584287e7d3dfe42508d8

C:\Windows\System\LkOJyrF.exe

MD5 ab0e5edb1ce2fb9a80f68cd6a57e1883
SHA1 e0eda5d50c3e9f59074bb7769a5d5bd7806aee95
SHA256 07616fa220bdec225f7bbb657fcde0615fb41e0f5cbea1ed615e0805bff3e28a
SHA512 d3c506acf66fa84ab1329d6dfef8b3a8757f6e458485feff42729c2c2adf051f0295e6a7aaf4699b9aa5a06cc8143c635c65566969eb7c0fc89f3e83c4b540b8

memory/3616-41-0x00007FF6C1770000-0x00007FF6C1AC4000-memory.dmp

C:\Windows\System\eOthoWD.exe

MD5 3be80e0e91d2097578d1011a351f4a9d
SHA1 532ec93dc1e2dffb9db01d799032e3b252f4155a
SHA256 80556424c17c15cfa3db7e058a41adb97d897e7b55294417ebf6a323b400996e
SHA512 1adef89ef56c2f6f8acc9cecd822801b6158cb5c2ced56e19757cd95a036b91ff718983c76e1cb75ca4e4d42df9eeefb63618aa5b758c682caca77b3152de00e

memory/3080-97-0x00007FF6103C0000-0x00007FF610714000-memory.dmp

C:\Windows\System\IzdhCrP.exe

MD5 b06348697272af35da46ccc85bfb92a0
SHA1 c8532aa2d5e4dae4c116922d879266f2210cccb2
SHA256 4767543904f5164459d4a6c6f68b750a5207619e294e4ea7c0e7a1865f6381e4
SHA512 adea3a3cab4fcfdb9dc5b5f4bca562af2f6d42323c2d40cdb9bf8a717a25b86999b429cf240fd22a88f0e5b789dfe312aa3286b2ddc40af37bf40379fd2fdbfb

memory/3808-102-0x00007FF665AF0000-0x00007FF665E44000-memory.dmp

C:\Windows\System\yLEGKPh.exe

MD5 bde0ed23f738141454aa8eb827b74b6e
SHA1 8d42502e91e0c632cfb816707332e48d1976d943
SHA256 1021bad96dcdcf677d7adf94f25a4a5b9c4ff8ce05b758a8ff60a883081256b0
SHA512 7e0abe1970f1907f1d99cb0cde0cbeb8b4bb983bb560b5f564b4150f77bd518b73dbc8a23a1494725483061a07152f323de0872ff3a4b8bebb19faab1ce37962

memory/1616-105-0x00007FF6FCCE0000-0x00007FF6FD034000-memory.dmp

memory/612-110-0x00007FF787810000-0x00007FF787B64000-memory.dmp

memory/452-119-0x00007FF6DED20000-0x00007FF6DF074000-memory.dmp

C:\Windows\System\TlMwlyG.exe

MD5 1782d9ba8419a8dcb101e948454fd661
SHA1 7bb806270a6ae749951ea6f69ccb37b0d0841d49
SHA256 05e5136611c759ff75837bc03b6e0b01547ec739495788aba96083c92af0a364
SHA512 8263b9d5020e05772cb33f01217296db4e2090a75b7353d27e9b1e53d24ce1cfa9fdae1a44d8a358d6f60033d598410365e21c6362b7b6ca2c9ddb597605b1c2

C:\Windows\System\ovtLNvj.exe

MD5 99c992c02a96105f91de728f2ca4f913
SHA1 83a0490576cd7ab734b7e2b7aa49c12431c9b020
SHA256 e6b8f7bab79110b2f55c72d5701fd97996968d1be26a652bdf5c07d1e3df8e25
SHA512 47f0283cf085c36d52e0c2e41855f7e15d6fb2bfaec7dbefcade422299ff8cc368d63a1db33012a9bb63b03502b281a314c51ba78bfac3ca7f1b771708be9b6b

C:\Windows\System\XXQZlhw.exe

MD5 db4f27a7553e70ef96bb5c14b866164b
SHA1 72fe075cdd08e0ccf61c93a633033a7d1af57de4
SHA256 803078490b2e6ccec184ff7263b77a05063972c0b98f9a67a0668a3f70b65905
SHA512 6e4db30e96a6e8877f634f1e20289dd8672a97b43cc9fba323062dd1e95194e07b8fe77c4b38e4c0b13cba8e013bd5dec088d2d03010e50488a5bc0d0bee1b6d

memory/1404-111-0x00007FF789C10000-0x00007FF789F64000-memory.dmp

memory/3456-129-0x00007FF769A20000-0x00007FF769D74000-memory.dmp

memory/1844-130-0x00007FF612550000-0x00007FF6128A4000-memory.dmp

memory/3964-131-0x00007FF629880000-0x00007FF629BD4000-memory.dmp

memory/4536-133-0x00007FF65A030000-0x00007FF65A384000-memory.dmp

memory/3616-134-0x00007FF6C1770000-0x00007FF6C1AC4000-memory.dmp

memory/4900-132-0x00007FF7FED70000-0x00007FF7FF0C4000-memory.dmp

memory/232-135-0x00007FF7714F0000-0x00007FF771844000-memory.dmp

memory/4476-136-0x00007FF7FC900000-0x00007FF7FCC54000-memory.dmp

memory/3808-137-0x00007FF665AF0000-0x00007FF665E44000-memory.dmp

memory/452-138-0x00007FF6DED20000-0x00007FF6DF074000-memory.dmp

memory/3080-139-0x00007FF6103C0000-0x00007FF610714000-memory.dmp

memory/1616-140-0x00007FF6FCCE0000-0x00007FF6FD034000-memory.dmp

memory/1404-141-0x00007FF789C10000-0x00007FF789F64000-memory.dmp

memory/3456-142-0x00007FF769A20000-0x00007FF769D74000-memory.dmp

memory/4536-143-0x00007FF65A030000-0x00007FF65A384000-memory.dmp

memory/3616-144-0x00007FF6C1770000-0x00007FF6C1AC4000-memory.dmp

memory/4476-146-0x00007FF7FC900000-0x00007FF7FCC54000-memory.dmp

memory/2108-147-0x00007FF7A7530000-0x00007FF7A7884000-memory.dmp

memory/232-145-0x00007FF7714F0000-0x00007FF771844000-memory.dmp

memory/3992-149-0x00007FF639540000-0x00007FF639894000-memory.dmp

memory/412-151-0x00007FF7B6A30000-0x00007FF7B6D84000-memory.dmp

memory/2516-150-0x00007FF67F910000-0x00007FF67FC64000-memory.dmp

memory/4724-148-0x00007FF77F390000-0x00007FF77F6E4000-memory.dmp

memory/1812-152-0x00007FF7659D0000-0x00007FF765D24000-memory.dmp

memory/2740-153-0x00007FF7FC2C0000-0x00007FF7FC614000-memory.dmp

memory/3808-154-0x00007FF665AF0000-0x00007FF665E44000-memory.dmp

memory/612-155-0x00007FF787810000-0x00007FF787B64000-memory.dmp

memory/452-156-0x00007FF6DED20000-0x00007FF6DF074000-memory.dmp

memory/1844-157-0x00007FF612550000-0x00007FF6128A4000-memory.dmp

memory/3964-158-0x00007FF629880000-0x00007FF629BD4000-memory.dmp

memory/4900-159-0x00007FF7FED70000-0x00007FF7FF0C4000-memory.dmp