Malware Analysis Report

2024-10-16 03:06

Sample ID 240608-tvsrxadc3x
Target 2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike
SHA256 08a737956ced15ab1dbf6f4139b8e06b18ce2b38dbba50c2353cc6d4657288ff
Tags cobaltstrike xmrig 0 backdoor miner trojan upx
Score 10/10


Analysis Overview

Score 10/10
SHA256 08a737956ced15ab1dbf6f4139b8e06b18ce2b38dbba50c2353cc6d4657288ff

Threat Level: Known bad

The file 2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags cobaltstrike xmrig 0 backdoor miner trojan upx
Families Cobaltstrike, Xmrig

Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-08 16:23

Signatures

Cobalt Strike reflective loader
Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family (tag: cobaltstrike)

Detects Reflective DLL injection artifacts
Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)
Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload (tag: miner)
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family (tag: xmrig)

UPX packed file (tag: upx)
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-08 16:23
Reported 2024-06-08 16:25
Platform win7-20240220-en
Max time kernel 133s
Max time network 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows in the source; no details recorded)

Cobaltstrike (tags: trojan backdoor cobaltstrike)

xmrig (tags: miner xmrig)

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows in the source; no details recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (51 identical rows in the source; no details recorded)

XMRig Miner payload (tag: miner)

Description Indicator Process Target
N/A N/A N/A N/A (54 identical rows in the source; no details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A (21 identical rows in the source)

UPX packed file (tag: upx)

Description Indicator Process Target
N/A N/A N/A N/A (51 identical rows in the source; no details recorded)

Drops file in Windows directory

Description Indicator Process Target
In all 21 rows the Description is "File created", the Process is C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe, and Indicator and Target are N/A. Files created:
C:\Windows\System\MZlqEQi.exe
C:\Windows\System\zGRcZcO.exe
C:\Windows\System\Xfkdtdk.exe
C:\Windows\System\miXKmTt.exe
C:\Windows\System\PLMQnkx.exe
C:\Windows\System\QlPFgLN.exe
C:\Windows\System\dqKRuYB.exe
C:\Windows\System\XoVUTlO.exe
C:\Windows\System\LrJuACe.exe
C:\Windows\System\JGlobpx.exe
C:\Windows\System\fqwzRwA.exe
C:\Windows\System\pGpCbji.exe
C:\Windows\System\xUqulQO.exe
C:\Windows\System\nhTxPSd.exe
C:\Windows\System\xnEzBjl.exe
C:\Windows\System\VIjYqYZ.exe
C:\Windows\System\ScxhFnj.exe
C:\Windows\System\umugkmY.exe
C:\Windows\System\xeoDMaw.exe
C:\Windows\System\RhVpHCR.exe
C:\Windows\System\USetOJB.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A (2 identical rows in the source)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
In every row the Process is C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe and the Indicator is N/A; each write below is recorded three times in the source (63 rows in total).
PID 1720 wrote to memory of 2144 C:\Windows\System\fqwzRwA.exe
PID 1720 wrote to memory of 2540 C:\Windows\System\pGpCbji.exe
PID 1720 wrote to memory of 2640 C:\Windows\System\xUqulQO.exe
PID 1720 wrote to memory of 2808 C:\Windows\System\PLMQnkx.exe
PID 1720 wrote to memory of 2696 C:\Windows\System\QlPFgLN.exe
PID 1720 wrote to memory of 2516 C:\Windows\System\umugkmY.exe
PID 1720 wrote to memory of 2716 C:\Windows\System\MZlqEQi.exe
PID 1720 wrote to memory of 2588 C:\Windows\System\nhTxPSd.exe
PID 1720 wrote to memory of 2444 C:\Windows\System\dqKRuYB.exe
PID 1720 wrote to memory of 2924 C:\Windows\System\XoVUTlO.exe
PID 1720 wrote to memory of 2268 C:\Windows\System\xeoDMaw.exe
PID 1720 wrote to memory of 240 C:\Windows\System\LrJuACe.exe
PID 1720 wrote to memory of 2620 C:\Windows\System\RhVpHCR.exe
PID 1720 wrote to memory of 2708 C:\Windows\System\USetOJB.exe
PID 1720 wrote to memory of 2728 C:\Windows\System\zGRcZcO.exe
PID 1720 wrote to memory of 1560 C:\Windows\System\JGlobpx.exe
PID 1720 wrote to memory of 2196 C:\Windows\System\xnEzBjl.exe
PID 1720 wrote to memory of 344 C:\Windows\System\Xfkdtdk.exe
PID 1720 wrote to memory of 2580 C:\Windows\System\VIjYqYZ.exe
PID 1720 wrote to memory of 328 C:\Windows\System\ScxhFnj.exe
PID 1720 wrote to memory of 1632 C:\Windows\System\miXKmTt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe"

Dropped executables, each launched with its own path as the command line:
C:\Windows\System\fqwzRwA.exe
C:\Windows\System\pGpCbji.exe
C:\Windows\System\xUqulQO.exe
C:\Windows\System\PLMQnkx.exe
C:\Windows\System\QlPFgLN.exe
C:\Windows\System\umugkmY.exe
C:\Windows\System\MZlqEQi.exe
C:\Windows\System\nhTxPSd.exe
C:\Windows\System\dqKRuYB.exe
C:\Windows\System\XoVUTlO.exe
C:\Windows\System\xeoDMaw.exe
C:\Windows\System\LrJuACe.exe
C:\Windows\System\RhVpHCR.exe
C:\Windows\System\USetOJB.exe
C:\Windows\System\zGRcZcO.exe
C:\Windows\System\JGlobpx.exe
C:\Windows\System\xnEzBjl.exe
C:\Windows\System\Xfkdtdk.exe
C:\Windows\System\VIjYqYZ.exe
C:\Windows\System\ScxhFnj.exe
C:\Windows\System\miXKmTt.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 identical connections recorded in the source)

Files

memory/1720-0-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/1720-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\fqwzRwA.exe

MD5 7beac341bb22e7c700c99f1272187113
SHA1 632885de395dafc1a66dc4eba2b95dd8718f6aae
SHA256 887a454b5a46d67e94f2b0273d30386a210acffc32de041692f91959ee651661
SHA512 bf500f8380aeea717c16561461726d4a57fdd5e107fcc124fa1dd8cd5168501c95ad85b5915bc36e9af9f5ba85927299f8efbf63903306c9bebe79eb0ec60b39

memory/2144-9-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/1720-8-0x0000000002350000-0x00000000026A4000-memory.dmp

\Windows\system\pGpCbji.exe

MD5 6e4660190ab4cf3097fa97db95752f40
SHA1 3b55110bedc527fec7f358a2da169d30e20d169c
SHA256 b31f7a949069a8bc8cca36b9bf522d56a041c36d635ce10a87e4d482e29526e3
SHA512 7646d74c916cf2c37cf2ccef4db9e96b535ff4e694e751b99e77f3a496a8bb35e70bd43e2946346228c6365e44cf56128c0ea1b314417ac4caabe2ef50e24558

C:\Windows\system\xUqulQO.exe

MD5 a844587417616594885316b3fa5add02
SHA1 8d8a8d1fe843502648b87090ccc0cc6573fc4d6e
SHA256 e42a4bc590daa07e0d4f35949197e93efdb80992ff0b014ea43fb108a5081066
SHA512 c2d2ab0c34eb10bec248398912f26fa83506a55fed1894468fe4e4d625bd2e965097d1fbfcf32faccdbda2aac934bbcd4580e0c952e4fcd68415c7679d754b90

memory/2540-20-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/2640-21-0x000000013FFD0000-0x0000000140324000-memory.dmp

memory/1720-22-0x000000013FFD0000-0x0000000140324000-memory.dmp

C:\Windows\system\PLMQnkx.exe

MD5 516927d4f9fa54382e612631d4786ff4
SHA1 5feaa985646af17d94de258da4c3ea2bf4040676
SHA256 4a4577ef388c5cc3b5c4faf2028d828d662abc4ebb586f321b861117a04b2915
SHA512 32bd4cef9b67431b918a4193de245d614f6cdab8faea76c0540cf18a4fe534615cb05ecad64a0e39434452fd12a7ce314c34bd8d0a337955f9ad9711c7b3f6c7

C:\Windows\system\umugkmY.exe

MD5 6144a4f4febbf34d517936a0eb9035f8
SHA1 076d48ce32c622d936e3fbf741749ded2dc18d58
SHA256 5eaefe6b6b95f8fe0987c4e2fcfafb4f169ec0ec822a2b266e9bca36eefc7e1e
SHA512 cd6c80c72083d6d85cc64c20fc5f504f014786a50b568a2c9023d78d18753465c3bb542e593a9b2f2fbc06bc3c515c923dbe3711e588327b768bb01f7b4f9831

memory/2516-45-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2808-36-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/1720-48-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2716-47-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/1720-50-0x0000000002350000-0x00000000026A4000-memory.dmp

C:\Windows\system\nhTxPSd.exe

MD5 d224b683437c21d237ded85e6aff4156
SHA1 0501ea80a852d74e59ba36441d2c44079ccef1da
SHA256 9fdd9e0986d7602c25e5e2959c150c0400c06252dc6f4764ec0662408cf7d5cd
SHA512 f2fb592934fb9dc8324f1863eb44465e5552d6fa79330e9d74c7951a156d0f7c17749197868829503dbc641b5fe78b7a4d9e9cd6a4a054251e573d45bb886731

memory/2588-57-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/1720-56-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/1720-49-0x0000000002350000-0x00000000026A4000-memory.dmp

C:\Windows\system\MZlqEQi.exe

MD5 7d6570cae76f0a6a1ce99ce70b66b86f
SHA1 40abd40a8be97f46a91816963c68fc4af059fbde
SHA256 28b06bf6d41f6e307d79485456a6e60c0fe304f399cffba7f68de148cd691b84
SHA512 53ab56bf25c55c8b799b19699aa499845d72f240c7e04e9498bc0954c0f77ad76db3b944a06cb75ed80d7e2621e6d7bc650515a8907b6793a928f45c34e64a86

memory/2696-42-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/1720-32-0x0000000002350000-0x00000000026A4000-memory.dmp

C:\Windows\system\QlPFgLN.exe

MD5 d1e8feb13566e124767d4cd82eadb897
SHA1 4de3eabaca461af2cdfde1c34a2653e2816bb6bb
SHA256 6b031888255942440b226f8318f79fdfbfe088095447695de265fe67d5d5fe71
SHA512 9de8a2e6de377fc466ef145897e6cdcd681dc741d2105e7b0c9f7fd4c1b69087bbc9cb57fe51cbe4e8a69a88dc93a2cc41cbfbcfda6ece464d1e6d0dcbe44f3f

\Windows\system\dqKRuYB.exe

MD5 0fb72da0429077d88e5d18ba7f2903ae
SHA1 68cfa7812ffd1715f26722a78d8b18d2f0afe362
SHA256 aefa7cb972cfb0be3248fec7625f7ca6ed3f48c4baeda51a8a25fc75238ac995
SHA512 2fb6532593c9adf547fe5cb426bfc93f483347d3b79729ea43ab0e6dfeb9d0ceb02ceb858e37a502163b91b84916937131f8516fa822130a5608bb39fb39b1d9

C:\Windows\system\XoVUTlO.exe

MD5 c52528fb12954efc777dbc193030db4e
SHA1 cca9156417a5569cecc93fb485f81108d08d92d8
SHA256 564ff0dfaad521088ac5d6b1680cb56f4b9933c04d18792b3e4ec02013460357
SHA512 d319d6c4a074b008ba4a53fd0b6bb917e522c39d80c1e01c545dd18737ded06b2db7c29968580949b6c8ccd44b627a7927f7f5cde122dfb0e7fddb0d57fbefb6

C:\Windows\system\LrJuACe.exe

MD5 d76926cfe28b568401a0f6af7ff22186
SHA1 6b7b9255895926bd12e2e7659fb8449a66a4717e
SHA256 bc947171f4ddbd9e6da3808b9d79459cc78beb4ba6486be3759b075cef42b815
SHA512 ce96faeb7eed7fbd9f877a87ee2a4e6b2ff154007e37e19fd21e634e7aef696fb0a2d996c967245776afc797548634357fe2742882ed650fefe5be4280126544

\Windows\system\JGlobpx.exe

MD5 03f01943b5db40acafeefc76da491a47
SHA1 324a1d80bf45b6630c20fb0cff920874f67ca893
SHA256 b6ec3bebb344b841671145cc46fe84615283e133edfdb9fcf3ce87dd767abbb5
SHA512 91149731caa86c77818d536b96a5bc1a268bb7c3ac54cb0eee1f9b9c67c38cad995ec5bd262653ccad7363ae9edd8458514e4db82297fe05c87cf52c56399dfd

memory/240-103-0x000000013FF40000-0x0000000140294000-memory.dmp

C:\Windows\system\ScxhFnj.exe

MD5 af0a2f1beb584aa9fc03cbd6257da347
SHA1 2ca7510e283df62474cdf849ce0333bd0afab79f
SHA256 8056398ee5ab2a229f5456e6e8ef6db4f4ef358bb8c015df2e302a95126b09f7
SHA512 d3eca40e3f28cbfbec503225fa0358f8620451beeb81083e02042c8ee5c3c47a74ea234ff024abfec1bb51426c6ac9378be7e2d5150a9d70d90e8e64129a11b2

memory/1720-122-0x000000013FDA0000-0x00000001400F4000-memory.dmp

C:\Windows\system\zGRcZcO.exe

MD5 39358a2372fdd4c7171901e5f0cd8891
SHA1 8f689d932f7c712030bc32415cbdecc0f445e177
SHA256 8b50b311bbacebdc2fb627448baa56b370865831444397d451935c8430917a19
SHA512 5f7cac7ddb85bfb6883bd4be8f23e6ea4377a2f93f911c312ef3b7a10be827a2d206789d620e7fd2c5dabc4ddb82349ee00bebed66dc762b032eba6e6e73a3e6

\Windows\system\miXKmTt.exe

MD5 22564d78f7afb2afba62e32162a8127a
SHA1 981875db193201b8819845dc9cf4925d1b8c9e76
SHA256 a4a706e5b7c3a72d84f33e5709c2f841e3930ff5925e73208170857c419ce87e
SHA512 cd5b925caa34aee763e299186d645981b198eaec4ae8f5d5b5e8010463969a1540541aa7aeb80281488fd426fcabe0b113745cbd2528f90db7002d1bcf2f7f57

C:\Windows\system\Xfkdtdk.exe

MD5 30f76a3293b4d7cc45bc9e4883061e74
SHA1 43366f0a28763b1bfce5fa21eb1b497d25a98ab5
SHA256 a56344e442e5b5c6c6e27be5c546ae1e54bde60db9da8196f850e8bfbaf96acd
SHA512 27fd94ea8e0ae83523b4e4e9981dae888c5ebbfc6922359385b23899f3576ce13e6e1d64317400390d7ec2a4e11ff3e7c332afe7630bc85e0438976fd7c90db5

\Windows\system\VIjYqYZ.exe

MD5 528ef36165b459b51ac9d0e1b00402c1
SHA1 2cfa71775aea0cd01bf4824b44722216fb479bca
SHA256 ef816747fc10cd5ef638ae1e5b66c6653c91f91cc7869b77930156b0e16e0ead
SHA512 ac5bf7cc69ec1cae5a5e0009f1212123c68b152ae48737e9b99d3735604366eaa5bb381ee94b6f339900e421fe81021a73e890b1fcca689084f0828d34c86434

\Windows\system\xnEzBjl.exe

MD5 ab9e75426f608e9c9bfa85715ac5fa78
SHA1 3835870e8c85fee1ba3347430864b62a3746f4e3
SHA256 bca08d37271dccad08f02f9a18cc1fb11b51b4cb09549a8ca0b2543b8495b628
SHA512 96552d93f7f08526073593ece3490ffe34af910f22a78ca9a375d525e6e3c167f7663fc639607cbd200b0751161bfa5860cde73af37f101d64fddc2231027327

memory/2268-90-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/1720-121-0x0000000002350000-0x00000000026A4000-memory.dmp

memory/1720-119-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/2708-115-0x000000013FBB0000-0x000000013FF04000-memory.dmp

C:\Windows\system\RhVpHCR.exe

MD5 46e550a303741f225f82de15344fa5b1
SHA1 032981fdee81ef783a956a317c7b92f8e28b1484
SHA256 adf59e7073fa741e2c4bfb6e9c86caedbbd0ecadcc9a368c426bc3442a37dcd9
SHA512 c063621ad58233fc2d0fdcdd1493b7f318840201c7d56890e9a1e72b06925e7a56586d8518cae523feb90b0ac669e6ae56b8c0b3108b14178ec69322d70d6889

memory/2924-93-0x000000013F770000-0x000000013FAC4000-memory.dmp

C:\Windows\system\USetOJB.exe

MD5 4639eaa8382a399a1d474b80197c204f
SHA1 85b9d405b2c6c0bc7ceb9f3c94f548ec01a6941b
SHA256 f5483d4cf281fa01af55bd359830f122c10fcbac3cef4e3a94d13a4f0385792f
SHA512 ff0527e866394d2712a3d1cf33a75e513171a59568a8eaff6f27a065045fe3b8182fef775db790b069b28f31fdc13d29593a1f5e81fb28cf33ffe15706610385

memory/1720-75-0x0000000002350000-0x00000000026A4000-memory.dmp

C:\Windows\system\xeoDMaw.exe

MD5 cac45141597a4d7159293084c466bfac
SHA1 864614110d5adccc976e53c699d80798db75661b
SHA256 7070d67809b2d30b1de69f598e8eae89ba85ac98983b8c8034ae4536854df984
SHA512 f128c6e0110efc4c67bdd2c69b4d12c5cba74423ec3948f3798b9186e27d1990fd01dc6f3519ce76e2b65f6370de0708698749473beed2cfbf9bf463c82e01e7

memory/2444-71-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/1720-66-0x0000000002350000-0x00000000026A4000-memory.dmp

memory/2696-132-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2516-133-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2144-134-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/2640-135-0x000000013FFD0000-0x0000000140324000-memory.dmp

memory/2540-136-0x000000013F2D0000-0x000000013F624000-memory.dmp

memory/2808-137-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2716-138-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/2696-139-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2516-140-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2588-141-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2444-142-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2924-143-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/240-145-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2268-144-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2708-146-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 16:23

Reported

2024-06-08 16:25

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows in the original table: every hit of this signature was recorded without a description, indicator, process or target)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows in the original table: every hit of this signature was recorded without a description, indicator, process or target)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows in the original table: every hit of this signature was recorded without a description, indicator, process or target)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows in the original table: every hit of this signature was recorded without a description, indicator, process or target)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows in the original table: every hit of this signature was recorded without a description, indicator, process or target)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JpjCdKX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VcPdBCy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Ghjlgqq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xbehudK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jaZebXk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gEZZDaR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gUMACkI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xwYUyTl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WKibwxj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GoEtMUz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fSCgaqD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bqUczVr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SlaBiQz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jPndcpr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pTybALj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LJFlokN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XptBbHD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xgjYUoX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yeCZcqy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NoKqXER.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hVfLCjo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4960 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\jaZebXk.exe
PID 4960 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\jaZebXk.exe
PID 4960 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\JpjCdKX.exe
PID 4960 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\JpjCdKX.exe
PID 4960 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\gEZZDaR.exe
PID 4960 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\gEZZDaR.exe
PID 4960 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\pTybALj.exe
PID 4960 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\pTybALj.exe
PID 4960 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\gUMACkI.exe
PID 4960 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\gUMACkI.exe
PID 4960 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\xwYUyTl.exe
PID 4960 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\xwYUyTl.exe
PID 4960 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\WKibwxj.exe
PID 4960 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\WKibwxj.exe
PID 4960 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\GoEtMUz.exe
PID 4960 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\GoEtMUz.exe
PID 4960 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\fSCgaqD.exe
PID 4960 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\fSCgaqD.exe
PID 4960 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\jPndcpr.exe
PID 4960 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\jPndcpr.exe
PID 4960 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\bqUczVr.exe
PID 4960 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\bqUczVr.exe
PID 4960 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\LJFlokN.exe
PID 4960 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\LJFlokN.exe
PID 4960 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\XptBbHD.exe
PID 4960 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\XptBbHD.exe
PID 4960 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\xgjYUoX.exe
PID 4960 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\xgjYUoX.exe
PID 4960 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\yeCZcqy.exe
PID 4960 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\yeCZcqy.exe
PID 4960 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\SlaBiQz.exe
PID 4960 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\SlaBiQz.exe
PID 4960 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\NoKqXER.exe
PID 4960 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\NoKqXER.exe
PID 4960 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\VcPdBCy.exe
PID 4960 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\VcPdBCy.exe
PID 4960 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\Ghjlgqq.exe
PID 4960 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\Ghjlgqq.exe
PID 4960 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\hVfLCjo.exe
PID 4960 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\hVfLCjo.exe
PID 4960 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\xbehudK.exe
PID 4960 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\xbehudK.exe
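The three tables above describe one pattern: a single parent (PID 4960) drops 21 executables with seven-letter pseudo-random names directly into C:\Windows\System (the legacy folder, not System32), launches them, and writes into the memory of each child. SeLockMemoryPrivilege is the privilege XMRig enables so it can allocate large pages for RandomX, which fits the miner tag. The Python below is an added example, not part of the sandbox report or of any tool it names: it parses rows in exactly the shape printed above, collapses the doubled WriteProcessMemory rows, flags the C:\Windows\System seven-letter naming pattern, and cross-checks the tables so that a dropped file that was never written to, or a write target that was never dropped, stands out. The input is a constructed excerpt of the page's rows with the submitted sample's long file name shortened to sample.exe; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the report's "Drops file in Windows
# directory", "Suspicious use of AdjustPrivilegeToken" and "Suspicious use of
# WriteProcessMemory" rows. Paths and PIDs are copied from the page; the
# submitted sample's long file name is shortened to sample.exe (assumption).
SAMPLE_ROWS = r"""
File created C:\Windows\System\JpjCdKX.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\jaZebXk.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\gEZZDaR.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\hVfLCjo.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
PID 4960 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\jaZebXk.exe
PID 4960 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\jaZebXk.exe
PID 4960 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\JpjCdKX.exe
PID 4960 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\gEZZDaR.exe
"""

DROP_RE = re.compile(r"^File created (\S+) (\S+) \S+$")
TOKEN_RE = re.compile(r"^Token: (\S+) ")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")

# Seven letters directly under <drive>:\Windows\System\ (the legacy 16-bit
# folder, not System32): the naming pattern of every dropped file in this report.
SYSTEM_DROP_RE = re.compile(r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_rows(text):
    """Split rows into dropped files, enabled privileges and parent->child memory writes."""
    dropped, privileges = {}, set()
    writes = defaultdict(dict)  # parent pid -> {child pid: target image}
    for line in text.splitlines():
        line = line.strip()
        if m := DROP_RE.match(line):
            dropped[m.group(1)] = m.group(2)  # dropped path -> process that created it
        elif m := TOKEN_RE.match(line):
            privileges.add(m.group(1))
        elif m := WRITE_RE.match(line):
            parent, child, _source, target = m.groups()
            writes[int(parent)][int(child)] = target  # the doubled rows collapse here
    return dropped, privileges, dict(writes)


def is_random_system_drop(path):
    """True for the seven-letter <drive>:\\Windows\\System\\xxxxxxx.exe pattern (case-insensitive)."""
    return bool(SYSTEM_DROP_RE.match(path))


def summarize(text):
    """Cross-check the tables: every drop should be launched, every write target should be a drop."""
    dropped, privileges, writes = parse_rows(text)
    targets = {t for children in writes.values() for t in children.values()}
    return {
        "dropped": len(dropped),
        "flagged": sum(is_random_system_drop(p) for p in dropped),
        "privileges": privileges,
        "writes": writes,
        "dropped_not_written": sorted(set(dropped) - targets),
        "written_not_dropped": sorted(targets - set(dropped)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Fed the full tables from this page, `dropped_not_written` and `written_not_dropped` both come back empty: all 21 drops are also write targets, which is what the Processes list below shows as well. The naming check is deliberately narrow (exactly seven ASCII letters, directly under the legacy System folder) so it can be turned into a file-system sweep on a suspect host without matching the normally near-empty legitimate contents of that folder.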

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\jaZebXk.exe

C:\Windows\System\jaZebXk.exe

C:\Windows\System\JpjCdKX.exe

C:\Windows\System\JpjCdKX.exe

C:\Windows\System\gEZZDaR.exe

C:\Windows\System\gEZZDaR.exe

C:\Windows\System\pTybALj.exe

C:\Windows\System\pTybALj.exe

C:\Windows\System\gUMACkI.exe

C:\Windows\System\gUMACkI.exe

C:\Windows\System\xwYUyTl.exe

C:\Windows\System\xwYUyTl.exe

C:\Windows\System\WKibwxj.exe

C:\Windows\System\WKibwxj.exe

C:\Windows\System\GoEtMUz.exe

C:\Windows\System\GoEtMUz.exe

C:\Windows\System\fSCgaqD.exe

C:\Windows\System\fSCgaqD.exe

C:\Windows\System\jPndcpr.exe

C:\Windows\System\jPndcpr.exe

C:\Windows\System\bqUczVr.exe

C:\Windows\System\bqUczVr.exe

C:\Windows\System\LJFlokN.exe

C:\Windows\System\LJFlokN.exe

C:\Windows\System\XptBbHD.exe

C:\Windows\System\XptBbHD.exe

C:\Windows\System\xgjYUoX.exe

C:\Windows\System\xgjYUoX.exe

C:\Windows\System\yeCZcqy.exe

C:\Windows\System\yeCZcqy.exe

C:\Windows\System\SlaBiQz.exe

C:\Windows\System\SlaBiQz.exe

C:\Windows\System\NoKqXER.exe

C:\Windows\System\NoKqXER.exe

C:\Windows\System\VcPdBCy.exe

C:\Windows\System\VcPdBCy.exe

C:\Windows\System\Ghjlgqq.exe

C:\Windows\System\Ghjlgqq.exe

C:\Windows\System\hVfLCjo.exe

C:\Windows\System\hVfLCjo.exe

C:\Windows\System\xbehudK.exe

C:\Windows\System\xbehudK.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
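Of the rows above, only 3.120.209.58:8080/tcp is a direct connection, repeated six times within the 153 s network window; every other row is a reverse (PTR) lookup sent to 8.8.8.8 for an address that never appears as a connection destination in the table, which in a Windows sandbox is typically background activity rather than sample traffic. The Python below is an added example, not part of the report: it parses rows in the table's own format, converts the in-addr.arpa names back to the addresses they ask about, counts repeated flows, and separates non-DNS connections from addresses that were only ever looked up. The input is a constructed subset of the rows above; the function names are mine.

```python
import re
from collections import Counter

# Constructed excerpt of the report's Network table (Country Destination
# Domain Proto), with rows copied from the page; the full table has more
# PTR lookups and six connections to 3.120.209.58:8080.
SAMPLE_NETWORK = """\
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

ROW_RE = re.compile(
    r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$"
)
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def ptr_to_ip(name):
    """232.168.11.51.in-addr.arpa -> 51.11.168.232; PTR names list the octets reversed."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def classify(text):
    """Count every flow, and separately collect the addresses the PTR queries ask about."""
    lookups, flows = [], Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        _country, ip, port, domain, proto = m.groups()
        flows[(ip, int(port), proto)] += 1
        asked = ptr_to_ip(domain) if domain else None
        if asked:
            lookups.append(asked)  # a question about an address, not traffic to it
    return lookups, flows


def report(text):
    """Flows worth pivoting on versus addresses that were only ever looked up."""
    lookups, flows = classify(text)
    contacted = {ip for ip, _port, _proto in flows}
    as_key = lambda ip, port, proto: f"{ip}:{port}/{proto}"
    return {
        "connections": {as_key(*dst): n for dst, n in flows.items()},
        "non_dns": {as_key(*dst): n for dst, n in flows.items() if dst[1] != 53},
        "lookup_only": sorted(set(lookups) - contacted),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_NETWORK).items():
        print(f"{key}: {value}")
```

On the full table `non_dns` holds a single entry, `3.120.209.58:8080/tcp` with a count of six, and `lookup_only` holds ten addresses that are never contacted. That single repeated flow is the one indicator from this section worth a block or a pivot; the looked-up addresses need corroboration before they go on a list.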

Files

memory/4960-0-0x00007FF6299B0000-0x00007FF629D04000-memory.dmp

memory/4960-1-0x000001D1BE750000-0x000001D1BE760000-memory.dmp

C:\Windows\System\jaZebXk.exe

MD5 f9fd7086b172f6ea992cd1ba25e906f8
SHA1 483986ee9ce535a706fdb9590552d522cf1c18c0
SHA256 510972ad2b5b1ea51f8095fa303117ee06b254d794a71f1d11fe2c1b387a4ad6
SHA512 1ff48589d712862e3f9537492bd203354f568b53fa28ca138e18195ea54ec451845cbcc615565fdd7edba8847d82e8c8c84bf419b96b14425d3c04b1f57a0317

memory/4804-7-0x00007FF70E020000-0x00007FF70E374000-memory.dmp

C:\Windows\System\JpjCdKX.exe

MD5 671fa7316d4859ec5e5d1eddf429b50c
SHA1 a6ca412d05bc1fe75298fc98eaeddf63ed66f34c
SHA256 b01bc239e86af01248dee559fe00f6d3d8841b23abf20b4068281db55c066476
SHA512 c1bf377cef4fbeac6be8151f9d11f7b909e3e7fee5168a9cd48e5a4475eeba8dd68e1d05df5e141852586ace54492e34ce9cdc6ef73d2593993c64a4592eff3c

C:\Windows\System\gEZZDaR.exe

MD5 2b75add19ed9fde292c5d14f2881f93a
SHA1 11ede25ce1a5adffe03f806baabb7c0e3ba0c067
SHA256 64a7382e5a50002ac494bed98820a4528820fd95a97d5d7913bba0202cd55275
SHA512 09eb6e561e8e227c95270b60b76eab22384f6c9f1db0b82d2d6339c9b82300b4782f58866feb2f99371a4c7add48c3c3f41f45463e192ca458b876fb8e2130d1

memory/2304-25-0x00007FF76BA40000-0x00007FF76BD94000-memory.dmp

C:\Windows\System\pTybALj.exe

MD5 58c64e4b04de01327fcdbbc6a61a57b8
SHA1 844d770c1f4b3cc72520ce040ea926a2bf0848e4
SHA256 b87756ba966fb410e303d24c3a31cf5f64dab17718728aa2aaa82a0bd817e0b2
SHA512 cbb91eadcff801cfecd298e69f4b1d66cab2cd850e0b9f5e8c50f4f3f29655f093b9000c526da3014b5333b91192ae35948bcf44c162838f6e365578b402dbc3

C:\Windows\System\gUMACkI.exe

MD5 15d6956810c43eb87b784bd8c71d9d8d
SHA1 0ef6ed912163f8b82039f51f7b9f08440f09d130
SHA256 75c1ce31d066d1295fd3ac5638f41bfd01c4a46d931601e0f11a6673f04aaae6
SHA512 dd0d23e6110119488df990c256978b95ffe6dc34d4189efe78af520d2656b718bc06063302ba5dc024fc6aa3b53992d4c133e903fbdbdf5690471b83f47c8094

memory/5108-28-0x00007FF6CB200000-0x00007FF6CB554000-memory.dmp

memory/3600-20-0x00007FF6161F0000-0x00007FF616544000-memory.dmp

memory/4436-34-0x00007FF684B90000-0x00007FF684EE4000-memory.dmp

C:\Windows\System\xwYUyTl.exe

MD5 477c52e153f4f4443579289afa45398a
SHA1 61eac336fc24a16b4291c60888e0c4ce6fe4f5b5
SHA256 b67e7ebf3d30d9e23831ae42235663a2fff4c067694f2894aca9170236467fd0
SHA512 129e308c2faf9d77d2e2b33aa3f95af4ba43dca8985ac1cdf78c4629a83572018581c771b95f5c591d4454b5645b40195d32e9f672bfd3fda59a08cffd279890

C:\Windows\System\WKibwxj.exe

MD5 68973d2e0d477b663958c4c1cb5dd4e6
SHA1 9193a92a6514e796d6b35fe46969d1cad8935c7a
SHA256 e21b765799458d4279d31201b3c9b6b170e477b303bf63e7f5717ce669224be1
SHA512 cc81e7417adf016ee84fb74931a775399416ea85ae5e1d7b88afe6ec26d5ea98ec68ec8fad78c6573e44be687f13aed8ef5e970562115fe696a27c5d0ded4997

C:\Windows\System\GoEtMUz.exe

MD5 3b2e4663daad01f1436e363493c3e5b0
SHA1 9c4542b5fe0b0f9110632aeea5e2681514280f71
SHA256 c2e5515d6b3eabed096a2eed162f6ba85b35676dfb585d8e7f126385beac4d0e
SHA512 e3e4947cfc47f985f6abb777b1cffba3d11cb02534441c3f1f908b612ddecd648c9247f0092fe2f9212c2a861c7b9bc09c21b93a4fd653313f671a579218e1a4

memory/2020-47-0x00007FF701070000-0x00007FF7013C4000-memory.dmp

C:\Windows\System\LJFlokN.exe

MD5 3b6151eee8a52652107169331a411dc7
SHA1 a9ad860fee0594fd9ea403aa1c02bdaed6d74f06
SHA256 4dc4183e03ff5cc55538feb2504d1cb1ab6371a3fadff04f603b382ef0340cb0
SHA512 5661a0425d7c3674cea7bde55b330b2c306aea9034b2ec918d169d201ae7316317498b3aaafa9b7cbb51e309a58efd2d4f0fc58bc059e38fe3bd105689c8d228

C:\Windows\System\xgjYUoX.exe

MD5 343d9d0dcec3fcbf65453960bdbd3d2a
SHA1 97fb28b22efd3227649d6ad2baf24014621c020b
SHA256 cb9b3f04a0db8431fcb555d194f587aee032c1c35bce9f4a1a66709f56aa8218
SHA512 101376c6b1113f2736fd17d58d11bc9b7aa303a9a7e9d569893b1d5c8496299ebea9375a766fabaec47a4fa98c05951b54bdb9742ce4bdfe355b35bbd4ee6dbc

memory/2728-77-0x00007FF72D700000-0x00007FF72DA54000-memory.dmp

C:\Windows\System\XptBbHD.exe

MD5 30aefc0874884399990bf856e62719ac
SHA1 528a8927075834f5c6f5089de784efd04667a061
SHA256 143aee5c13531e3756521e461ec17614436c3b9b3a3b9ce6c7686e320a18c80e
SHA512 356f97746ca220ab7014138e26c3fbf63cebaa72dfb7dc06793c00af156ab3d6a37edbef0e4e6549d475e8ff4ec4c578680c1e65a442629400bd755783b06429

C:\Windows\System\jPndcpr.exe

MD5 31abda858db42888633d9b714c39ba56
SHA1 eda9e0eca2d62f7cfae5e11eecfa5705dad5c5d0
SHA256 83bce1dac341e1bd872d0ff541c3a9e3f107fcf74a81470b2995d563478e3b99
SHA512 be91fa71be5b570bdf97cd7de6cb9ca540908dba60d518d69c2d7d5154f6bd557a1ea34c4adc88119fcefd5c4fea8f42312666c5617725cb10493efa90e8b2c2

memory/4532-80-0x00007FF61D3B0000-0x00007FF61D704000-memory.dmp

memory/4804-79-0x00007FF70E020000-0x00007FF70E374000-memory.dmp

memory/512-78-0x00007FF7515F0000-0x00007FF751944000-memory.dmp

C:\Windows\System\bqUczVr.exe

MD5 fbd5aaa653dc55054ceba13fbcc5ae85
SHA1 8159ae9ad9affa0eabf58654eae521f98d6c5ea7
SHA256 0b241da0f2e9853ca06844655c1996eff7e72d021e118d3268a957fea08ff3db
SHA512 fb90d08052ce6416e777aa6fe09f102137810729c9e68899740a9a83ff1eab5cf110e20941c7381f1010e65a565c776ca6953a3f564b0a102b6f6c043dd93df1

memory/3972-72-0x00007FF6B4500000-0x00007FF6B4854000-memory.dmp

memory/4960-71-0x00007FF6299B0000-0x00007FF629D04000-memory.dmp

memory/1276-64-0x00007FF6FF670000-0x00007FF6FF9C4000-memory.dmp

memory/2696-60-0x00007FF6D55F0000-0x00007FF6D5944000-memory.dmp

C:\Windows\System\fSCgaqD.exe

MD5 31953b0ef659ed41f7cee4b2210901b3
SHA1 bcee48f50231618e730168fdc11ceb56affa071e
SHA256 6c453932aeb7d7eec94467ce7f9dd125f875d0682ab868059b1ede9420e65adb
SHA512 326b2673fec9150f8f3ab2e750f908282f1befb5763550f28dd5a2ad4bbc8c6f19f3692deb5ca749445fa9a3f48ee5aaa97e1e3c0be6eeddef05b49f3419beaa

memory/3316-55-0x00007FF68C930000-0x00007FF68CC84000-memory.dmp

memory/968-43-0x00007FF6B0570000-0x00007FF6B08C4000-memory.dmp

C:\Windows\System\yeCZcqy.exe

MD5 2782605f2c8a17c1ee07354121d50d36
SHA1 f08e849efdf4fee0b5cba07b9da7b81c34e2b146
SHA256 dfeb8729c7563323bfdced26b65c0a36e00767207524993a1f1ebe7420fa99c1
SHA512 733253712816a0d20c683e93072ddefbb37ef72c26dddf18b37de64824978fde1e75f20e7ec84fa4ffa3928a592fbfbe667c4070b1e013f9842250b2d9c5488c

memory/4988-94-0x00007FF7886D0000-0x00007FF788A24000-memory.dmp

C:\Windows\System\SlaBiQz.exe

MD5 9227087f7b1ae422e512103f83c7d228
SHA1 d525e63ff96fc5d95fee815e1d332a971477076b
SHA256 af7a43de2707083fbf36090af8ea8c713be10982a1d265bcd10e6c8204e202e2
SHA512 6d0050685df97c13a7dd0e1d1f7cd8d4653b27a7b99434c6cca37898885fe80280c8cf32b401513541b1f20df1cf11387df19057f020050c008eeed50d71d30b

memory/4500-103-0x00007FF614210000-0x00007FF614564000-memory.dmp

C:\Windows\System\NoKqXER.exe

MD5 8bd9bb050a0c54be7642f50b907ae995
SHA1 1606d3673cbbdc7a37f4637e7d90ba7f407140bd
SHA256 ab1186131f011090881d61d1328951d61ae789e950b9ecb47c6ac2f5c8118493
SHA512 94ce325dcdaf39ace3619f30515e22b077789bd847eb681e1b08b55b1cffd9b63081b9306800edb40bbc8f18421e9c3b4565dd0a874c960511cfc1d14186383c

memory/1812-113-0x00007FF68BD50000-0x00007FF68C0A4000-memory.dmp

C:\Windows\System\VcPdBCy.exe

MD5 b0dc8a6e9aa5117ba8da9614c2553315
SHA1 4dd83164aaee55015adbdc0ff7bfdc432581f23a
SHA256 c674e38dee80bf611d8b49984ba355149d9dd518c723f998f33cedbb0a847ef7
SHA512 dea2961bc95b1e0ab5028ee0ecca0e3acc44ff779b48caa089b470d2e8e5ce41650a3f99236bb8f481dade51df4e8d0bee6d95135381afd6fbcd5fe4a825962e

C:\Windows\System\hVfLCjo.exe

MD5 4be673f5fb58c14a5e4ac28c823ee852
SHA1 4d4d41c6a25082ab87cf5eeb0b577874f9e89040
SHA256 51e5b42727e80a82cab8f2146af5b00fbfe575696a07ca73e0fccb425223cddd
SHA512 c160bbe0e5941ad8ab8c4b8e91a1e9e35861a2d011866b7af3dffeb1701f4f4567ab8fa4c72103ec11e74cd13f2d892cadd340f59d96a6a1851193cfc2b7d955

C:\Windows\System\Ghjlgqq.exe

MD5 1f7866c2c226f3a4a654214b80ce2220
SHA1 822bd3c37a520c24e3c73100f31593dd07d8ffeb
SHA256 fdc708ee6491f6e4bdb27af92337ac949e7f2173bc0c19f3a28e2955d02b6f3a
SHA512 42e77740572277ceb3cb35209d2cdd59ae7faf80edf18a1a6d93b010b93295c864bc5f291328ee6bc6ba2b76260ef501014be9dafc05687b3995e803b1b89878

memory/968-110-0x00007FF6B0570000-0x00007FF6B08C4000-memory.dmp

memory/5000-107-0x00007FF7C6550000-0x00007FF7C68A4000-memory.dmp

C:\Windows\System\xbehudK.exe

MD5 ac38912bacd44ba1fbc4180852fa2f4c
SHA1 e33a21ce2c0bcf36c8d338103bf0afa5e0a350e4
SHA256 b93a42c544614096c2ac7abb908de2b60f77173ea67959e33ea68a8353ffe142
SHA512 a3c28347304e6f40cd3d37f34d3b60736336791e8b40d0a8923956dc2783f386eff14766f0dde9ee2c474e0454c591b5c37a530c8b344661023c300b270a26d2

memory/2504-126-0x00007FF6111D0000-0x00007FF611524000-memory.dmp

memory/1072-124-0x00007FF75FD80000-0x00007FF7600D4000-memory.dmp

memory/1904-130-0x00007FF6ACF30000-0x00007FF6AD284000-memory.dmp

memory/1276-131-0x00007FF6FF670000-0x00007FF6FF9C4000-memory.dmp

memory/3972-132-0x00007FF6B4500000-0x00007FF6B4854000-memory.dmp

memory/512-134-0x00007FF7515F0000-0x00007FF751944000-memory.dmp

memory/2728-133-0x00007FF72D700000-0x00007FF72DA54000-memory.dmp

memory/4532-135-0x00007FF61D3B0000-0x00007FF61D704000-memory.dmp

memory/4988-136-0x00007FF7886D0000-0x00007FF788A24000-memory.dmp

memory/5000-137-0x00007FF7C6550000-0x00007FF7C68A4000-memory.dmp

memory/1812-138-0x00007FF68BD50000-0x00007FF68C0A4000-memory.dmp

memory/3600-139-0x00007FF6161F0000-0x00007FF616544000-memory.dmp

memory/4804-140-0x00007FF70E020000-0x00007FF70E374000-memory.dmp

memory/5108-142-0x00007FF6CB200000-0x00007FF6CB554000-memory.dmp

memory/2304-141-0x00007FF76BA40000-0x00007FF76BD94000-memory.dmp

memory/4436-143-0x00007FF684B90000-0x00007FF684EE4000-memory.dmp

memory/2020-144-0x00007FF701070000-0x00007FF7013C4000-memory.dmp

memory/968-145-0x00007FF6B0570000-0x00007FF6B08C4000-memory.dmp

memory/3316-146-0x00007FF68C930000-0x00007FF68CC84000-memory.dmp

memory/2696-147-0x00007FF6D55F0000-0x00007FF6D5944000-memory.dmp

memory/3972-148-0x00007FF6B4500000-0x00007FF6B4854000-memory.dmp

memory/2728-149-0x00007FF72D700000-0x00007FF72DA54000-memory.dmp

memory/4532-150-0x00007FF61D3B0000-0x00007FF61D704000-memory.dmp

memory/1276-151-0x00007FF6FF670000-0x00007FF6FF9C4000-memory.dmp

memory/512-152-0x00007FF7515F0000-0x00007FF751944000-memory.dmp

memory/4988-153-0x00007FF7886D0000-0x00007FF788A24000-memory.dmp

memory/4500-154-0x00007FF614210000-0x00007FF614564000-memory.dmp

memory/1812-155-0x00007FF68BD50000-0x00007FF68C0A4000-memory.dmp

memory/1072-157-0x00007FF75FD80000-0x00007FF7600D4000-memory.dmp

memory/2504-156-0x00007FF6111D0000-0x00007FF611524000-memory.dmp

memory/5000-158-0x00007FF7C6550000-0x00007FF7C68A4000-memory.dmp

memory/1904-159-0x00007FF6ACF30000-0x00007FF6AD284000-memory.dmp
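Every main-image region dumped above (all entries except memory/4960-1) spans exactly 0x354000 bytes, for the submitted sample and for each dropped executable alike, even though every dropped file carries a different hash; the behavioral1 dumps earlier on the page (for example memory/240-103) have the same size at a different base. Identical image size with differing hashes is a reason to byte-diff two of the dropped files before treating them as 21 distinct payloads. The Python below is an added example, not part of the report: it parses the memory/<pid>-<n>-<start>-<end>-memory.dmp names, collapses repeated dumps of the same region, and clusters the distinct regions by size. The input is a constructed subset of the dump names on the page; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed subset of the dump names in the report's Files sections
# (behavioral2 PIDs 4960, 4804, 2304 and one behavioral1 dump, PID 240).
SAMPLE_DUMPS = """\
memory/4960-0-0x00007FF6299B0000-0x00007FF629D04000-memory.dmp
memory/4960-1-0x000001D1BE750000-0x000001D1BE760000-memory.dmp
memory/4804-7-0x00007FF70E020000-0x00007FF70E374000-memory.dmp
memory/2304-25-0x00007FF76BA40000-0x00007FF76BD94000-memory.dmp
memory/4804-79-0x00007FF70E020000-0x00007FF70E374000-memory.dmp
memory/240-103-0x000000013FF40000-0x0000000140294000-memory.dmp
"""

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dumps(text):
    """(pid, sequence, start, end, size) for every dump name; addresses become ints."""
    dumps = []
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            dumps.append((pid, seq, start, end, end - start))
    return dumps


def regions_by_pid(text):
    """Distinct (start, end) regions per PID; the sandbox dumps the same region more than once."""
    regions = defaultdict(set)
    for pid, _seq, start, end, _size in parse_dumps(text):
        regions[pid].add((start, end))
    return dict(regions)


def size_clusters(text):
    """Region size -> sorted PIDs that mapped a region of exactly that size."""
    clusters = defaultdict(set)
    for pid, regions in regions_by_pid(text).items():
        for start, end in regions:
            clusters[end - start].add(pid)
    return {size: sorted(pids) for size, pids in clusters.items()}


def dominant_image_size(text):
    """The size shared by the most PIDs, and how many share it: one size everywhere means one image."""
    clusters = size_clusters(text)
    size = max(clusters, key=lambda s: len(clusters[s]))
    return size, len(clusters[size])


if __name__ == "__main__":
    for size, pids in sorted(size_clusters(SAMPLE_DUMPS).items()):
        print(f"0x{size:X} bytes: PIDs {pids}")
```

Run over the complete behavioral2 list, the 0x354000 cluster contains all 22 PIDs (parent and 21 children) and the only other cluster is the 0x10000 region of PID 4960. The region size is computed from the addresses in the file name alone, so the check works on the report without the dumps themselves.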