Malware Analysis Report

2024-10-16 03:06

Sample ID 240608-v1zyvadg7z
Target 2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike
SHA256 6d0fca74a2b4dd0989795f9c807810e68007f89f010e9797369d75d4470e85a1
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6d0fca74a2b4dd0989795f9c807810e68007f89f010e9797369d75d4470e85a1

Threat Level: Known bad

The file 2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

UPX dump on OEP (original entry point)

Cobaltstrike family

Cobalt Strike reflective loader

Cobaltstrike

xmrig

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 17:28

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 17:28

Reported

2024-06-08 17:30

Platform

win7-20240215-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FOZxoAz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qNatcTP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eLFZrSf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BcjIJyo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fnFlKYg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uEIYKsn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZUCNMyn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FWmHEgf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lQsrfEC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gqtIAVi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZgNFrle.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\okmfbxZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YZHMRvl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LUnpTgM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\znwcZEx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BXRIoTh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jESABMn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\STmFKdR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gidOMJY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jumHBGX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WjtIxsW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\eLFZrSf.exe
PID 1728 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\BcjIJyo.exe
PID 1728 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\FOZxoAz.exe
PID 1728 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\jESABMn.exe
PID 1728 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\fnFlKYg.exe
PID 1728 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\STmFKdR.exe
PID 1728 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\lQsrfEC.exe
PID 1728 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZgNFrle.exe
PID 1728 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\gqtIAVi.exe
PID 1728 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\okmfbxZ.exe
PID 1728 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\YZHMRvl.exe
PID 1728 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\qNatcTP.exe
PID 1728 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\uEIYKsn.exe
PID 1728 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZUCNMyn.exe
PID 1728 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\LUnpTgM.exe
PID 1728 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\znwcZEx.exe
PID 1728 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\BXRIoTh.exe
PID 1728 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\jumHBGX.exe
PID 1728 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\WjtIxsW.exe
PID 1728 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\gidOMJY.exe
PID 1728 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\FWmHEgf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\eLFZrSf.exe

C:\Windows\System\BcjIJyo.exe

C:\Windows\System\FOZxoAz.exe

C:\Windows\System\jESABMn.exe

C:\Windows\System\fnFlKYg.exe

C:\Windows\System\STmFKdR.exe

C:\Windows\System\lQsrfEC.exe

C:\Windows\System\ZgNFrle.exe

C:\Windows\System\gqtIAVi.exe

C:\Windows\System\okmfbxZ.exe

C:\Windows\System\YZHMRvl.exe

C:\Windows\System\qNatcTP.exe

C:\Windows\System\uEIYKsn.exe

C:\Windows\System\ZUCNMyn.exe

C:\Windows\System\LUnpTgM.exe

C:\Windows\System\znwcZEx.exe

C:\Windows\System\BXRIoTh.exe

C:\Windows\System\jumHBGX.exe

C:\Windows\System\WjtIxsW.exe

C:\Windows\System\gidOMJY.exe

C:\Windows\System\FWmHEgf.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/1728-0-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/1728-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\eLFZrSf.exe

MD5 49ca570156d395f4dcfc95be2ed7c285
SHA1 68dd1b67698a5adfe2cea2d4a144c6b67dbc70c5
SHA256 52ffcd7282dc8d13c162357018c15f4c3da8148b7f03864be6aafd162ef370cf
SHA512 ab8e4b038874c3e51a74cf0017c035dca1b7e9eb6917543bde82a1cc7d1531a4b9e1c878543de62ab244876ae96777f87e0a7a3ca253ddb2783fed7ceab36f97

C:\Windows\system\BcjIJyo.exe

MD5 41b8c94940834b430286fd6771db1759
SHA1 dc8e75c8de5fb5affe469d4798184ace7efcff44
SHA256 143585bf661bf4085f5bee055d38f2c2e571ec2ebbabb61f44ea88837928995a
SHA512 a006b2a5febe16aa1eaac8a490a77f3e519f83c4da072d47ff821df1bf4c9da44bd3861a606ad2ec93b0ab9e21842992e716ae5d3205a5a43d8de7f264bbecda

memory/2712-16-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/1728-14-0x0000000002420000-0x0000000002774000-memory.dmp

memory/1608-12-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/1728-9-0x000000013FE60000-0x00000001401B4000-memory.dmp

C:\Windows\system\FOZxoAz.exe

MD5 26a9f3ba6f2b6e58c486d8f306e1785e
SHA1 c5cc87c5d44423c3f80a11c9797d46d717b5e76b
SHA256 dd1896f6b7cdf903238ffb04e0a2f52e3177da116aeaf9cf0f1cfee783b731a2
SHA512 098cc8ef97cc982de394029ad4f5a4103238dbb5c5e39c165b59c0d55b8b142f44934269e9180c8f7312b6cb0bec2c0155b869759e61512295f6c7739097292a

memory/1728-21-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2596-23-0x000000013F970000-0x000000013FCC4000-memory.dmp

C:\Windows\system\jESABMn.exe

MD5 add96bd92cc0ee963341bb179dba4975
SHA1 84321c62fc12ec5ab82d1e2e8e26387742653e8c
SHA256 0521ad682976aaa3781cc322b28c130f2f19950c894b489e3ae0b5ecbe395e1e
SHA512 d66dcd333a740921c495479befb4ff07665f438f7f5c376b0ce1bdcc0991d06ada5a1d18fd4eb3288d0eb0f7f2194e1232fb4d3bd81d9e33416829965389af45

memory/1728-29-0x0000000002420000-0x0000000002774000-memory.dmp

C:\Windows\system\fnFlKYg.exe

MD5 e87369d7e2a6d8ae6eb6b6fe29005250
SHA1 782c32cd103847a6dd27d3ae7c8e6d31e5a4ccac
SHA256 c8350855b7fabba931e9e3f48788ccb53acb9fce068208dcb4205032bb2e728a
SHA512 79e512fa9ab13a565307843a5a1073170e0cddef1bc8fad8a04512a59b1ce2427e591b313aff8ffe0dc7f77737e75baa1f6eb2dc192a2a05e7a7c0dafe9e281e

C:\Windows\system\STmFKdR.exe

MD5 f6a7ae28ae1376c029cca98bfa07dfee
SHA1 9934ec6d763ee162cb59b076df038ef0baedfe88
SHA256 aa1f6fde01187b4d78cdcd467c16c69d073fb175056337661ede59978b5950d1
SHA512 e0f66bdcbfaa82a32a1db15145fedd76d18f844169f45e2bb8c3b87f3746d11a6df0e95d3ff8bad9f1957c41f861d96b6d11bc78264013e5bce755de2d71348a

memory/1728-38-0x0000000002420000-0x0000000002774000-memory.dmp

C:\Windows\system\lQsrfEC.exe

MD5 707838ffc0764646ea357795df2b0485
SHA1 ad3471d36133498e06c2c2ee6ccdf89c34c49455
SHA256 6cb6e62412dad3298d9d75155a59bc302c669bfacd4aa10397ea425d061a8418
SHA512 fbd461a02a436abca219d2dd4e504728d1b85c239453f83daf77cd7d1d7bebb7da3dcf36bb95327432aea841a7adce125eed673c8904758d02ac5c4702951e7a

C:\Windows\system\ZgNFrle.exe

MD5 1b5eb8a1cc16a4375430510e82ea7567
SHA1 ba6eb7d49915ffa2f6a85e23fcc42215313a0a40
SHA256 0e1022e7e6229a67de846fb54acde61a5041b6001b6ce6493f9773241eae9ae4
SHA512 093127eaf89ef587bd82afa85bc548dd7a4bc1c8ec9f5563d337164b00a49a21b72015312dea228e3808635efc1b2a66a048d2c32fff0a75a5e835f6226d3fc7

memory/2528-52-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/2708-55-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/1728-58-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2532-57-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/1728-56-0x0000000002420000-0x0000000002774000-memory.dmp

memory/2556-54-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/1728-53-0x0000000002420000-0x0000000002774000-memory.dmp

memory/2592-30-0x000000013F400000-0x000000013F754000-memory.dmp

\Windows\system\gqtIAVi.exe

MD5 7d69f896061c4b18426543e285492cdb
SHA1 1c34561865acaa5b180e972b0ef29a5c943f07ed
SHA256 7799eb3183d40ba1674e9e153f9d8e4957e0c1b51d0919cca825bca9cdfddd1d
SHA512 c17b98325fd856295e7c1cb283663d7f318d95bcf4b2091796018c796232f73d210f729ebe6175776deb328aa9b13ce2bd89c55695d484558572890e271dde35

memory/1728-68-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/1728-71-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2316-74-0x000000013F780000-0x000000013FAD4000-memory.dmp

memory/1728-73-0x0000000002420000-0x0000000002774000-memory.dmp

memory/2868-64-0x000000013FD30000-0x0000000140084000-memory.dmp

C:\Windows\system\okmfbxZ.exe

MD5 6fb995cf50dac3ce60871453b2120f14
SHA1 567e746ebf08079d20e519a90c7f0983448bee8a
SHA256 25857737e291037181b137abbef6c20cd41880f0c956a55d25a30974ef92aaef

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 17:28

Reported

2024-06-08 17:30

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\jESABMn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fnFlKYg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gqtIAVi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qNatcTP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gidOMJY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eLFZrSf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FOZxoAz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uEIYKsn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BcjIJyo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZgNFrle.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LUnpTgM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BXRIoTh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jumHBGX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WjtIxsW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lQsrfEC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZUCNMyn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YZHMRvl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\znwcZEx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FWmHEgf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\STmFKdR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\okmfbxZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5116 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\eLFZrSf.exe
PID 5116 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\eLFZrSf.exe
PID 5116 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\BcjIJyo.exe
PID 5116 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\BcjIJyo.exe
PID 5116 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\FOZxoAz.exe
PID 5116 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\FOZxoAz.exe
PID 5116 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\jESABMn.exe
PID 5116 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\jESABMn.exe
PID 5116 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\fnFlKYg.exe
PID 5116 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\fnFlKYg.exe
PID 5116 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\STmFKdR.exe
PID 5116 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\STmFKdR.exe
PID 5116 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\lQsrfEC.exe
PID 5116 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\lQsrfEC.exe
PID 5116 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZgNFrle.exe
PID 5116 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZgNFrle.exe
PID 5116 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\gqtIAVi.exe
PID 5116 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\gqtIAVi.exe
PID 5116 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\okmfbxZ.exe
PID 5116 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\okmfbxZ.exe
PID 5116 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\YZHMRvl.exe
PID 5116 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\YZHMRvl.exe
PID 5116 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\qNatcTP.exe
PID 5116 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\qNatcTP.exe
PID 5116 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\uEIYKsn.exe
PID 5116 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\uEIYKsn.exe
PID 5116 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZUCNMyn.exe
PID 5116 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZUCNMyn.exe
PID 5116 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\LUnpTgM.exe
PID 5116 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\LUnpTgM.exe
PID 5116 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\znwcZEx.exe
PID 5116 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\znwcZEx.exe
PID 5116 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\BXRIoTh.exe
PID 5116 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\BXRIoTh.exe
PID 5116 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\jumHBGX.exe
PID 5116 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\jumHBGX.exe
PID 5116 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\WjtIxsW.exe
PID 5116 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\WjtIxsW.exe
PID 5116 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\gidOMJY.exe
PID 5116 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\gidOMJY.exe
PID 5116 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\FWmHEgf.exe
PID 5116 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe C:\Windows\System\FWmHEgf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_978ce57d65853388404d5a14e024dabd_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\eLFZrSf.exe

C:\Windows\System\eLFZrSf.exe

C:\Windows\System\BcjIJyo.exe

C:\Windows\System\BcjIJyo.exe

C:\Windows\System\FOZxoAz.exe

C:\Windows\System\FOZxoAz.exe

C:\Windows\System\jESABMn.exe

C:\Windows\System\jESABMn.exe

C:\Windows\System\fnFlKYg.exe

C:\Windows\System\fnFlKYg.exe

C:\Windows\System\STmFKdR.exe

C:\Windows\System\STmFKdR.exe

C:\Windows\System\lQsrfEC.exe

C:\Windows\System\lQsrfEC.exe

C:\Windows\System\ZgNFrle.exe

C:\Windows\System\ZgNFrle.exe

C:\Windows\System\gqtIAVi.exe

C:\Windows\System\gqtIAVi.exe

C:\Windows\System\okmfbxZ.exe

C:\Windows\System\okmfbxZ.exe

C:\Windows\System\YZHMRvl.exe

C:\Windows\System\YZHMRvl.exe

C:\Windows\System\qNatcTP.exe

C:\Windows\System\qNatcTP.exe

C:\Windows\System\uEIYKsn.exe

C:\Windows\System\uEIYKsn.exe

C:\Windows\System\ZUCNMyn.exe

C:\Windows\System\ZUCNMyn.exe

C:\Windows\System\LUnpTgM.exe

C:\Windows\System\LUnpTgM.exe

C:\Windows\System\znwcZEx.exe

C:\Windows\System\znwcZEx.exe

C:\Windows\System\BXRIoTh.exe

C:\Windows\System\BXRIoTh.exe

C:\Windows\System\jumHBGX.exe

C:\Windows\System\jumHBGX.exe

C:\Windows\System\WjtIxsW.exe

C:\Windows\System\WjtIxsW.exe

C:\Windows\System\gidOMJY.exe

C:\Windows\System\gidOMJY.exe

C:\Windows\System\FWmHEgf.exe

C:\Windows\System\FWmHEgf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
