Malware Analysis Report

2024-10-16 03:06

Sample ID 240608-v2ts8adg9v
Target 2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike
SHA256 3090993f6749f4e20b04c27cb3f31a778194e0363cb3a955491f82f4f7418d52
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

3090993f6749f4e20b04c27cb3f31a778194e0363cb3a955491f82f4f7418d52

Threat Level: Known bad

The file 2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

XMRig Miner payload

Cobaltstrike

Xmrig family

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

xmrig

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 17:29

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 17:29

Reported

2024-06-08 17:32

Platform

win7-20240221-en

Max time kernel

145s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ohYJwSA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xicyXau.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pLTSqbE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oSVXiuQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RvoIVAx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FHaaNBF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MgRUbvI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EfmvSSQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HfZRGnU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fjWqgBE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MEchGDj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UVOMQdG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oTbVVpb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GGaRNCK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\azLekOi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Mlorqcq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yCxvrOY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hvmjpsC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NtRbIBT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wATUqzA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oBYiOdX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MgRUbvI.exe
PID 1152 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MgRUbvI.exe
PID 1152 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MgRUbvI.exe
PID 1152 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oTbVVpb.exe
PID 1152 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oTbVVpb.exe
PID 1152 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oTbVVpb.exe
PID 1152 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\EfmvSSQ.exe
PID 1152 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\EfmvSSQ.exe
PID 1152 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\EfmvSSQ.exe
PID 1152 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\NtRbIBT.exe
PID 1152 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\NtRbIBT.exe
PID 1152 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\NtRbIBT.exe
PID 1152 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ohYJwSA.exe
PID 1152 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ohYJwSA.exe
PID 1152 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ohYJwSA.exe
PID 1152 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HfZRGnU.exe
PID 1152 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HfZRGnU.exe
PID 1152 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HfZRGnU.exe
PID 1152 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\fjWqgBE.exe
PID 1152 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\fjWqgBE.exe
PID 1152 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\fjWqgBE.exe
PID 1152 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\GGaRNCK.exe
PID 1152 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\GGaRNCK.exe
PID 1152 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\GGaRNCK.exe
PID 1152 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MEchGDj.exe
PID 1152 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MEchGDj.exe
PID 1152 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MEchGDj.exe
PID 1152 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\xicyXau.exe
PID 1152 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\xicyXau.exe
PID 1152 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\xicyXau.exe
PID 1152 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\azLekOi.exe
PID 1152 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\azLekOi.exe
PID 1152 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\azLekOi.exe
PID 1152 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\Mlorqcq.exe
PID 1152 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\Mlorqcq.exe
PID 1152 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\Mlorqcq.exe
PID 1152 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\yCxvrOY.exe
PID 1152 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\yCxvrOY.exe
PID 1152 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\yCxvrOY.exe
PID 1152 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\UVOMQdG.exe
PID 1152 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\UVOMQdG.exe
PID 1152 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\UVOMQdG.exe
PID 1152 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\wATUqzA.exe
PID 1152 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\wATUqzA.exe
PID 1152 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\wATUqzA.exe
PID 1152 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\RvoIVAx.exe
PID 1152 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\RvoIVAx.exe
PID 1152 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\RvoIVAx.exe
PID 1152 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\pLTSqbE.exe
PID 1152 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\pLTSqbE.exe
PID 1152 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\pLTSqbE.exe
PID 1152 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oBYiOdX.exe
PID 1152 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oBYiOdX.exe
PID 1152 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oBYiOdX.exe
PID 1152 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FHaaNBF.exe
PID 1152 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FHaaNBF.exe
PID 1152 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FHaaNBF.exe
PID 1152 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oSVXiuQ.exe
PID 1152 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oSVXiuQ.exe
PID 1152 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oSVXiuQ.exe
PID 1152 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\hvmjpsC.exe
PID 1152 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\hvmjpsC.exe
PID 1152 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\hvmjpsC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\MgRUbvI.exe

C:\Windows\System\MgRUbvI.exe

C:\Windows\System\oTbVVpb.exe

C:\Windows\System\oTbVVpb.exe

C:\Windows\System\EfmvSSQ.exe

C:\Windows\System\EfmvSSQ.exe

C:\Windows\System\NtRbIBT.exe

C:\Windows\System\NtRbIBT.exe

C:\Windows\System\ohYJwSA.exe

C:\Windows\System\ohYJwSA.exe

C:\Windows\System\HfZRGnU.exe

C:\Windows\System\HfZRGnU.exe

C:\Windows\System\fjWqgBE.exe

C:\Windows\System\fjWqgBE.exe

C:\Windows\System\GGaRNCK.exe

C:\Windows\System\GGaRNCK.exe

C:\Windows\System\MEchGDj.exe

C:\Windows\System\MEchGDj.exe

C:\Windows\System\xicyXau.exe

C:\Windows\System\xicyXau.exe

C:\Windows\System\azLekOi.exe

C:\Windows\System\azLekOi.exe

C:\Windows\System\Mlorqcq.exe

C:\Windows\System\Mlorqcq.exe

C:\Windows\System\yCxvrOY.exe

C:\Windows\System\yCxvrOY.exe

C:\Windows\System\UVOMQdG.exe

C:\Windows\System\UVOMQdG.exe

C:\Windows\System\wATUqzA.exe

C:\Windows\System\wATUqzA.exe

C:\Windows\System\RvoIVAx.exe

C:\Windows\System\RvoIVAx.exe

C:\Windows\System\pLTSqbE.exe

C:\Windows\System\pLTSqbE.exe

C:\Windows\System\oBYiOdX.exe

C:\Windows\System\oBYiOdX.exe

C:\Windows\System\FHaaNBF.exe

C:\Windows\System\FHaaNBF.exe

C:\Windows\System\oSVXiuQ.exe

C:\Windows\System\oSVXiuQ.exe

C:\Windows\System\hvmjpsC.exe

C:\Windows\System\hvmjpsC.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1964-97-0x000000013FA70000-0x000000013FDC4000-memory.dmp

C:\Windows\system\FHaaNBF.exe

MD5 83f3c094c5cc8eb03b8385eec5f1c30f
SHA1 3027db39271408628d9eeb0b74eb8f814351a8e4
SHA256 9339144e25aa3a7f3f1a58bb99b4d64aac002cef67b6b3be6b1e61a5cf873982
SHA512 97a077710860e54b0eee8a79b29f1545fcd798bf5a17705829feb84a2ac2fc2dce29a996b38503fc5121e651689dc8098feaf14ea2ab3bd409915a6975558e92

\Windows\system\oSVXiuQ.exe

MD5 6b15e30939b3e541c9c1a4780e4d6c6a
SHA1 be73f3045506d6534b3fd7f7c464bda02bed38b5
SHA256 bf596f75562bfb9ad9fe34b3ed5dd076521d5c4bb9e17e7e876686fa0337b40c
SHA512 b21ecf3210d196a03e2642246656c3367d73ed4eb1050413dd6cace7ddae796b2d0c3c9e6e93f2d8bd0955d94e4a62ceab3a3b821a7f5aa2c92791ae6ffd4017

memory/1152-88-0x000000013F140000-0x000000013F494000-memory.dmp

\Windows\system\oBYiOdX.exe

MD5 bac023fa4ad6a13ef7ed381f07d8addb
SHA1 51ca2a85044ad71252e7c0439412d89d31f5e8ae
SHA256 7350a7f523341b8f75aa6afc976587c5e60571a8afad0117421bd4b5c619a16f
SHA512 8e1b79711cb2cbb0d5a3533151de1ddc2f6362963a0a6731adcbde583ce82aa07e472e0b24feed568ad5f59f22b556db6a7778d0f036718fc32f65d25e1535d6

\Windows\system\RvoIVAx.exe

MD5 d7f67856d8e26aa1b4a2f79b5d080c3b
SHA1 831d153a71665434dfc9d154a8dcd85977e77549
SHA256 b0bdf36332eb31c0f87ae9b6c27f2dbcea6a0492b3412ed154fa470e2ccb1733
SHA512 ed6741f427eaf6a8224617572df74979df7616055fcb763d919a9eafd2b6486ac229a66e828c16b461cef7eb5c9ef4ec3225571653f6802a05aa25978d8ec493

memory/1152-71-0x000000013F240000-0x000000013F594000-memory.dmp

\Windows\system\UVOMQdG.exe

MD5 dc8f6e350b915ebecdc8b194a8c20e75
SHA1 cb10067c9c6e6719d99ccca8c6ead3a28976f2c4
SHA256 b057516b6a858301e02de32b784248c32cc2e10cbf32a235b895f252834055f9
SHA512 f439d43c8d22a8bb9bc9bd6a490cb80aa0b79df94519e553352f7573b9e23f581c9893bdf8e7d97a9633ff62b72ffa993de866c34637488e712ae05f83ad0f89

memory/2536-62-0x000000013F640000-0x000000013F994000-memory.dmp

\Windows\system\Mlorqcq.exe

MD5 084a4272ea999564cdbe9cedff6546f3
SHA1 8f3a5d9c668c81ec3901e61d927f17f5c10c1c02
SHA256 23403177d501b2288aa2a8619f2e08176d99b17e84ac4bb56150fffa123dbf6a
SHA512 73cbd957fdd7ee56d65c6f127a570c23a7f217e9da9aca82fc8ea2537ac428ccbe4a4f482eedc53bab6e3ea513be63286b6a524c2952a27a0e5e3a291abe5b99

memory/2744-50-0x000000013F100000-0x000000013F454000-memory.dmp

C:\Windows\system\MEchGDj.exe

MD5 b2960617dca0130cf68f33182f0e56a9
SHA1 0ade6d75e04402dca3ca37b382a85d4c3925233a
SHA256 d96c983f0c8433a3b3ca1095cf56a14d8f348859189ff4786875b76cf7d47b8a
SHA512 dc9066ba7f12bdd85e9cc82faeff4d8c4349a2d2cd53b3f4a85944aa49b1b965d2b6d641678ad7a330cb9e44cc83a18f8095e1784dd1bdd703332fb42623844e

\Windows\system\xicyXau.exe

MD5 be12c7b9afa42bf05098e383586a2ead
SHA1 6d03f4e70f978f5ea9731689019f100b5038a8a8
SHA256 4287e95a4d4931eebd0c1b5795e1cf201b59931c9f322dc1195ec73f3843f5c4
SHA512 0de7585d184e7fa680b24e88c52b10b4b04f2047bb45838b059588d320f50de80484e812167fea5a771627a1df9e64b91c7ddbff43f1dbbd8d0bb3f3a6e0efca

C:\Windows\system\fjWqgBE.exe

MD5 d850ef4ed63980659792ed06d85f275b
SHA1 9e7c24532e52d6498850c419fb5f53ced460f9c1
SHA256 a465b578deccddf4c780ec2cffb0f4d9176b82d4d741566141b5615322ce93a3
SHA512 995e5f81b17919f24777b03950ad8160b17bfadf286580620fc87cf8afe367335a50725f7a0a5ea95888ef77d7c1dca461d9ddf98be2fe554f9ee3bcd62b0f23

\Windows\system\GGaRNCK.exe

MD5 adaf843e3bd2f2319374b825c9ba8f4e
SHA1 c2974964444d81ae52cef2e4320358b357e9f567
SHA256 35c60e7d91f1e9b1c54774497b49f59b21e9e5227e9a499f30336757262d9584
SHA512 575e05c3a7e3d9a1c3408f81822a42198993eb8ee55de0c01ec1ee99dcab11cfb595c77502228e4bf479ac148e17ea688561e8782fd950d18d92e212d21bb98f

C:\Windows\system\ohYJwSA.exe

MD5 33305bba916abdde1b415da20ed1c67d
SHA1 aae0d62e84e8fecdf9d1b9f4e78ac1a6dc656475
SHA256 f5e4fa843a828aa7daa12caebdc79e18ed4a11f5f32fcc46159a12b4544d9d80
SHA512 04d4db84293bb5d5f91e16fb5ff5c2c3b21e5ff1dc7d68c53b64444e727ba6a43edb85ea59f5da9f48a635cc067022cfea62f55739834892bdd9fed6ec3d96de

memory/2200-30-0x000000013FE80000-0x00000001401D4000-memory.dmp

\Windows\system\HfZRGnU.exe

MD5 a3884fed2fea2a3e210641818139ba95
SHA1 7518123243f151db7f7bba3b83c6c8f042e124b9
SHA256 7a8c5c58ebe864c0ef705d580f4c058cdea601ad0482368ab2c80ccba5eee8ac
SHA512 b92f1e78c9a4b5dc0c57a4057495006f1a612d8e351f2e688b3579e6eb599f645e1803d35de4ae95e4fb28890008797bc68eb629b272073e6364afff4ecdfa1e

memory/1152-21-0x000000013FE80000-0x00000001401D4000-memory.dmp

\Windows\system\NtRbIBT.exe

MD5 987ec693daae89f725c901069d108702
SHA1 d7290c0f0675f36aabe84c257ce27c4d170e7c78
SHA256 f7ddbb4df09c10051af1faaccb16c788eab9f49d95a2ae26ea773936fe010eff
SHA512 14c4e92d223e3df4db695cc11882d4f9900151d750ea23efbbd5443db24acdec9b4c772de7af1a0bee731f95e87635e1384d09457b9183b9a522eb94fd63f858

memory/1152-106-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

memory/1152-105-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/1152-104-0x000000013F300000-0x000000013F654000-memory.dmp

memory/1788-103-0x000000013F300000-0x000000013F654000-memory.dmp

memory/1152-102-0x0000000002380000-0x00000000026D4000-memory.dmp

memory/1152-101-0x000000013FF00000-0x0000000140254000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 17:29

Reported

2024-06-08 17:32

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\LITQOlx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ndtLbpG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HXNboQE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pSaohxy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kwpYsdI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\snmBIyk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JkftEwk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OHtoFtl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mKuNGvI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xycRENT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qUfosyx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oMsbiPy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VTBcqlj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vFYmBFJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zOOaaLw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CiAWfTm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LEBGamz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ftXoxOC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uUKVWgq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oxqYpoz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zBuJUPO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\CiAWfTm.exe
PID 1660 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\mKuNGvI.exe
PID 1660 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\LEBGamz.exe
PID 1660 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ftXoxOC.exe
PID 1660 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\kwpYsdI.exe
PID 1660 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\snmBIyk.exe
PID 1660 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JkftEwk.exe
PID 1660 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\uUKVWgq.exe
PID 1660 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OHtoFtl.exe
PID 1660 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\xycRENT.exe
PID 1660 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\LITQOlx.exe
PID 1660 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\VTBcqlj.exe
PID 1660 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ndtLbpG.exe
PID 1660 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oxqYpoz.exe
PID 1660 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HXNboQE.exe
PID 1660 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\qUfosyx.exe
PID 1660 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zBuJUPO.exe
PID 1660 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\oMsbiPy.exe
PID 1660 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\pSaohxy.exe
PID 1660 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\vFYmBFJ.exe
PID 1660 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zOOaaLw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_fe9b7cb91555874aec0d2355ba05a17d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\CiAWfTm.exe

C:\Windows\System\mKuNGvI.exe

C:\Windows\System\LEBGamz.exe

C:\Windows\System\ftXoxOC.exe

C:\Windows\System\kwpYsdI.exe

C:\Windows\System\snmBIyk.exe

C:\Windows\System\JkftEwk.exe

C:\Windows\System\uUKVWgq.exe

C:\Windows\System\OHtoFtl.exe

C:\Windows\System\xycRENT.exe

C:\Windows\System\LITQOlx.exe

C:\Windows\System\VTBcqlj.exe

C:\Windows\System\ndtLbpG.exe

C:\Windows\System\oxqYpoz.exe

C:\Windows\System\HXNboQE.exe

C:\Windows\System\qUfosyx.exe

C:\Windows\System\zBuJUPO.exe

C:\Windows\System\oMsbiPy.exe

C:\Windows\System\pSaohxy.exe

C:\Windows\System\vFYmBFJ.exe

C:\Windows\System\zOOaaLw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files
