Malware Analysis Report

2024-10-16 03:05

Sample ID 240608-va7wrsdd7x
Target 2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike
SHA256 a6b2bec4ef3cb07d405fd89a87e27ee8ff3fa3210959fe7f4d44b727bf072156
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a6b2bec4ef3cb07d405fd89a87e27ee8ff3fa3210959fe7f4d44b727bf072156

Threat Level: Known bad

The file 2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

UPX dump on OEP (original entry point)

xmrig

XMRig Miner payload

Detects Reflective DLL injection artifacts

Xmrig family

Cobaltstrike

Cobaltstrike family

Cobalt Strike reflective loader

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 16:48

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 16:48

Reported

2024-06-08 16:50

Platform

win7-20240221-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\zSxvTed.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xRsoahj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WrTyYPh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pjiHoVg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HpAZDdo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PLmCBDN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MQjqkOs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xcXdOru.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MUMXQDL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jnTZKod.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UUjPKoq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QfmKXTe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gIZplgE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kLVMqlC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HUMexTU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xpRdYdK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vZjEVOI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fgmdRFy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MisVPUk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zwoNMyD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MGCXSra.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\WrTyYPh.exe
PID 1936 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\pjiHoVg.exe
PID 1936 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\HpAZDdo.exe
PID 1936 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\kLVMqlC.exe
PID 1936 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\HUMexTU.exe
PID 1936 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\PLmCBDN.exe
PID 1936 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\xpRdYdK.exe
PID 1936 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\zSxvTed.exe
PID 1936 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\MQjqkOs.exe
PID 1936 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\xcXdOru.exe
PID 1936 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\vZjEVOI.exe
PID 1936 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\MUMXQDL.exe
PID 1936 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\fgmdRFy.exe
PID 1936 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\xRsoahj.exe
PID 1936 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\jnTZKod.exe
PID 1936 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\UUjPKoq.exe
PID 1936 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\MisVPUk.exe
PID 1936 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\zwoNMyD.exe
PID 1936 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\gIZplgE.exe
PID 1936 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\MGCXSra.exe
PID 1936 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\QfmKXTe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\WrTyYPh.exe

C:\Windows\System\WrTyYPh.exe

C:\Windows\System\pjiHoVg.exe

C:\Windows\System\pjiHoVg.exe

C:\Windows\System\HpAZDdo.exe

C:\Windows\System\HpAZDdo.exe

C:\Windows\System\kLVMqlC.exe

C:\Windows\System\kLVMqlC.exe

C:\Windows\System\HUMexTU.exe

C:\Windows\System\HUMexTU.exe

C:\Windows\System\PLmCBDN.exe

C:\Windows\System\PLmCBDN.exe

C:\Windows\System\xpRdYdK.exe

C:\Windows\System\xpRdYdK.exe

C:\Windows\System\zSxvTed.exe

C:\Windows\System\zSxvTed.exe

C:\Windows\System\MQjqkOs.exe

C:\Windows\System\MQjqkOs.exe

C:\Windows\System\xcXdOru.exe

C:\Windows\System\xcXdOru.exe

C:\Windows\System\vZjEVOI.exe

C:\Windows\System\vZjEVOI.exe

C:\Windows\System\MUMXQDL.exe

C:\Windows\System\MUMXQDL.exe

C:\Windows\System\fgmdRFy.exe

C:\Windows\System\fgmdRFy.exe

C:\Windows\System\xRsoahj.exe

C:\Windows\System\xRsoahj.exe

C:\Windows\System\jnTZKod.exe

C:\Windows\System\jnTZKod.exe

C:\Windows\System\UUjPKoq.exe

C:\Windows\System\UUjPKoq.exe

C:\Windows\System\MisVPUk.exe

C:\Windows\System\MisVPUk.exe

C:\Windows\System\zwoNMyD.exe

C:\Windows\System\zwoNMyD.exe

C:\Windows\System\gIZplgE.exe

C:\Windows\System\gIZplgE.exe

C:\Windows\System\MGCXSra.exe

C:\Windows\System\MGCXSra.exe

C:\Windows\System\QfmKXTe.exe

C:\Windows\System\QfmKXTe.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/1936-0-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/1936-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\WrTyYPh.exe

MD5 4a311c089a5ac2560ca324c6a13ccb57
SHA1 76b8ca83d0b1c584bac3e3d0e15c9e32bff328ce
SHA256 c509d87d244cf377d7ffcbf372875e8ff5bf68a362fe76ede4becdc8e6080a1c
SHA512 f0a18e522c76f882f5e20569ed380d8b6c49d17f7bd0a422eb5d0a90170eeaa3c7f7d68b2ac5ea33a374b3440b52679046928d90b949cc78fb9b63d34069fa41

memory/2708-16-0x000000013F2E0000-0x000000013F634000-memory.dmp

C:\Windows\system\kLVMqlC.exe

MD5 3f50af427bbf5a19deeb58de53be5df3
SHA1 66a412e78d08f5f828e79201e68b37fdd0e930f5
SHA256 04e5e5905eb4308a6c03059502adec481a0f30117ae5d518cadcef1aa609b695
SHA512 db75c69b984cdb4d5a60f092e2d1a147c23d7ccf600a29ede5e4b836b95054142a512b2ad9b587009a73cd61c8ba6936504f635b285df0db1923af825db151f0

\Windows\system\HpAZDdo.exe

MD5 8b90137e05a7cd165160852360c4f894
SHA1 3f2bf5e00de3ee5faab7390b6ca87eb3e713e911
SHA256 812743b4b8aba1208c0a7cfe821d0b88222faf37d78ad701a8fa559564838232
SHA512 5d95f2af53b6bd2672e48988fb5cd8b7fb901a758a6febd8e5c979dfb389abc42bf6e3cec8076525f14361e75d44b5f48876667bd0be2e28d742e56a1e727609

C:\Windows\system\PLmCBDN.exe

MD5 230c489f048e37b00d42cc5142411cdf
SHA1 99dfe239b0960ef229e9e5aa8972a8d8032ce297
SHA256 958931a659c320681a1277e64fdec493557c1f7652a66bdabda5b35c169fb4ca
SHA512 ab226487c05765b7ec6e8876b7a631978744e3c03754b96a68a4b8158d872c9e74f0a62871ca0c63a92943d652cd2ae8b46ff41095fb825139ced228effd46c1

C:\Windows\system\pjiHoVg.exe

MD5 92195936e5c18ed8a011dc9c964f6586
SHA1 dd58151bd9656267f513bb1ef12a003fb247c436
SHA256 52fc20a7b10e6b63618a2d75df4e4aeaeee5c9b6b12c9affbd165a14d9b59b4f
SHA512 0dd193d11612c6f231830319408b19c34b22d9fd5a1b2d59ef675d0cb63e1da7016dc6455c603abd3cdee76712dbbc5deba8dc170e24077e0460589014e7699e

memory/1936-8-0x0000000002390000-0x00000000026E4000-memory.dmp

\Windows\system\MUMXQDL.exe

MD5 9ccc82321f219b1f9e0c1c0f21af84ca
SHA1 0319bdd0a129cb773707e74b4c99e2d356dbb876
SHA256 dd9e3dfc560ba4c9a15202c71726491c73e3c32b9e1b7ef794e84515cddfccdd
SHA512 4ce397452abf29edcb4b11515edb04453b1f22958ec0f22bf2abb3edf0b68892501c394fdb37376f904ec8d1e54a4428164a6bb29644a5820275ec97fe217f09

memory/2532-96-0x000000013F8D0000-0x000000013FC24000-memory.dmp

C:\Windows\system\QfmKXTe.exe

MD5 5285f2d6b2a0835c4923de5502c2bd3b
SHA1 cb068444c72c4d7c8cf215df49ea727806caf010
SHA256 7f26b166fe681b2012706285a8e9408edea9c2018f071390ca708de050d3510f
SHA512 2b2925fdf44a7950f6a21565f6c3a143ae189e589212ec0bafa055b972be043e4b6cfc5250f2332b657226f6e4acc5d828db7db14c3f41ab0509f0d8595d4ea6

C:\Windows\system\MGCXSra.exe

MD5 a6df8841b0a382c40c27797f5a109132
SHA1 52256ea7bddcc4d9d31fbb31581589756cdb74d1
SHA256 4bef775c16ba1c709a53e83158b05f81a39a9f192050e69602007aecc8172b0d
SHA512 e51f1284a067dc6330accb28756baa6203446207cba8f81253534880eb96640a7caad4bd3fb571b3f894e5a0014ada2631fe70211bd42a3f31c09cb95a865a50

C:\Windows\system\gIZplgE.exe

MD5 6b31ee19909eb886c6294725677e2c74
SHA1 e157f27d9b78a618f6e90ad9af41de7942a0fbd4
SHA256 49b27036e5c85f06d6c1dd6281eef822d78eefc44ad2f78dfec2746e7851fd2c
SHA512 188788405078f73a95fe059c7856b269b34ea80e393738d004b430fdd265f165b9cb22e46e1df0339a4f540ee5fd410daa529d82ad5649a1e24a4bce31c31314

C:\Windows\system\zwoNMyD.exe

MD5 8e00a6ffb00e95d53ec1e2e9f4ffb2ae
SHA1 d8ec97437cd69c5522c69c09abc183ae4c43cbf5
SHA256 3e643ff73634fada9c34a60685192f818fa2266c55187ea4f9e4628f7e150431
SHA512 780f5166ac1893f51763d362b7aa6a6f2b2d95daa1d040ada8f473cb5e9777ec702ac565195c2d8448fb92f6c7de35172fa697d523b3e80e799da328ef957866

C:\Windows\system\MisVPUk.exe

MD5 3cd8e81130935ce69afa288e41c345c6
SHA1 b5ad5e7938a2afbd531d672e6fd78a7b07d666dc
SHA256 0ad78996a376d8ed2764b19ff86b025374cf4453bf2ad0106b8a79d5dc408b9a
SHA512 57e7ed3182bc3adfd723dd9a28506fadf24cad3278b2e3ae682e2e076cbeac79fbe3f1a279be731001c2b3537ba9a99b9b7117020111feb9332cc965428f18b1

C:\Windows\system\UUjPKoq.exe

MD5 19c5cc28c2fb195d38f5f6a1309ee37c
SHA1 a0f8ea9b308e9273f43500ab8a4f4b6f45c84d9e
SHA256 c1cf712deb03d650350a88c78c61caf6dfafb4b0c49ff1f0118eb07a62ebfaa4
SHA512 3f48109ef5da2656ab370a726562098ccb1b863c13e62b2400fda4bb5ee22611d6353a304778a77985e931030af6466920caff396e9b02d057c0374dd2ff6551

memory/1936-106-0x000000013FE10000-0x0000000140164000-memory.dmp

C:\Windows\system\jnTZKod.exe

MD5 2e9f0920caa65366510b4c80a038e38c
SHA1 384347f0195ca774d6a9e2c7fd3b82856bc2b662
SHA256 b61ae8454263954d7bbf7a92247e00252d0eca0eb695fd83854a2aef6baeec3a
SHA512 bacc034ad868737b193cf73601574418fd47780c13ec9a44b63583419ae549aae8ed54f8d4dcbf0db03a46544cd2a5d5e080f2b40f950b7cbcb21032160d8f32

memory/1248-99-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/2376-98-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/1936-97-0x000000013FA20000-0x000000013FD74000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 16:48

Reported

2024-06-08 16:50

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gokoUrK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rsOHvPz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\evZRzAy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LNSrlYq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ztVUtNU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wxZbQkL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DvFrSsx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xMPLiDd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SQbLqjt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\epRdAOq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DDsboiq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MnznQuS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qxqMhdQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XXSKMYQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KkSelga.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zMBTmAk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AQtOuRx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SSPsBQT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MNvPJIM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SgIZAqe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FTAJzgh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\gokoUrK.exe
PID 2412 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\gokoUrK.exe
PID 2412 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\rsOHvPz.exe
PID 2412 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\rsOHvPz.exe
PID 2412 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\AQtOuRx.exe
PID 2412 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\AQtOuRx.exe
PID 2412 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\SSPsBQT.exe
PID 2412 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\SSPsBQT.exe
PID 2412 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\MNvPJIM.exe
PID 2412 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\MNvPJIM.exe
PID 2412 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\evZRzAy.exe
PID 2412 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\evZRzAy.exe
PID 2412 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\SgIZAqe.exe
PID 2412 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\SgIZAqe.exe
PID 2412 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\DvFrSsx.exe
PID 2412 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\DvFrSsx.exe
PID 2412 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\LNSrlYq.exe
PID 2412 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\LNSrlYq.exe
PID 2412 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\xMPLiDd.exe
PID 2412 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\xMPLiDd.exe
PID 2412 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\SQbLqjt.exe
PID 2412 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\SQbLqjt.exe
PID 2412 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\MnznQuS.exe
PID 2412 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\MnznQuS.exe
PID 2412 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\qxqMhdQ.exe
PID 2412 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\qxqMhdQ.exe
PID 2412 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\epRdAOq.exe
PID 2412 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\epRdAOq.exe
PID 2412 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\XXSKMYQ.exe
PID 2412 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\XXSKMYQ.exe
PID 2412 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\DDsboiq.exe
PID 2412 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\DDsboiq.exe
PID 2412 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\KkSelga.exe
PID 2412 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\KkSelga.exe
PID 2412 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\ztVUtNU.exe
PID 2412 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\ztVUtNU.exe
PID 2412 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\wxZbQkL.exe
PID 2412 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\wxZbQkL.exe
PID 2412 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\FTAJzgh.exe
PID 2412 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\FTAJzgh.exe
PID 2412 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\zMBTmAk.exe
PID 2412 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe C:\Windows\System\zMBTmAk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\gokoUrK.exe

C:\Windows\System\gokoUrK.exe

C:\Windows\System\rsOHvPz.exe

C:\Windows\System\rsOHvPz.exe

C:\Windows\System\AQtOuRx.exe

C:\Windows\System\AQtOuRx.exe

C:\Windows\System\SSPsBQT.exe

C:\Windows\System\SSPsBQT.exe

C:\Windows\System\MNvPJIM.exe

C:\Windows\System\MNvPJIM.exe

C:\Windows\System\evZRzAy.exe

C:\Windows\System\evZRzAy.exe

C:\Windows\System\SgIZAqe.exe

C:\Windows\System\SgIZAqe.exe

C:\Windows\System\DvFrSsx.exe

C:\Windows\System\DvFrSsx.exe

C:\Windows\System\LNSrlYq.exe

C:\Windows\System\LNSrlYq.exe

C:\Windows\System\xMPLiDd.exe

C:\Windows\System\xMPLiDd.exe

C:\Windows\System\SQbLqjt.exe

C:\Windows\System\SQbLqjt.exe

C:\Windows\System\MnznQuS.exe

C:\Windows\System\MnznQuS.exe

C:\Windows\System\qxqMhdQ.exe

C:\Windows\System\qxqMhdQ.exe

C:\Windows\System\epRdAOq.exe

C:\Windows\System\epRdAOq.exe

C:\Windows\System\XXSKMYQ.exe

C:\Windows\System\XXSKMYQ.exe

C:\Windows\System\DDsboiq.exe

C:\Windows\System\DDsboiq.exe

C:\Windows\System\KkSelga.exe

C:\Windows\System\KkSelga.exe

C:\Windows\System\ztVUtNU.exe

C:\Windows\System\ztVUtNU.exe

C:\Windows\System\wxZbQkL.exe

C:\Windows\System\wxZbQkL.exe

C:\Windows\System\FTAJzgh.exe

C:\Windows\System\FTAJzgh.exe

C:\Windows\System\zMBTmAk.exe

C:\Windows\System\zMBTmAk.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files
