Malware Analysis Report

2024-10-16 03:09

Sample ID 240608-vbm8radd71
Target 2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike
SHA256 8d086dd0efdd5882981c13ae122518b7b944b875dc662e04974586923ce544b7
Tags miner, upx, xmrig, cobaltstrike, backdoor, trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 8d086dd0efdd5882981c13ae122518b7b944b875dc662e04974586923ce544b7

Threat Level: Known bad

The file 2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags miner, upx, xmrig, cobaltstrike, backdoor, trojan

Cobaltstrike family (Cobaltstrike)

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

Xmrig family (xmrig)

XMRig Miner payload

UPX packed file

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 16:49

Signatures

The static signatures in this report carry no row detail: every Description / Indicator / Process / Target cell is N/A, so only the signature names and their family or tag labels are listed.

Cobalt Strike reflective loader

Cobaltstrike family (cobaltstrike)

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload (miner)

Xmrig family (xmrig)

UPX packed file (upx)

Unsigned PE
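
The "UPX packed file" hit above comes with no indicator detail, so the following Python is an added example of the static tells such a check rests on; it is not the sandbox's own rule. It reads a PE's section table with the standard library only and reports, separately, sections named UPX0/UPX1, a hollow first section (no raw data, large virtual size), and an entry point inside a high-entropy section. It runs on a PE32+ image constructed in memory below (headers plus two data blobs), not on this sample; on a real file call upx_indicators(open(path, "rb").read()).

```python
"""Static triage for the 'UPX packed file' signature: read a PE's section table.

Added example for this report, not the sandbox's own rule. Uses only the
standard library and runs on a PE constructed in memory below.
"""
import math
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!", ".UPX0", ".UPX1"}


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Return (AddressOfEntryPoint, [section dicts]) from the PE headers in `pe`."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "vaddr": vaddr, "rsize": rsize,
                         "entropy": round(shannon_entropy(pe[rptr:rptr + rsize]), 2)})
    return entry_rva, sections


def upx_indicators(pe):
    """The tells a static UPX check rests on, each reported separately."""
    entry_rva, sections = parse_sections(pe)
    names = [s["name"] for s in sections]
    entry_sec = next((s["name"] for s in sections
                      if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rsize"])), None)
    first = sections[0] if sections else None
    return {
        "section_names": names,
        "upx_named_sections": [n for n in names if n in UPX_SECTION_NAMES],
        # UPX0 is the unpacking target: reserved in memory, nothing on disk.
        "first_section_is_hollow": bool(first and first["rsize"] == 0 and first["vsize"] > 0),
        "entry_point_section": entry_sec,
        # UPX1 holds the compressed image plus the stub, so it reads as near-random bytes.
        "high_entropy_sections": [s["name"] for s in sections if s["rsize"] and s["entropy"] >= 7.0],
    }


def looks_upx_packed(ind):
    """Names are the weak tell (trivially renamed); the layout survives renaming."""
    if ind["upx_named_sections"]:
        return True
    return ind["first_section_is_hollow"] and ind["entry_point_section"] in ind["high_entropy_sections"]


def build_sample_pe(names=(b"UPX0", b"UPX1", b".rsrc")):
    """Constructed PE32+ with a UPX-style layout: headers plus two data blobs, not a real binary."""
    upx1_data = bytes(range(256)) * 8           # every byte value equally often: entropy 8.0
    rsrc_data = b"\0" * 512                     # constant bytes: entropy 0.0
    data_off = 0x40 + 4 + 20 + 240 + 40 * 3     # DOS header, PE sig, COFF, PE32+ optional hdr, 3 sections
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIII", 0x20B, 14, 0, 0x2000, 0x200, 0x3000, 0x5F00)  # entry 0x5F00 lies in UPX1
    opt += b"\0" * (240 - len(opt))

    def sec(name, vsize, vaddr, rsize, rptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)

    secs = (sec(names[0], 0x3000, 0x1000, 0, 0, 0xE0000080)                             # hollow, RWX
            + sec(names[1], 0x2000, 0x4000, len(upx1_data), data_off, 0xE0000040)         # packed image + stub
            + sec(names[2], 0x200, 0x6000, len(rsrc_data), data_off + len(upx1_data), 0xC0000040))
    return dos + b"PE\0\0" + coff + opt + secs + upx1_data + rsrc_data


if __name__ == "__main__":
    for label, pe in (("named", build_sample_pe()),
                      ("renamed", build_sample_pe((b".text", b".data", b".rsrc")))):
        ind = upx_indicators(pe)
        print(label, ind, "->", "UPX-like" if looks_upx_packed(ind) else "no UPX tells")
```

The name check is kept apart from the layout and entropy checks on purpose: UPX-packed malware is routinely re-labelled, which also makes `upx -d` refuse the file, and a renamed stub still shows the hollow-first-section plus entry-in-compressed-section shape. That is also why the sandbox's "UPX dump on OEP" (capturing memory once the stub has finished unpacking) is the more dependable route to the payload than static unpacking.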

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 16:49

Reported

2024-06-08 16:51

Platform

win7-20240220-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe"

Signatures

For the family and packer signatures below the report gives only a row count; every Description / Indicator / Process / Target cell is N/A.

Cobalt Strike reflective loader (21 rows)

Cobaltstrike (trojan, backdoor, cobaltstrike)

xmrig (miner, xmrig)

Detects Reflective DLL injection artifacts (21 rows)

UPX dump on OEP (original entry point) (54 rows)

XMRig Miner payload (miner) (56 rows)

Loads dropped DLL (21 rows)

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
(21 identical rows; the report does not name the loaded module)

UPX packed file (upx) (54 rows)

Drops file in Windows directory

Description Indicator Process Target
File created <path below> N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
(21 rows, all by the submitted sample; the created paths are, in report order:)

C:\Windows\System\fXAxcVs.exe
C:\Windows\System\BFtSFvF.exe
C:\Windows\System\wBQchfB.exe
C:\Windows\System\WrxdicW.exe
C:\Windows\System\QORpaBt.exe
C:\Windows\System\CgMxDXm.exe
C:\Windows\System\qWoGSDc.exe
C:\Windows\System\csOLEXw.exe
C:\Windows\System\wOKJjbn.exe
C:\Windows\System\OjAPjZw.exe
C:\Windows\System\DgTIfnk.exe
C:\Windows\System\xZLaruX.exe
C:\Windows\System\rHygUxe.exe
C:\Windows\System\ZBwNaBs.exe
C:\Windows\System\DNkvFjX.exe
C:\Windows\System\marOvxA.exe
C:\Windows\System\VlriSPd.exe
C:\Windows\System\VhoUodD.exe
C:\Windows\System\jAjAEtJ.exe
C:\Windows\System\AWnEreT.exe
C:\Windows\System\UOrGxjK.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Source process in every row: PID 2908, C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe (the submitted sample). Indicator is N/A throughout. Each target PID has three identical rows in the report, collapsed to one line each here.

PID 2908 wrote to memory of 2900 (x3) C:\Windows\System\UOrGxjK.exe
PID 2908 wrote to memory of 3024 (x3) C:\Windows\System\marOvxA.exe
PID 2908 wrote to memory of 2540 (x3) C:\Windows\System\VlriSPd.exe
PID 2908 wrote to memory of 2712 (x3) C:\Windows\System\DNkvFjX.exe
PID 2908 wrote to memory of 2524 (x3) C:\Windows\System\wBQchfB.exe
PID 2908 wrote to memory of 2724 (x3) C:\Windows\System\wOKJjbn.exe
PID 2908 wrote to memory of 2432 (x3) C:\Windows\System\OjAPjZw.exe
PID 2908 wrote to memory of 2504 (x3) C:\Windows\System\fXAxcVs.exe
PID 2908 wrote to memory of 2720 (x3) C:\Windows\System\csOLEXw.exe
PID 2908 wrote to memory of 1556 (x3) C:\Windows\System\DgTIfnk.exe
PID 2908 wrote to memory of 1356 (x3) C:\Windows\System\WrxdicW.exe
PID 2908 wrote to memory of 2696 (x3) C:\Windows\System\xZLaruX.exe
PID 2908 wrote to memory of 2596 (x3) C:\Windows\System\QORpaBt.exe
PID 2908 wrote to memory of 1872 (x3) C:\Windows\System\VhoUodD.exe
PID 2908 wrote to memory of 400 (x3) C:\Windows\System\rHygUxe.exe
PID 2908 wrote to memory of 1892 (x3) C:\Windows\System\ZBwNaBs.exe
PID 2908 wrote to memory of 2276 (x3) C:\Windows\System\jAjAEtJ.exe
PID 2908 wrote to memory of 1632 (x3) C:\Windows\System\AWnEreT.exe
PID 2908 wrote to memory of 2272 (x3) C:\Windows\System\CgMxDXm.exe
PID 2908 wrote to memory of 1568 (x3) C:\Windows\System\qWoGSDc.exe
PID 2908 wrote to memory of 772 (x3) C:\Windows\System\BFtSFvF.exe
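
The three behavioural tables above (files dropped into C:\Windows\System, the SeLockMemoryPrivilege request, and the parent writing into each dropped executable's process) are one chain. The Python below is an added example, not sandbox or report code: it re-parses rows in the report's own column order (Description Indicator Process Target) and joins them on image path. Its input is constructed from the report's values, using four of the 21 dropped files with the PIDs shown for them, three WriteProcessMemory rows each as in the report, and the two token rows. The regexes assume paths without spaces, which holds for every path in this report; the seven-letter name heuristic is tuned to this sample's naming and is an assumption, not a general rule.

```python
"""Re-derive three of the report's behavioural signatures from its own rows.

Added example for this report, not sandbox code. Parses rows in the report's
column order (Description Indicator Process Target) and correlates file drops
with later WriteProcessMemory calls and privilege requests.
"""
import re
from collections import Counter

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe")
WINSYS = r"C:\Windows\System"

# Constructed input: four of the 21 dropped files with the PIDs the report
# shows for them, three WriteProcessMemory rows each (as in the report) and
# the two SeLockMemoryPrivilege rows.
_DROPS = {"UOrGxjK": 2900, "marOvxA": 3024, "fXAxcVs": 2504, "BFtSFvF": 772}
SAMPLE_ROWS = "\n".join(
    [f"File created {WINSYS}\\{n}.exe {PARENT} N/A" for n in _DROPS]
    + [f"Token: SeLockMemoryPrivilege N/A {PARENT} N/A"] * 2
    + [f"PID 2908 wrote to memory of {pid} N/A {PARENT} {WINSYS}\\{n}.exe"
       for n, pid in _DROPS.items() for _ in range(3)]
)

DROP_RE = re.compile(r"^File created (\S+) (\S+) \S+$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\S+) \S+ (\S+) \S+$")
# Seven letters of mixed case (fXAxcVs.exe, BFtSFvF.exe): a generated name,
# not a product name. Heuristic, tuned to this sample's naming only.
GENERATED_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{7}\.exe$")


def parse_rows(text):
    """Turn signature rows into (kind, fields) tuples; unrecognised rows are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if m := DROP_RE.match(line):
            events.append(("drop", {"path": m[1], "by": m[2]}))
        elif m := WRITE_RE.match(line):
            events.append(("write", {"src": int(m[1]), "dst": int(m[2]),
                                     "src_img": m[3], "dst_img": m[4]}))
        elif m := TOKEN_RE.match(line):
            events.append(("token", {"priv": m[1], "proc": m[2]}))
    return events


def correlate(events):
    """Join drops, memory writes and privilege requests on image path."""
    dropped = {e["path"] for k, e in events if k == "drop"}
    writes = Counter((e["src"], e["dst_img"]) for k, e in events if k == "write")
    written_into = {img.lower() for _, img in writes}
    privs = {(e["proc"], e["priv"]) for k, e in events if k == "token"}
    return {
        "dropped_in_windows_dir": sorted(p for p in dropped
                                         if p.lower().startswith("c:\\windows\\")),
        "dropped_then_written_into": sorted(p for p in dropped
                                            if p.lower() in written_into),
        "generated_names": sorted(p for p in dropped
                                  if GENERATED_NAME.match(p.rsplit("\\", 1)[-1])),
        "writes_per_target": dict(writes),
        "lock_memory_privilege": sorted(proc for proc, priv in privs
                                        if priv == "SeLockMemoryPrivilege"),
    }


def verdict(summary):
    """Names of the report signatures the correlated evidence supports."""
    hits = []
    if summary["dropped_in_windows_dir"]:
        hits.append("Drops file in Windows directory")
    if summary["dropped_then_written_into"]:
        hits.append("Suspicious use of WriteProcessMemory (into own dropped EXEs)")
    if summary["lock_memory_privilege"]:
        # XMRig asks for SeLockMemoryPrivilege so it can back its scratchpad with large pages.
        hits.append("Suspicious use of AdjustPrivilegeToken (SeLockMemoryPrivilege)")
    return hits


if __name__ == "__main__":
    summary = correlate(parse_rows(SAMPLE_ROWS))
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("\n".join(verdict(summary)))
```

The join on image path is what turns three generic signatures into one story: a process that writes into the memory of every executable it has just created is behaving as a loader, and the SeLockMemoryPrivilege request is the miner's large-page setup rather than anything a dropper needs. On a full report, feed all 21 drops and 63 write rows in; the counts in `writes_per_target` should come out at three per child, matching the table above.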

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe (PID 2908)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe"

Processes started from the dropped files, each with its own path as command line (PID taken from the WriteProcessMemory table):

C:\Windows\System\UOrGxjK.exe (PID 2900)
C:\Windows\System\marOvxA.exe (PID 3024)
C:\Windows\System\VlriSPd.exe (PID 2540)
C:\Windows\System\DNkvFjX.exe (PID 2712)
C:\Windows\System\wBQchfB.exe (PID 2524)
C:\Windows\System\wOKJjbn.exe (PID 2724)
C:\Windows\System\OjAPjZw.exe (PID 2432)
C:\Windows\System\fXAxcVs.exe (PID 2504)
C:\Windows\System\csOLEXw.exe (PID 2720)
C:\Windows\System\DgTIfnk.exe (PID 1556)
C:\Windows\System\WrxdicW.exe (PID 1356)
C:\Windows\System\xZLaruX.exe (PID 2696)
C:\Windows\System\QORpaBt.exe (PID 2596)
C:\Windows\System\VhoUodD.exe (PID 1872)
C:\Windows\System\rHygUxe.exe (PID 400)
C:\Windows\System\ZBwNaBs.exe (PID 1892)
C:\Windows\System\jAjAEtJ.exe (PID 2276)
C:\Windows\System\AWnEreT.exe (PID 1632)
C:\Windows\System\CgMxDXm.exe (PID 2272)
C:\Windows\System\qWoGSDc.exe (PID 1568)
C:\Windows\System\BFtSFvF.exe (PID 772)

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp
(6 identical rows; the Domain column is empty for all of them)

Files

memory/2908-0-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2908-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\UOrGxjK.exe

MD5 bb07f5b648c08b1570536023ac66b2c5
SHA1 bb7201eb73e020a9e2d26bb2a55d631e22cbf135
SHA256 57b0dd0ef3d8d055514c43339bcd78e2474f15f84fab041984c7121f5d68afb2
SHA512 ace20c5d7275897c2c67860eaf188c8bc42ef1bb15c23296f19b980caff77255821c143bd1bfed06bcc34f35f470448e08be3b98df32a5687d69a98427b61c0c

\Windows\system\marOvxA.exe

MD5 0082bd9d6cb71e667c65f3244e9b8e2b
SHA1 2f9a301a5829c4ea4b531ffe232bb44aedbe5d1e
SHA256 ed332d8cc5548900d6fe88a06ceed2b66146082ff5b3cea47afc63f1b58aa620
SHA512 c8e1d62cc1ed42bab77b7a9859b1f04380b7fe943d33a6c72422a192b370a6597072c20c12ec70f298013cb3b159c6ca508713cf772344a247231383b958c4db

memory/2908-6-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/2900-14-0x000000013F2E0000-0x000000013F634000-memory.dmp

C:\Windows\system\VlriSPd.exe

MD5 cff4c3af45ae45c83f9f53f305359d31
SHA1 511e0530a8ef1007a63fe4bc025baf6ebb365ceb
SHA256 f51e396022df19287a7ff7a323c6949dda0b0c2027251893f2c990c4a9b610f0
SHA512 d882786bf8adea93622ffc15bdc03bcda2d9296ad2093e39eb284cfd9b22df0a49b7db9b36284df58315b783d91b37f6dfef949c4759746913038c12dccb4a8d

memory/2540-21-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/2908-19-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/3024-18-0x000000013F940000-0x000000013FC94000-memory.dmp

C:\Windows\system\DNkvFjX.exe

MD5 0ae0c8af50d66e9f5172006e1b3272e5
SHA1 c08de10e6c3421501eb4f926f9acdaf4d4489a52
SHA256 ac8173bae01792c4a44100caf8f9631402cab636d5d3f6b6916ff3d558e3678e
SHA512 73dd18f3a325e0182100765019be31e5e4afc14eebd90003b5568dc1d17c339f92923873693cfb50f129cf309b771adebe2df9024efd3300ac08a204e7b992ec

memory/2908-32-0x000000013F270000-0x000000013F5C4000-memory.dmp

C:\Windows\system\OjAPjZw.exe

MD5 279a100d1450a0b8367a19ff7beed97e
SHA1 7510bb65bf13398195de8647ba5b9d06fb639383
SHA256 9d7c3ee73d7f772e44aba95a2a1ce3f84ae0c1cb03c86d2b1bd0ba0f91f89c15
SHA512 cfdc0c9bc759c381f3838dee111d8bf45b08af842f804e525dba0e6520a8bfe46f1eb7ae36ff832e2df3062e522118797c9236e53eb195b0a0d1517315c550c4

memory/2908-46-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2712-37-0x000000013F270000-0x000000013F5C4000-memory.dmp

\Windows\system\wOKJjbn.exe

MD5 ec39c1ee7128cd40217664b6775ed549
SHA1 f554cffc4427207d2b9fa4c6bdbe8d537bf7a7c7
SHA256 aa1ed8fa91dab62db9545dc9cd6a59c8d707664c4a28ca467cf96b92cda16fa2
SHA512 3fc179f6839a582198114e19bf5ef82ae3df01daa104afebe22ef40ec50d54ccf1a736ea8af026114da38b0a14184ad63969d93c50cb997e5a361917b997607e

memory/2432-49-0x000000013FFA0000-0x00000001402F4000-memory.dmp

memory/2908-48-0x000000013FFA0000-0x00000001402F4000-memory.dmp

memory/2724-47-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2524-39-0x000000013FAD0000-0x000000013FE24000-memory.dmp

C:\Windows\system\wBQchfB.exe

MD5 e264c947e55ff374c2d94d0990ba12c2
SHA1 5e4ba7579051283a8b8d00e0f03baf4da4e892df
SHA256 8bb5707954630c30aeef0ab59510ec1b31ef98f1b57e345e7200c3f5a7f41f1f
SHA512 018b0446ae16729d70c301476fe75e49aaae894539492ec8cd19a00878554c5402027e876721170c909b28fdc367fa2582498e0c4dba41206bc9e7893c33552b

C:\Windows\system\fXAxcVs.exe

MD5 eec6708159c91b2e2cdfd8af4327d0e3
SHA1 eb56c9f8f6a71e480aa55d2a22fd01dbc10c4f2b
SHA256 980d91e391f82d803194e39442ec76f066f2b38f5ba528638b2712fb4c29552b
SHA512 56d5f91e7826b8a68017abbd59c317d4105aeff439c24df2f1ce0e72962cf2a640463d2148aceb12812b5e853e2bd7280dcd4ea4782631dc04087488917c7c82

memory/2908-54-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/2504-56-0x000000013FD20000-0x0000000140074000-memory.dmp

C:\Windows\system\csOLEXw.exe

MD5 5842c20e061a5e685c815861832a0326
SHA1 42cae1d5c22e0851767522b1da1ea0dfff39abfd
SHA256 6ae20fefb9ad869c22def329c42b5863e1cb29663275c5fccbd8d944401babf0
SHA512 b772279ddebb84d988ce6108e2b637a2fd8b8070758ebc2c44f73deef99d6d04787b20d764439abb6607eabb783a9989cdfb02de6430debc93bb75f2b216233c

memory/2720-63-0x000000013F060000-0x000000013F3B4000-memory.dmp

memory/2908-62-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2908-69-0x0000000002390000-0x00000000026E4000-memory.dmp

C:\Windows\system\WrxdicW.exe

MD5 fd8de8b57bcab4730e7ba92292cc54a2
SHA1 654d9b5b95506824da18af4940c65cb6a3d04788
SHA256 df0ad07a0d1771f87374c60701b25d68a3f67b01e5d32c7b3cf575cd55b7e7fd
SHA512 3831c5bedc70b0199c9dffd6ecc6b006e718044871667cd7945f90faf302665214048650bfcba9c11e738ad9227aae577f8b651022c6608a883a6ae96c78f103

memory/1556-70-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2900-82-0x000000013F2E0000-0x000000013F634000-memory.dmp

C:\Windows\system\xZLaruX.exe

MD5 61f5ec32e4b3613e38dc6866a72a868a
SHA1 2cdfe885cc54dafce4f9a983189badfd49841147
SHA256 8404e7b094b79862a79e308bd01b1c89f62e9c999bc6bee507d04e3b6cd06261
SHA512 182eef9651b4b09ece0a8a0a1e0e5139dfd9ce05447148a9251318d2d3a801e14bb4d560afc094b771da37059eb7700d1e63d63c32f9c4d498c5aa3f50924b66

memory/1356-78-0x000000013F750000-0x000000013FAA4000-memory.dmp

C:\Windows\system\DgTIfnk.exe

MD5 9c53c405aa34504cdcfddc1a055f9959
SHA1 22b3a49eec7c890c69ae2409336627b692e41c94
SHA256 c98b8933e8b7d58719af490a75d377905a0939a784113a54cc2601d604542f7f
SHA512 eb339d7f4e8be45618ccf2e2e71e6c97ce77d209305080a986940a704593c0d0dc1fa2e2152658e557e4c206350a6f1cac40777dce6fa30c3408afbc1b512ae6

C:\Windows\system\QORpaBt.exe

MD5 cc20c06e3c2a5c0e7cd2a108c236ed91
SHA1 2249fc698b14de5fd8798b0e5abb4b1d67ed8ec6
SHA256 4e0c1809a77502ba51340e04e6487a34d81c2b1cb156e5c7f70c7eff547fc1b5
SHA512 eddffc63d0bebe9a0ab05bf4fd9ff108fdaaceed11f37fb3cdad99ea400db402811d53a8bbc9dc9388b6c8b66634f3d0a76ae28cbfaf189fb3800c0bfa73101c

memory/2696-90-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2908-91-0x000000013F430000-0x000000013F784000-memory.dmp

memory/2596-89-0x000000013F430000-0x000000013F784000-memory.dmp

\Windows\system\VhoUodD.exe

MD5 b1add670de7722249346e3c8a51ca3b1
SHA1 42a7fad4333b7faa01374b064c5b96ea4829dce9
SHA256 eb69d138ed2a125e83aa8ca6f4aec1b10c13f1056e9b0681ed9af6e4a0188418
SHA512 235113825b8c384501559ad4b2c04e3dd3406e654c99313de1c107ec8fe54ea366c503da5fd1e34227c261fca3394149506289ce6aba84bd82a6ebab8d109697

memory/2908-88-0x000000013FEB0000-0x0000000140204000-memory.dmp

\Windows\system\ZBwNaBs.exe

MD5 6c76e58780cc01d1077189d0582af726
SHA1 cdbe086380920cae49143661dc1ef53c22c0f512
SHA256 2c4c8d1a37f989031b3fcbec7f1c62afa50b68cf5e7df16ff77c065d3523adff
SHA512 a221e788f4ca102c09c519615507ed83978a8f36a629af6238367548c8eefa0b60ebefe251767e8d735c2666bdcd75416c1310bb1e1a4727e4d8a29079146b1a

C:\Windows\system\AWnEreT.exe

MD5 07ff2cc5ff859b409f1ebebf36adec21
SHA1 9ef0c583b02a589524187df78d29ebd01592dd96
SHA256 076fe92fb154422aac0d5155f39c389bb97fc76f28ed426b6f43e8962d3ea498
SHA512 e7fe1e4550843dd2446b298f32bed697acff4ee0464611094a3edd8a046f7832fe44076a4d0b3fbd6b72f9cd85c6e58f4b85f6b5163b308349471021eacc5780

C:\Windows\system\qWoGSDc.exe

MD5 9a528b9b8e1a8e0e04c7b5af82ce92a4
SHA1 9cbaa8eb5373f693e0774d678a6e275f2faaf12b
SHA256 f8361cd8d5352f4fd8ea70ad947a71e51fe9aeb16452c6b46236c012e9f52ab0
SHA512 1a98a383db625c3168f74141364609a98567fe991602d79261a83319598de6255caf4ce13e4298d95ef2746da968a7f1340f06a15b8661e3376439e83ff874b8

\Windows\system\BFtSFvF.exe

MD5 e70daa33f8214b5157f5261827bb3c93
SHA1 aca0274e16883e5157af026049dfd884baa325e5
SHA256 c46f327143cf92217811de61c588ef690a8d58fdb11b36fec49aa4afd56db6e8
SHA512 cc076040b3b8368759ff759fa6f2a6e5815b60129dd708cb196176b6ac552564aeece208d036d79c29849f7d04e82d4acaee7ff425484728533cb33419b035ef

C:\Windows\system\jAjAEtJ.exe

MD5 689e62f76653424755448915fa6e0e07
SHA1 9f07f0ec8889b545cbf96753dbabad1b9f5b24c7
SHA256 647265d99fa5665cbd9349ec926544732d9c1096e1e8b12d45c89b78bf927be7
SHA512 53ebd4a438c6f5419c49e72184cf6385af36c761470245ae004fd3b0a39cf92a14aed220e75da64a20e1bca15d673387b5c10e02716cd89fca20c643df38cab6

\Windows\system\CgMxDXm.exe

MD5 025e7c9c67cb066b0a1ca55078bfdddb
SHA1 32940229cea8efd5168bd2cf13da853e8a9fd4c4
SHA256 cc3be1f36df98aaec78b26fb08ab7d3d53921bf3e05a88cd7312f1a7cd55fd53
SHA512 901ff59b98c5d012be3f82abd640f83bc2a1971c17e44b01042b5ad9d68587d963c16c8cb92d76c791b2182b359379645221731ef200c9b31b5c5a0f5eeacfa9

C:\Windows\system\rHygUxe.exe

MD5 93c724daaa04db830326217e04d47c8b
SHA1 2aeff7be448213daccc748d6dabd17c9111e3b32
SHA256 deb3c513a7cac2f83c7d1d9835d696eac5cdbbfe35c4de72680820e74db5d56f
SHA512 ac73ed528b5653fd7d836835393f6a65683a1c41e8ec5424a1b71f3d44513983b43d131eb48bdc93f8e5d6d88cde8c37f15d29e0b3cc9becebd879e72193e9d5

memory/2908-132-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2540-130-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/1872-134-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2908-133-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2504-135-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/2908-136-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2908-137-0x000000013F430000-0x000000013F784000-memory.dmp

memory/2900-139-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/3024-138-0x000000013F940000-0x000000013FC94000-memory.dmp

memory/2540-140-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/2712-141-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2524-142-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/2724-143-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2432-144-0x000000013FFA0000-0x00000001402F4000-memory.dmp

memory/2504-145-0x000000013FD20000-0x0000000140074000-memory.dmp

memory/2720-146-0x000000013F060000-0x000000013F3B4000-memory.dmp

memory/1556-147-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/1356-148-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2696-149-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2596-150-0x000000013F430000-0x000000013F784000-memory.dmp

memory/1872-151-0x000000013F770000-0x000000013FAC4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 16:49

Reported

2024-06-08 16:51

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nFMKupL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XzTlQCC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wdaNjag.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lNOGaKI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XHkRgsN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xzHQXcG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PWhBuOf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AIpjiOp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yfpxxJz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tDduVPR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qniVQLO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NcNXCEw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yeltZfN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eUFikpq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iZkRikm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NyBhMGW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GJkWxgp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YUxzbOF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ymtyuIa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xTJEzvY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GOWkOzh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1796 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\XzTlQCC.exe
PID 1796 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\GJkWxgp.exe
PID 1796 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\wdaNjag.exe
PID 1796 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\lNOGaKI.exe
PID 1796 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\NcNXCEw.exe
PID 1796 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\yfpxxJz.exe
PID 1796 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\YUxzbOF.exe
PID 1796 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\yeltZfN.exe
PID 1796 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\eUFikpq.exe
PID 1796 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\XHkRgsN.exe
PID 1796 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\tDduVPR.exe
PID 1796 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xzHQXcG.exe
PID 1796 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWhBuOf.exe
PID 1796 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\ymtyuIa.exe
PID 1796 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\qniVQLO.exe
PID 1796 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\iZkRikm.exe
PID 1796 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\AIpjiOp.exe
PID 1796 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\xTJEzvY.exe
PID 1796 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\nFMKupL.exe
PID 1796 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\GOWkOzh.exe
PID 1796 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe C:\Windows\System\NyBhMGW.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\XzTlQCC.exe

C:\Windows\System\XzTlQCC.exe

C:\Windows\System\GJkWxgp.exe

C:\Windows\System\GJkWxgp.exe

C:\Windows\System\wdaNjag.exe

C:\Windows\System\wdaNjag.exe

C:\Windows\System\lNOGaKI.exe

C:\Windows\System\lNOGaKI.exe

C:\Windows\System\NcNXCEw.exe

C:\Windows\System\NcNXCEw.exe

C:\Windows\System\yfpxxJz.exe

C:\Windows\System\yfpxxJz.exe

C:\Windows\System\YUxzbOF.exe

C:\Windows\System\YUxzbOF.exe

C:\Windows\System\yeltZfN.exe

C:\Windows\System\yeltZfN.exe

C:\Windows\System\eUFikpq.exe

C:\Windows\System\eUFikpq.exe

C:\Windows\System\XHkRgsN.exe

C:\Windows\System\XHkRgsN.exe

C:\Windows\System\tDduVPR.exe

C:\Windows\System\tDduVPR.exe

C:\Windows\System\xzHQXcG.exe

C:\Windows\System\xzHQXcG.exe

C:\Windows\System\PWhBuOf.exe

C:\Windows\System\PWhBuOf.exe

C:\Windows\System\ymtyuIa.exe

C:\Windows\System\ymtyuIa.exe

C:\Windows\System\qniVQLO.exe

C:\Windows\System\qniVQLO.exe

C:\Windows\System\iZkRikm.exe

C:\Windows\System\iZkRikm.exe

C:\Windows\System\AIpjiOp.exe

C:\Windows\System\AIpjiOp.exe

C:\Windows\System\xTJEzvY.exe

C:\Windows\System\xTJEzvY.exe

C:\Windows\System\nFMKupL.exe

C:\Windows\System\nFMKupL.exe

C:\Windows\System\GOWkOzh.exe

C:\Windows\System\GOWkOzh.exe

C:\Windows\System\NyBhMGW.exe

C:\Windows\System\NyBhMGW.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/1796-0-0x00007FF7D9210000-0x00007FF7D9564000-memory.dmp

memory/1796-1-0x00000275E7780000-0x00000275E7790000-memory.dmp

C:\Windows\System\XzTlQCC.exe

MD5 e03e2a8a1af02917d5a17987559b238c
SHA1 9e906a8eb117d2c4396547505bf6ca108bc14791
SHA256 4704580b1e6ab40563636dcaa062a268ec2a711b80a2a45a841ee30b26b3daec
SHA512 10b52608d42a16287fe8b37c4b376f027f1373b7dec44b8d5dfe65698c32ecbac3d0322e0bcd8ca1220d901d77752c9642e9ff36aaedd97abaae7afab3431144

memory/4576-8-0x00007FF672780000-0x00007FF672AD4000-memory.dmp

C:\Windows\System\GJkWxgp.exe

MD5 403fe9b5c6f381add36165fa888c8f1f
SHA1 bd528a3c4ab98808c7bb69bd2080d78ffc651718
SHA256 9ee1de7e16bf066d56c07d9b4e4907ad12e84efdad777e736197fb05a6993f56
SHA512 e5b3db7773f809f2b5921aafeb7f7118cbd21a32f7e89db0d63fce977abe4a1dc19f75ff51bd5e1a88e88954a1ff96ad7c5c7a629f9ecc9b311ca9b6eda64066

C:\Windows\System\wdaNjag.exe

MD5 8ebea5bcf997cf509f9b8dd0e37fed2f
SHA1 4af0048160a226837e0a58f0de4c52cf7c22f018
SHA256 b6eeb9837a52372b1687e24cf2d9592bae0cf3b2f01d45ac54985b9a679bf81e
SHA512 562fcd7a1621acd59881674351b4b8d02ea0d0bb0a6823dae44bc3a2b6821a631c52f72fe2bd005a8b881edee231da6c379e4bafb59f64cc62ecbf102a29a376

memory/4944-14-0x00007FF795D90000-0x00007FF7960E4000-memory.dmp

memory/1096-20-0x00007FF74BA50000-0x00007FF74BDA4000-memory.dmp

C:\Windows\System\lNOGaKI.exe

MD5 a2a999c4de6d50d6971c5e19b53cee0b
SHA1 a1660af639bd9ebc413b2338fa65b034e906427c
SHA256 da38fa560cd3031503233f8cedb7b29ff4b725ce5de8ffea6851cd42922d82e0
SHA512 9be84faec70672c418d9afb4e8b72cada2cfdb4e0225e23a081026d6e6a9a03bdc07c75d52b2cb02dd890d85c458805883584e817439d7d965b9f61a35ce92e7

memory/3204-26-0x00007FF62EF90000-0x00007FF62F2E4000-memory.dmp

C:\Windows\System\NcNXCEw.exe

MD5 98c61f93152d82cddb872052ffbf2d1f
SHA1 1e9532abe7e75feaf0a9ab332ca58c9e6679f56e
SHA256 d9ce219106b3393bf822f4b0d3c80e55f0e796a9cf299554cc3f52144b5720c2
SHA512 f0a209c1a92e156b1f59e87b393ec4941df2066b234b93b2fc4dcc4b07f5e8738f799ca3529852f2ed8a9219ede668037fdb24f71fcd38df04d6704333d07358

memory/3512-32-0x00007FF746590000-0x00007FF7468E4000-memory.dmp

C:\Windows\System\yfpxxJz.exe

MD5 021ad7d8044f7c748da37929b04e30f3
SHA1 5fb984510c607d1fca674cc7e2dfd089fa84e2e2
SHA256 ec9f18bb3f67c7692f0915140f0cfa8e464d589fe00a8fc39901fcb73d732523
SHA512 0a0c82e2845835454e7f7835712510393e412daf599145fc042df26b579404e0e84fb33e3c99e005cf1cea340db4ae1a6a5289751ac165ea1b3d2d6989a6fd91

memory/2000-37-0x00007FF680A80000-0x00007FF680DD4000-memory.dmp

C:\Windows\System\YUxzbOF.exe

MD5 67a424fe644ffdf590cab7088c26ee03
SHA1 686babe407d99d1e4820a1771ee18dab41ea2d0a
SHA256 32b8317c72eaa795c700ad3589a6fa20a1222770b6c395edc14d5d8152029dd0
SHA512 56db9431ae83b94f6e3fb0edf3f5151c7c5159e4715f051724abfaf2a2f9159060eaec7a7dc611c01ac5b8b12c0859d628be8ff29cdf2378780c87993934a71c

C:\Windows\System\yeltZfN.exe

MD5 1a6e63d04e7a5da05a75e0274717d896
SHA1 6bc2e9f5199f989a6733a948356bde0589a95a7b
SHA256 dd0316d8e417daf002042536f52c06e099935c8a21568cbbca0c7c0bb766dbfc
SHA512 4d503dd2e22139fc2c7f8de8d749b19b62e1381f98e6dd25fe574aa095660ee05b9be5caaacf5894f7c592676ad2ddced9f3cb9922eaafd4bdd7f9e14fe63e1c

memory/1056-44-0x00007FF67C450000-0x00007FF67C7A4000-memory.dmp

memory/228-52-0x00007FF622290000-0x00007FF6225E4000-memory.dmp

C:\Windows\System\XHkRgsN.exe

MD5 65f297156825a4bc0b2683bb90951441
SHA1 70d19f5169708494f538768cca082ed456fd067c
SHA256 226f5f528eb990cc3f6b88db856d44946c2b1b5b9071e9a9fbd4e08bc751af32
SHA512 826d67f8064464e969f69701815d81e848a9a2fad90f56e9492116d07045fca75e3d009e1e2d405d2f50634ae2d1a264fb87b6323a98a1404ed3364e1ef92e72

C:\Windows\System\eUFikpq.exe

MD5 4d6e176365f8af102acf872399eec203
SHA1 ab9e87ab335041078491451b1e04fef14dc7303b
SHA256 9560fc1da0a7a6a35e663a7dcbe12919b39231b09c3e0de2a2a148e463fe2c25
SHA512 71d154f8479c94866ec80c892ad750c59a47b3fdc685010aad7392c20a18361f44b742b7d0cac8615249eeed03278019da78f59b44a90e7ba6cc1adb680007c9

C:\Windows\System\xzHQXcG.exe

MD5 cd5720d9c25ab356baf78c156e0d990b
SHA1 bd844f405a87ec8f93ce00dc134827f5de23592b
SHA256 8978d429750fd2e489cc1dcce4994e865f818e7c56fe4ef73303fbee6b563b42
SHA512 00997b98263ce104c6a68b431ffab558eda862c1a83e382aba44c35fdddde38e114b03fb527a4f35a9ed694be8e5af367237c3c691b224a78c16e6b8d86e9a3b

C:\Windows\System\ymtyuIa.exe

MD5 a8417fee54d733d3aa3ceb21d08aab69
SHA1 5adcb561fd8f595c7ecac82c8d0adc779ee71456
SHA256 f9bb8cef5e0894f8077521dc182f26ac53dc53620bfcef8fd97dfa3d05e0ec96
SHA512 f9abbbebdd06dcdb6c6a2b5d219f6f5c8d5ec02fa7200de141e3ac801a376b15e11ce5137304c5e3af316ff0ca949f32a343960d8cc431f1e05c3e5afb2cf8cd

C:\Windows\System\qniVQLO.exe

MD5 72bb5a9c4f85d9c592f5b292bb0fc735
SHA1 2f85aa2a0dc118edcccda974dffdfef83751b30e
SHA256 6e3e883252112e2a1237dae1f43f95c3095c65ff7f8c749764828000105b6b14
SHA512 11930923f66641810036b9179211415a48931f2a195aaf21da690c925c97ffa13e04faa70d88b8ed61fbd60ca73494c5f6ce6679d0870d2bef87023d449f54d5

C:\Windows\System\AIpjiOp.exe

MD5 7c5b521f2e5170328d029545b341c90a
SHA1 3b5eca36d2d34a5c070aee452319c35052d0bf0e
SHA256 a327acbd6c5400deb9342cf0fe4f0b7153d7c613c2b6910ffbd6150fbec9f9de
SHA512 331951350c8588e49967b026e08c0a300467696a347bfb33e2ff1733b82129f0a7a4a119e91e075a0a706e21bcb7b6040324355a3a609e8572c0932a9350dc29

memory/1596-100-0x00007FF6FC850000-0x00007FF6FCBA4000-memory.dmp

memory/2792-105-0x00007FF699110000-0x00007FF699464000-memory.dmp

memory/2532-106-0x00007FF74DC10000-0x00007FF74DF64000-memory.dmp

C:\Windows\System\nFMKupL.exe

MD5 337ee9fbe79d29ae222048a1d0640bbc
SHA1 1bcd55d3f10f14f8264e8056fb5dd0a85774b942
SHA256 f4036021b8dff62f12b38eba7684372d67d251d75ede1a1dca3a25a000ad6807
SHA512 c7de05a32b15154942d511e45fef71ada591af02b4709b10114e2d1da6ae79708c03c256549750b46144abdf6167860e33ffc325840e33ff05db14c56c71b3a8

C:\Windows\System\GOWkOzh.exe

MD5 667a74f8021c84a8de1eec58d9e4dabe
SHA1 3f8108d75bbb2c8f657927a9f49086715009cd47
SHA256 8e2dab14422463b02d140462da43fe070b6e40703de21d3305c27ffeef82d48e
SHA512 2dcb6fdf695b3e25b0fc32b077a38d307c4399ff803e997afcd2b86f5486a3253ed1c83302812542ced920c634f69d7bafd431a9b38c105d7272db4d5e0d983c

C:\Windows\System\NyBhMGW.exe

MD5 b8fcfa2d18764593d68e6a2d816e7424
SHA1 743783a0822f9b0a4da462c84e2b6b6e48fd9112
SHA256 b169ff32f69664183031b579d9e7fcc66959e97b75718e5778a00063549b4e4d
SHA512 f32a8180034fd8c1361d6f874837ad59f2823f781011fe51b2460ee6acdffdd82d15acb4ff1d9863a70627d950e196aec936a0fee1af046708eb5822e7a914b7

C:\Windows\System\xTJEzvY.exe

MD5 f7332c20e6d45c7f0d2154f7bc9abb32
SHA1 1a6a234946cca1e42cd82db31257cf19e3fb591b
SHA256 a1d32257516b0ca995f6037737c7a28bf48436ce4cc8e9e4b0c30dc06f8473f8
SHA512 18cf6ca2fc10455ceb6dad971df69ecfc966c3d826e67686e6da08124788d1321b62fad1dcc9dc341f6362a686f532a54036b9f9087492ffa56d8c49043c4aab

memory/992-104-0x00007FF73F720000-0x00007FF73FA74000-memory.dmp

memory/1072-101-0x00007FF7DC360000-0x00007FF7DC6B4000-memory.dmp

memory/2328-99-0x00007FF6301F0000-0x00007FF630544000-memory.dmp

C:\Windows\System\iZkRikm.exe

MD5 ba99f3710bc066bab748c7c1e2136b76
SHA1 340c1e7f0be1497add38b731718ce62b8c283b5e
SHA256 40378e43143f44610ce9b8672f2bb3d7f46d10edc3a2ef50153e8879d98008ab
SHA512 935a30abf1fde73cfab36b233b723176fa5ba80aad8f7d97c8f62054f8bc576a7b129d02cebaa9b71dd7104497ca2791c1d30132cab4a61c1e9640672b44d67c

C:\Windows\System\PWhBuOf.exe

MD5 7ed8c3ba659f1d18bd01b7cc1827cdba
SHA1 dcf3d6d108c281d0b677ec0a354964e380412aee
SHA256 b5f322c8a54fe3c6f962ea409602ed6add40691ec9a7575bdbaeecdb7cdb2d4c
SHA512 7e816f7c877d3b76e6c176a56f944107bba7724db3242ea167ee7ea0f849886221ca6f9e571909a5ff98fa4a626d3e509a6f516025d34828050cca70ca4673c6

memory/2184-72-0x00007FF690FB0000-0x00007FF691304000-memory.dmp

memory/4576-71-0x00007FF672780000-0x00007FF672AD4000-memory.dmp

C:\Windows\System\tDduVPR.exe

MD5 4b35b2f6cdcfd3bab0fced0308617f72
SHA1 1d3316c9b93c7a914297b193b24daa8dfe46d4ff
SHA256 fc82cfb3b9aa7f16455ce20d6adf7cf3c013e77d8726912a9d3797d03f54fb51
SHA512 2bf5fd83eb0f585c5e91f529f98d27de08da05346c7ae59d65b7e86864998a0d602cc4d43f450a0ee65fd9cd787cf65dcc6640f276df55c32e18accb2699c16b

memory/4240-60-0x00007FF7D1AD0000-0x00007FF7D1E24000-memory.dmp

memory/1796-58-0x00007FF7D9210000-0x00007FF7D9564000-memory.dmp

memory/4348-57-0x00007FF643FE0000-0x00007FF644334000-memory.dmp

memory/464-128-0x00007FF7AA030000-0x00007FF7AA384000-memory.dmp

memory/4464-127-0x00007FF670BE0000-0x00007FF670F34000-memory.dmp

memory/1096-126-0x00007FF74BA50000-0x00007FF74BDA4000-memory.dmp

memory/4048-130-0x00007FF673E80000-0x00007FF6741D4000-memory.dmp

memory/4588-129-0x00007FF6F1F90000-0x00007FF6F22E4000-memory.dmp

memory/3512-131-0x00007FF746590000-0x00007FF7468E4000-memory.dmp

memory/2000-132-0x00007FF680A80000-0x00007FF680DD4000-memory.dmp

memory/4348-133-0x00007FF643FE0000-0x00007FF644334000-memory.dmp

memory/4240-134-0x00007FF7D1AD0000-0x00007FF7D1E24000-memory.dmp

memory/2328-135-0x00007FF6301F0000-0x00007FF630544000-memory.dmp

memory/2184-136-0x00007FF690FB0000-0x00007FF691304000-memory.dmp

memory/4576-137-0x00007FF672780000-0x00007FF672AD4000-memory.dmp

memory/4944-138-0x00007FF795D90000-0x00007FF7960E4000-memory.dmp

memory/1096-139-0x00007FF74BA50000-0x00007FF74BDA4000-memory.dmp

memory/3204-140-0x00007FF62EF90000-0x00007FF62F2E4000-memory.dmp

memory/3512-141-0x00007FF746590000-0x00007FF7468E4000-memory.dmp

memory/2000-142-0x00007FF680A80000-0x00007FF680DD4000-memory.dmp

memory/1056-143-0x00007FF67C450000-0x00007FF67C7A4000-memory.dmp

memory/228-144-0x00007FF622290000-0x00007FF6225E4000-memory.dmp

memory/4240-145-0x00007FF7D1AD0000-0x00007FF7D1E24000-memory.dmp

memory/4348-146-0x00007FF643FE0000-0x00007FF644334000-memory.dmp

memory/2184-147-0x00007FF690FB0000-0x00007FF691304000-memory.dmp

memory/2328-148-0x00007FF6301F0000-0x00007FF630544000-memory.dmp

memory/2532-149-0x00007FF74DC10000-0x00007FF74DF64000-memory.dmp

memory/1596-150-0x00007FF6FC850000-0x00007FF6FCBA4000-memory.dmp

memory/992-151-0x00007FF73F720000-0x00007FF73FA74000-memory.dmp

memory/1072-152-0x00007FF7DC360000-0x00007FF7DC6B4000-memory.dmp

memory/2792-153-0x00007FF699110000-0x00007FF699464000-memory.dmp

memory/4464-154-0x00007FF670BE0000-0x00007FF670F34000-memory.dmp

memory/464-155-0x00007FF7AA030000-0x00007FF7AA384000-memory.dmp

memory/4588-156-0x00007FF6F1F90000-0x00007FF6F22E4000-memory.dmp

memory/4048-157-0x00007FF673E80000-0x00007FF6741D4000-memory.dmp