Malware Analysis Report

2024-10-16 03:06

Sample ID 240609-dew7dsdc78
Target 2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike
SHA256 1c636cc611ad32eb2e65a0b5d75bea3410638e6f6e2b49661e650eae9a501413
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1c636cc611ad32eb2e65a0b5d75bea3410638e6f6e2b49661e650eae9a501413

Threat Level: Known bad

The file 2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

XMRig Miner payload

Xmrig family

UPX dump on OEP (original entry point)

xmrig

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

Cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 02:56

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 02:55

Reported

2024-06-09 02:59

Platform

win7-20240220-en

Max time kernel

133s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\EpdTDyo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fAZiJBd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rHeWrji.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gSflHYg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bGuAJWW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\embgdRH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\slEDbeo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VaBiJiS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RkfqrrM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RpwIcPT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RVXQEol.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vUCbbsh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IwNGDxb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\POixSfg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TYQAnDb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CrTKOmt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WiBbcTU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SzQlZlv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bRiWySn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kMINxzr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZFlVXfA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\vUCbbsh.exe
PID 1976 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\vUCbbsh.exe
PID 1976 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\vUCbbsh.exe
PID 1976 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\IwNGDxb.exe
PID 1976 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\IwNGDxb.exe
PID 1976 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\IwNGDxb.exe
PID 1976 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\embgdRH.exe
PID 1976 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\embgdRH.exe
PID 1976 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\embgdRH.exe
PID 1976 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\kMINxzr.exe
PID 1976 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\kMINxzr.exe
PID 1976 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\kMINxzr.exe
PID 1976 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gSflHYg.exe
PID 1976 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gSflHYg.exe
PID 1976 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gSflHYg.exe
PID 1976 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\bGuAJWW.exe
PID 1976 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\bGuAJWW.exe
PID 1976 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\bGuAJWW.exe
PID 1976 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\slEDbeo.exe
PID 1976 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\slEDbeo.exe
PID 1976 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\slEDbeo.exe
PID 1976 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\VaBiJiS.exe
PID 1976 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\VaBiJiS.exe
PID 1976 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\VaBiJiS.exe
PID 1976 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZFlVXfA.exe
PID 1976 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZFlVXfA.exe
PID 1976 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZFlVXfA.exe
PID 1976 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\CrTKOmt.exe
PID 1976 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\CrTKOmt.exe
PID 1976 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\CrTKOmt.exe
PID 1976 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\RkfqrrM.exe
PID 1976 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\RkfqrrM.exe
PID 1976 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\RkfqrrM.exe
PID 1976 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WiBbcTU.exe
PID 1976 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WiBbcTU.exe
PID 1976 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WiBbcTU.exe
PID 1976 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\RpwIcPT.exe
PID 1976 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\RpwIcPT.exe
PID 1976 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\RpwIcPT.exe
PID 1976 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\EpdTDyo.exe
PID 1976 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\EpdTDyo.exe
PID 1976 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\EpdTDyo.exe
PID 1976 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SzQlZlv.exe
PID 1976 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SzQlZlv.exe
PID 1976 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\SzQlZlv.exe
PID 1976 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fAZiJBd.exe
PID 1976 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fAZiJBd.exe
PID 1976 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fAZiJBd.exe
PID 1976 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\RVXQEol.exe
PID 1976 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\RVXQEol.exe
PID 1976 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\RVXQEol.exe
PID 1976 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\POixSfg.exe
PID 1976 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\POixSfg.exe
PID 1976 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\POixSfg.exe
PID 1976 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rHeWrji.exe
PID 1976 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rHeWrji.exe
PID 1976 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rHeWrji.exe
PID 1976 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRiWySn.exe
PID 1976 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRiWySn.exe
PID 1976 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\bRiWySn.exe
PID 1976 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TYQAnDb.exe
PID 1976 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TYQAnDb.exe
PID 1976 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TYQAnDb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\vUCbbsh.exe

C:\Windows\System\vUCbbsh.exe

C:\Windows\System\IwNGDxb.exe

C:\Windows\System\IwNGDxb.exe

C:\Windows\System\embgdRH.exe

C:\Windows\System\embgdRH.exe

C:\Windows\System\kMINxzr.exe

C:\Windows\System\kMINxzr.exe

C:\Windows\System\gSflHYg.exe

C:\Windows\System\gSflHYg.exe

C:\Windows\System\bGuAJWW.exe

C:\Windows\System\bGuAJWW.exe

C:\Windows\System\slEDbeo.exe

C:\Windows\System\slEDbeo.exe

C:\Windows\System\VaBiJiS.exe

C:\Windows\System\VaBiJiS.exe

C:\Windows\System\ZFlVXfA.exe

C:\Windows\System\ZFlVXfA.exe

C:\Windows\System\CrTKOmt.exe

C:\Windows\System\CrTKOmt.exe

C:\Windows\System\RkfqrrM.exe

C:\Windows\System\RkfqrrM.exe

C:\Windows\System\WiBbcTU.exe

C:\Windows\System\WiBbcTU.exe

C:\Windows\System\RpwIcPT.exe

C:\Windows\System\RpwIcPT.exe

C:\Windows\System\EpdTDyo.exe

C:\Windows\System\EpdTDyo.exe

C:\Windows\System\SzQlZlv.exe

C:\Windows\System\SzQlZlv.exe

C:\Windows\System\fAZiJBd.exe

C:\Windows\System\fAZiJBd.exe

C:\Windows\System\RVXQEol.exe

C:\Windows\System\RVXQEol.exe

C:\Windows\System\POixSfg.exe

C:\Windows\System\POixSfg.exe

C:\Windows\System\rHeWrji.exe

C:\Windows\System\rHeWrji.exe

C:\Windows\System\bRiWySn.exe

C:\Windows\System\bRiWySn.exe

C:\Windows\System\TYQAnDb.exe

C:\Windows\System\TYQAnDb.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1976-0-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/1976-1-0x00000000002F0000-0x0000000000300000-memory.dmp

\Windows\system\vUCbbsh.exe

MD5 7a477c404ee368391e14ae96ab800c2c
SHA1 f43314c0bad197c27485e3455487a1e77aef08ad
SHA256 c38f785c2478951eb90930859297fe92a185f7fe6503e101389997f5ed79b9af
SHA512 ae5e3a4dbb63bf65bc3e9da3d58d7b07f203205e7a6569616bad0538e7a9275305eb91949de9872e711fff136d102dd5f43e2a1cb32bf873e0a95d83054cd0d2

\Windows\system\IwNGDxb.exe

MD5 f505e9632fbd4a5d58adc9e4173d1271
SHA1 1bde162a3fb4ccb17e2151f596876ce0481e68a3
SHA256 470c9e84848117759613eb687b446759f7d07a7f41d04dc436b012f7f509e2e6
SHA512 e198372dce29bd351d9034837bc88bf336ab45518f945c233b0df8303eb7db6dfe81aa40e79300136ac6bc7ee0344b1f19f04eb515a02bbb33d814e047faaccf

C:\Windows\system\IwNGDxb.exe

MD5 2c71960793488b638ad0c9c1e8da1378
SHA1 4ef43f39dbc6792c6fdf021639668e76fa9fecad
SHA256 f461ceb92df665d0d703f1cab87307d7a1b22fb8aae1777eb9625e8f083de726
SHA512 0d0662996e778c9fbfbd5df1577a283eab6295e68d2c64b5e15cff68e6b4fd86c90a2b46e79bb77978b8b561ee20bfd993b7a98f95697d0cd20101e1afd66a38

C:\Windows\system\vUCbbsh.exe

MD5 1e2459942327eb396bd8cd9cbc885d14
SHA1 b979cbcb517509c30843efb1d91bef30f1f24a44
SHA256 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a
SHA512 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7

C:\Windows\system\embgdRH.exe

MD5 6fb6863d9548f3879b1ba1b64fc45a68
SHA1 0dc40616de903c417cc9a8b581f9078af09ea60a
SHA256 b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82
SHA512 cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61

\Windows\system\embgdRH.exe

MD5 378d650191fa42a503a6d000e70c049c
SHA1 2101b33a2643c5e6f0d1f93c815a32ff82bcade1
SHA256 336ca01f9971cc9847ba1c0b15b9f3253cf4bef083bcb8031e5ed06146fd0730
SHA512 4f5614d7e1039eadf842e4b99f89ab12b24fbf17898e497cb1915ee819e9dda4b5c0bfee3f6aad8a8f565e5d191ab5482fb91d71208410e6f71c5fc19c00db29

C:\Windows\system\embgdRH.exe

MD5 6fc1d2a6aa4e5fec1598640195150caa
SHA1 163971d08fea512c74e8dc6194438875b3a4e2dd
SHA256 c7702a558c524dcd71e1b49a725b4d00424bcfa78922fa47fa3df7ad8780489b
SHA512 32242bb3972b6c84fe04251d691d74728217a6789799a7b9b70417f9c92fed40204f2a0597f504eb1e15f95e5fdd6bfa9b9cbc89671f004164b2844ac1ca4ae4

memory/2892-19-0x000000013FF60000-0x00000001402B4000-memory.dmp

C:\Windows\system\kMINxzr.exe

MD5 7ca4c7d08ec840a69d3101c638d4b72f
SHA1 9a0bd3c709f755b63121fadc936f446aec1e7ee6
SHA256 ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7
SHA512 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b

C:\Windows\system\bGuAJWW.exe

MD5 1d51a6f9f8f706d40a78f27cac287065
SHA1 981c2096ede4558d1ebc91ef5d6ea849a5e05a26
SHA256 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1
SHA512 f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97

memory/1976-39-0x000000013FFA0000-0x00000001402F4000-memory.dmp

memory/1976-41-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/2576-43-0x000000013F370000-0x000000013F6C4000-memory.dmp

C:\Windows\system\slEDbeo.exe

MD5 e7046aead433b65a5b7848898cc1c597
SHA1 ec137b58d48f1bb1c80e719cf108cd820f61d91c
SHA256 484bdf1b695ada73dce73634e788796e5aaf79f06fce3e8a654abbeb15338285
SHA512 f9de9aa529e039714651d19c39ae5a7b7a5f59dad3570ef24c8bca7b7c66e161467af663106f4035640d035f72a6449b0931152d016f15f1884be5f963af4b1e

C:\Windows\system\VaBiJiS.exe

MD5 8003c8ca1c6255c4a9df50b61d369786
SHA1 ef521c59d5519424152618453d9a1ec413a267cf
SHA256 caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8
SHA512 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795

C:\Windows\system\ZFlVXfA.exe

MD5 1d3a027708a48a3c73a911f7d1532fca
SHA1 f960fd40bf0cf951600c386a6a9501a01e54ab51
SHA256 f4e703d98029a56b7200ca63aefb85a455d5792cd9407b54a0dc1c4762419eda
SHA512 4c0f2e25c98d407f27d4b0d85d2fe06ea754e657bc939feb907f00109c3d9db11707e7ca2d3e02171201afd527ee2b1673e434c274c030dde555dbb27b53e539

C:\Windows\system\CrTKOmt.exe

MD5 992e15ebc2245cf970acce9948576d6c
SHA1 3322f50d4aebf915abc8a5277cd07a23adf5f127
SHA256 34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5
SHA512 2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7

\Windows\system\TYQAnDb.exe

MD5 f6cdfb3d88537b367792cbd894bd98ed
SHA1 3d3f99c94c72c456dffcf949bc5d30603a7e936c
SHA256 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86
SHA512 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

memory/2580-118-0x000000013FAF0000-0x000000013FE44000-memory.dmp

C:\Windows\system\bRiWySn.exe

MD5 968a7e053a9ff2f65fb0d430878c056f
SHA1 5f9bf70d967f6c88c2561445b0ac59deabc4c2e4
SHA256 46270d8caf30ce42b3d4ca5e7f52c493abfc28460ca624e179641d7702530c43
SHA512 166ea6d8b6a5c04a9ff1c49130fa4ff49bc1251eb2190c57be0a30ebce6a606be5a4b449a52a2479a02a07b7e49776fb533303da5f1499084dca57c520bdfbac


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 02:55

Reported

2024-06-09 02:59

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\bqklLxC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WIxJIBD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XyMUwUF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RXBidsf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VnHGFgQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NdDLmbS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KLmYSac.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uWCnTUx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MLFxaEt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cpejiCz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ieczhKQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jJQAvPk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oqumGkv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nwLHeeH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gDjyJVL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oYFmYcg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fSYXvOA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yxePtTa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xtcgUxb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eYYoXDi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WRlTXqW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3528 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\yxePtTa.exe
PID 3528 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\yxePtTa.exe
PID 3528 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\VnHGFgQ.exe
PID 3528 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\VnHGFgQ.exe
PID 3528 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\NdDLmbS.exe
PID 3528 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\NdDLmbS.exe
PID 3528 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KLmYSac.exe
PID 3528 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KLmYSac.exe
PID 3528 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\xtcgUxb.exe
PID 3528 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\xtcgUxb.exe
PID 3528 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\eYYoXDi.exe
PID 3528 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\eYYoXDi.exe
PID 3528 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\uWCnTUx.exe
PID 3528 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\uWCnTUx.exe
PID 3528 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oqumGkv.exe
PID 3528 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oqumGkv.exe
PID 3528 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\bqklLxC.exe
PID 3528 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\bqklLxC.exe
PID 3528 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WRlTXqW.exe
PID 3528 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WRlTXqW.exe
PID 3528 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\nwLHeeH.exe
PID 3528 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\nwLHeeH.exe
PID 3528 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WIxJIBD.exe
PID 3528 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WIxJIBD.exe
PID 3528 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XyMUwUF.exe
PID 3528 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\XyMUwUF.exe
PID 3528 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gDjyJVL.exe
PID 3528 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\gDjyJVL.exe
PID 3528 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\RXBidsf.exe
PID 3528 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\RXBidsf.exe
PID 3528 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oYFmYcg.exe
PID 3528 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\oYFmYcg.exe
PID 3528 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ieczhKQ.exe
PID 3528 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\ieczhKQ.exe
PID 3528 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\MLFxaEt.exe
PID 3528 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\MLFxaEt.exe
PID 3528 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\cpejiCz.exe
PID 3528 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\cpejiCz.exe
PID 3528 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jJQAvPk.exe
PID 3528 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\jJQAvPk.exe
PID 3528 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fSYXvOA.exe
PID 3528 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe C:\Windows\System\fSYXvOA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\yxePtTa.exe

C:\Windows\System\yxePtTa.exe

C:\Windows\System\VnHGFgQ.exe

C:\Windows\System\VnHGFgQ.exe

C:\Windows\System\NdDLmbS.exe

C:\Windows\System\NdDLmbS.exe

C:\Windows\System\KLmYSac.exe

C:\Windows\System\KLmYSac.exe

C:\Windows\System\xtcgUxb.exe

C:\Windows\System\xtcgUxb.exe

C:\Windows\System\eYYoXDi.exe

C:\Windows\System\eYYoXDi.exe

C:\Windows\System\uWCnTUx.exe

C:\Windows\System\uWCnTUx.exe

C:\Windows\System\oqumGkv.exe

C:\Windows\System\oqumGkv.exe

C:\Windows\System\bqklLxC.exe

C:\Windows\System\bqklLxC.exe

C:\Windows\System\WRlTXqW.exe

C:\Windows\System\WRlTXqW.exe

C:\Windows\System\nwLHeeH.exe

C:\Windows\System\nwLHeeH.exe

C:\Windows\System\WIxJIBD.exe

C:\Windows\System\WIxJIBD.exe

C:\Windows\System\XyMUwUF.exe

C:\Windows\System\XyMUwUF.exe

C:\Windows\System\gDjyJVL.exe

C:\Windows\System\gDjyJVL.exe

C:\Windows\System\RXBidsf.exe

C:\Windows\System\RXBidsf.exe

C:\Windows\System\oYFmYcg.exe

C:\Windows\System\oYFmYcg.exe

C:\Windows\System\ieczhKQ.exe

C:\Windows\System\ieczhKQ.exe

C:\Windows\System\MLFxaEt.exe

C:\Windows\System\MLFxaEt.exe

C:\Windows\System\cpejiCz.exe

C:\Windows\System\cpejiCz.exe

C:\Windows\System\jJQAvPk.exe

C:\Windows\System\jJQAvPk.exe

C:\Windows\System\fSYXvOA.exe

C:\Windows\System\fSYXvOA.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
