Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-bcm5laad55
Target 2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike
SHA256 4eaf306a8b4688e5b8989235c9f6287cde6e0ced04608df11cea649cb68836c6
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

4eaf306a8b4688e5b8989235c9f6287cde6e0ced04608df11cea649cb68836c6

Threat Level: Known bad

The file 2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family
Cobaltstrike
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Xmrig family
xmrig
XMRig Miner payload
UPX packed file
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 01:00

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
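The static signatures above ("UPX packed file", "Unsigned PE") are file-format checks that need nothing beyond the PE headers. The following is an added example, not part of the sandbox report or its tooling: a header-only scanner that flags stock UPX section names, the empty first section UPX leaves for the unpacked image, and the absence of an Authenticode certificate table, which is what "unsigned" means at the format level (a present table still has to be cryptographically verified before the file counts as signed). The build_test_pe() helper constructs a minimal PE32+ header image so the scanner can be exercised offline; it is a test fixture, not a real executable, and the UPX heuristics are the usual ones, which renamed or modified UPX builds can evade.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory slot of the Attribute Certificate Table
SECTION_HEADER_SIZE = 40


def _read_sections(data, offset, count):
    sections = []
    for i in range(count):
        hdr = data[offset + SECTION_HEADER_SIZE * i: offset + SECTION_HEADER_SIZE * (i + 1)]
        if len(hdr) < SECTION_HEADER_SIZE:
            raise ValueError("truncated section table")
        name = hdr[:8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", hdr, 8)
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rsize, "raw_ptr": rptr})
    return sections


def scan_pe(data: bytes) -> dict:
    """Header-only checks behind the 'UPX packed file' and 'Unsigned PE' signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                      # optional header follows the 20-byte file header
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:
        fmt, dirs = "PE32+", 112             # offset of DataDirectory[] inside the optional header
    elif magic == 0x10B:
        fmt, dirs = "PE32", 96
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    num_dirs, = struct.unpack_from("<I", data, opt + dirs - 4)   # NumberOfRvaAndSizes
    cert_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, cert_size = struct.unpack_from("<II", data, opt + dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = _read_sections(data, opt + opt_size, num_sections)
    names = [s["name"] for s in sections]
    return {
        "format": fmt,
        "sections": names,
        # Stock UPX names its sections UPX0/UPX1 (UPX2 for resources); modified builds rename them.
        "upx_section_names": any(n.upper().startswith("UPX") for n in names),
        # UPX's first section has no raw data: it is the empty region the stub unpacks into.
        "empty_first_section": bool(sections) and sections[0]["raw_size"] == 0
                               and sections[0]["virtual_size"] > 0,
        # Presence only; verifying the signature itself needs a full Authenticode check.
        "has_certificate_table": cert_size != 0,
    }


def build_test_pe(section_specs, signed=False) -> bytes:
    """Constructed PE32+ header image (no code) for exercising scan_pe(); not a real binary.
    section_specs: list of (name, virtual_size, raw_size)."""
    e_lfanew = 64
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)          # e_lfanew lives at 0x3C
    opt = bytearray(240)                                             # PE32+ header, 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x4000, 0x1800)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(section_specs), 0, 0, 0, len(opt), 0x22)
    sections, rva = b"", 0x1000
    for name, vsize, rsize in section_specs:
        sections += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, rva, rsize,
                                0x400, 0, 0, 0, 0, 0x60000020)
        rva += max(vsize, 0x1000)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + sections


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(scan_pe(fh.read()))
```

Run it as `python scan_pe.py sample.exe` against a real file; the three result flags map onto the signature names in this report, and a file that has a certificate table should then go through a real Authenticode verifier rather than being treated as signed on presence alone.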

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 01:00

Reported

2024-06-10 01:02

Platform

win7-20240508-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 hits; no description, indicator, process or target recorded for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 hits; no description, indicator, process or target recorded for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (56 hits; no description, indicator, process or target recorded for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (57 hits; no description, indicator, process or target recorded for any of them)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A (21 loads, all by the sample process; the DLL path is not recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (56 hits; no description, indicator, process or target recorded for any of them)

Drops file in Windows directory

Description Indicator Process Target
Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe; Indicator and Target: N/A. 21 files created:
File created C:\Windows\System\LdNvNXg.exe
File created C:\Windows\System\yAabasP.exe
File created C:\Windows\System\HiZDbEu.exe
File created C:\Windows\System\FNGGQSJ.exe
File created C:\Windows\System\VLyIBdm.exe
File created C:\Windows\System\fBKxEtW.exe
File created C:\Windows\System\ezXDiok.exe
File created C:\Windows\System\xadsUhw.exe
File created C:\Windows\System\pfipOuZ.exe
File created C:\Windows\System\ByvVqGZ.exe
File created C:\Windows\System\EWDVPEa.exe
File created C:\Windows\System\RZlwRsI.exe
File created C:\Windows\System\jiHcTlI.exe
File created C:\Windows\System\DBJrkgj.exe
File created C:\Windows\System\KPKQety.exe
File created C:\Windows\System\qtKCuFI.exe
File created C:\Windows\System\iJkbyYG.exe
File created C:\Windows\System\ssydZOo.exe
File created C:\Windows\System\xHyjyIb.exe
File created C:\Windows\System\VsMTImi.exe
File created C:\Windows\System\BzlFonk.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A (2 events)

SeLockMemoryPrivilege is the privilege a process needs to back allocations with large pages (VirtualAlloc with MEM_LARGE_PAGES); XMRig enables it so its RandomX dataset can use huge pages, so this token request is consistent with the XMRig Miner payload signature above. Enabling it only succeeds if the account already holds the "Lock pages in memory" user right, which no account has by default, so the miner falls back to normal pages when the call fails.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe (PID 2576); Indicator: N/A. The report logs three writes into each child; they are collapsed to one row per child here.
PID 2576 wrote to memory of 1220 (x3) C:\Windows\System\ssydZOo.exe
PID 2576 wrote to memory of 2152 (x3) C:\Windows\System\DBJrkgj.exe
PID 2576 wrote to memory of 1180 (x3) C:\Windows\System\ByvVqGZ.exe
PID 2576 wrote to memory of 2592 (x3) C:\Windows\System\EWDVPEa.exe
PID 2576 wrote to memory of 2728 (x3) C:\Windows\System\xHyjyIb.exe
PID 2576 wrote to memory of 2616 (x3) C:\Windows\System\VsMTImi.exe
PID 2576 wrote to memory of 2868 (x3) C:\Windows\System\RZlwRsI.exe
PID 2576 wrote to memory of 2684 (x3) C:\Windows\System\BzlFonk.exe
PID 2576 wrote to memory of 2180 (x3) C:\Windows\System\HiZDbEu.exe
PID 2576 wrote to memory of 2504 (x3) C:\Windows\System\FNGGQSJ.exe
PID 2576 wrote to memory of 2192 (x3) C:\Windows\System\KPKQety.exe
PID 2576 wrote to memory of 2256 (x3) C:\Windows\System\qtKCuFI.exe
PID 2576 wrote to memory of 2560 (x3) C:\Windows\System\jiHcTlI.exe
PID 2576 wrote to memory of 2812 (x3) C:\Windows\System\ezXDiok.exe
PID 2576 wrote to memory of 2944 (x3) C:\Windows\System\VLyIBdm.exe
PID 2576 wrote to memory of 2224 (x3) C:\Windows\System\iJkbyYG.exe
PID 2576 wrote to memory of 2420 (x3) C:\Windows\System\fBKxEtW.exe
PID 2576 wrote to memory of 2216 (x3) C:\Windows\System\xadsUhw.exe
PID 2576 wrote to memory of 1036 (x3) C:\Windows\System\pfipOuZ.exe
PID 2576 wrote to memory of 464 (x3) C:\Windows\System\LdNvNXg.exe
PID 2576 wrote to memory of 1312 (x3) C:\Windows\System\yAabasP.exe
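The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables together describe the behaviour that matters for detection here: one process writes a batch of seven-letter random-named executables into C:\Windows\System and then writes into each child it spawns from them. The following is an added example, not part of the sandbox report: triage logic that parses rows in the shape shown in those two tables, collapses the three-writes-per-child duplication, and flags a writer that both drops and executes at least min_fanout such files. The rows embedded below are a constructed subset copied from this report; the seven-letter naming regex and the fan-out threshold are assumptions chosen to match this sample.

```python
import re
from collections import defaultdict

# Row shapes as they appear in the report's signature tables (Description Indicator Process Target).
DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) \S+$")
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<proc>\S+) (?P<target>\S+)$"
)
# Assumed heuristic for "random-looking" drop names: seven ASCII letters plus .exe directly
# under C:\Windows\System. Every drop in this report matches it.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_rows(rows):
    """Return (drops, writes): writer image -> dropped paths, and
    writer image -> {child pid: child image} for WriteProcessMemory rows."""
    drops = defaultdict(set)
    writes = defaultdict(dict)
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            drops[m["proc"]].add(m["path"])
            continue
        m = WPM_RE.match(row)
        if m:
            # The report records three writes per child; keying on the child pid
            # collapses the triplicates to one entry.
            writes[m["proc"]][int(m["dst"])] = m["target"]
    return drops, writes


def triage(rows, min_fanout=3):
    """Flag any process that drops >= min_fanout random-named executables into
    C:\\Windows\\System and writes into >= min_fanout children running those drops."""
    drops, writes = parse_rows(rows)
    findings = []
    for proc, paths in drops.items():
        random_named = {p for p in paths if RANDOM_NAME_RE.match(p)}
        executed = {img for img in writes.get(proc, {}).values() if img in paths}
        if len(random_named) >= min_fanout and len(executed) >= min_fanout:
            findings.append({
                "process": proc,
                "dropped": len(paths),
                "random_named": len(random_named),
                "executed_drops": len(executed),
                "verdict": "dropper fan-out into C:\\Windows\\System",
            })
    return findings


# Constructed input: a subset of the rows from this report's behavioral1 tables.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe")
WINSYS = r"C:\Windows\System"
SAMPLE_ROWS = [
    f"File created {WINSYS}\\LdNvNXg.exe {SAMPLE} N/A",
    f"File created {WINSYS}\\yAabasP.exe {SAMPLE} N/A",
    f"File created {WINSYS}\\HiZDbEu.exe {SAMPLE} N/A",
    f"File created {WINSYS}\\FNGGQSJ.exe {SAMPLE} N/A",
] + [
    f"PID 2576 wrote to memory of {pid} N/A {SAMPLE} {WINSYS}\\{name}.exe"
    for pid, name in ((464, "LdNvNXg"), (1312, "yAabasP"), (2180, "HiZDbEu"))
    for _ in range(3)  # three writes per child, as in the report
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(finding)
```

The same two parsers can be pointed at a Sysmon event stream (Event ID 11 for the file creations, 8 or 10 plus 1 for the process writes and spawns) once the row regexes are swapped for the field names of that source; the fan-out rule itself does not change.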

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe (PID 2576)
  "C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe"

  Child processes, each started with its own path as the command line (PIDs taken from the WriteProcessMemory table above):
  C:\Windows\System\ssydZOo.exe (PID 1220)
  C:\Windows\System\DBJrkgj.exe (PID 2152)
  C:\Windows\System\ByvVqGZ.exe (PID 1180)
  C:\Windows\System\EWDVPEa.exe (PID 2592)
  C:\Windows\System\xHyjyIb.exe (PID 2728)
  C:\Windows\System\VsMTImi.exe (PID 2616)
  C:\Windows\System\RZlwRsI.exe (PID 2868)
  C:\Windows\System\BzlFonk.exe (PID 2684)
  C:\Windows\System\HiZDbEu.exe (PID 2180)
  C:\Windows\System\FNGGQSJ.exe (PID 2504)
  C:\Windows\System\KPKQety.exe (PID 2192)
  C:\Windows\System\qtKCuFI.exe (PID 2256)
  C:\Windows\System\jiHcTlI.exe (PID 2560)
  C:\Windows\System\ezXDiok.exe (PID 2812)
  C:\Windows\System\VLyIBdm.exe (PID 2944)
  C:\Windows\System\iJkbyYG.exe (PID 2224)
  C:\Windows\System\fBKxEtW.exe (PID 2420)
  C:\Windows\System\xadsUhw.exe (PID 2216)
  C:\Windows\System\pfipOuZ.exe (PID 1036)
  C:\Windows\System\LdNvNXg.exe (PID 464)
  C:\Windows\System\yAabasP.exe (PID 1312)

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp (6 connections)

Files

memory/2576-0-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/2576-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\ssydZOo.exe

MD5 328d6d193bc21f5089f92ad82e93f0fc
SHA1 575a5b53ec09a38e28f39c98885c63d4d4335003
SHA256 efdf2ff42216c32fe0a7c86e0e1790ff3d18c83e9191a726f4f4d155cafe6a52
SHA512 9da1a3ab3c85bc281cf3aeb9de978cf2fac74fdaf5b14e6cb90f8bba4f392a5c9bdc251de7ddf012cb7c17f04d7171fdd131d15ffd1a0d233b0a608f1cc6d744

\Windows\system\DBJrkgj.exe

MD5 b61144a591dc5935b292b52e11ea4beb
SHA1 493b48003dae6811678c52251fb3092258f1fb0a
SHA256 61adeff04079b166fee83eb25fe3268008c93579b49444ceb2af04ee696800ad
SHA512 f54135054422f2370d2ace65a73b363076702813d19ca57d1b7a7dd0ca5eb72577af929b0a34557b82f0a6e5b48fd67a845b0f8b075b9761f019d0621a3a6e2e

memory/1220-15-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2152-14-0x000000013F220000-0x000000013F574000-memory.dmp

memory/2576-12-0x000000013F220000-0x000000013F574000-memory.dmp

C:\Windows\system\ByvVqGZ.exe

MD5 8a010a0659226a6e923c45c4a3c92aad
SHA1 68b25daf689af7ff1de2e0a3647a5d8119748acb
SHA256 f946fa3c6022c13340c563b50c30e3e993d894fee4af88dc7b2b6fb4683f395f
SHA512 48f33fb19929a96225cadd98ba85ac33c63400a27ab681484b644ef47431c29b81d26b0749212307c68d4c51838ea3ad72188357ace911fcc4097bc6dceb5109

C:\Windows\system\xHyjyIb.exe

MD5 00b24965487368678135a26b97f09519
SHA1 83aeca90850e1783d2147ac9d6bf6f5d32deffcd
SHA256 3c1b1857890888d422507684ee8bce805c21f207417c8707f69b93eb2bce6414
SHA512 428e08ea54756ac43f55d0b1dba9dc02d31a298c46f1986f728384c62bc4a7eae63f9a89f1ee9754fcbe03a4d70f4a94e41c16fc47a6c538d964011b0acfc05f

memory/2576-27-0x0000000002270000-0x00000000025C4000-memory.dmp

\Windows\system\VsMTImi.exe

MD5 2aa72be440c0224d945e338232661504
SHA1 05c9a07f76220c800baed91d59897249fbad04a8
SHA256 c8a371478f7832088c106afb390fceea5d7769e86c934e8291d1a724e6c23556
SHA512 96c37287d8b8b5b1bb15dd4facdc2a4b74de4e788bda1e21467ca3d634b5e77ca71ddaaa1da2df256174d50d371c79532f8ab6465f0eee064dae4af227e7f1ad

memory/2684-61-0x000000013FD90000-0x00000001400E4000-memory.dmp

C:\Windows\system\BzlFonk.exe

MD5 c29e44f38bb264d0fffc87e0f8b321b0
SHA1 cdbb47923edd8e5b4b1f63d269853f121bb8faed
SHA256 fc8d7e7456f46933f5c7f943fdd03480d38f701466843b90c69f5267684642ea
SHA512 157deed46804ed7989582f9650a6dbd1b19026abd44608db9177a401c1667b09c741322a37d40b28b1939e30b5b0ae190bf478e0be1d8b14d780cf1a23558af8

memory/2192-78-0x000000013F590000-0x000000013F8E4000-memory.dmp

C:\Windows\system\ezXDiok.exe

MD5 55870c7f111ba611e02f2eddec7b8ec5
SHA1 fb70993bada754d964c873a26f403b8cd7961f4e
SHA256 cae93ae28553e95be7836406469ed25d3fdbe03b67d6484810bd8e0b2f6d4fa0
SHA512 6109d3b5de74f9d41b0eb846d4df6598e19d334a7dd2d27ef5595e58d648591755211540867dd9c949122795ab08d914723d5ba6c40e57a2357899a803054898

\Windows\system\iJkbyYG.exe

MD5 79e53b687d1079dbcd81cfebd9fae6aa
SHA1 ab69a4b5c7759f62dcefbcc85094fb985b0fc625
SHA256 cec586d2b86e88aee5d46d6c828c198add68ee67986af89056c97fc3380720e6
SHA512 6bdb20519772ac156568780f48b854d0a4c7da9083799a9507850251876ae91165d400779d9336874f6a0b9a97e2602355045ed11c9d1b436622f336535980fe

C:\Windows\system\yAabasP.exe

MD5 a3e6616d5ceb2a256e0f624c27152d94
SHA1 5642351dce30e501529634ebe260acb4cbe64cc1
SHA256 87b07986a940f19d25564008ad2b5159c42d01baf42a9572fbd43350dfd8ee9a
SHA512 0c25c59651fd37e3ca164b092712aadbfe0013995de5a649ef6fc78533c5c92236253f5ceda7b98fb13f5d0d3b365f7d124fd7f7ff06bdca59b7229916e232ea

C:\Windows\system\LdNvNXg.exe

MD5 6efa1f99959e22e06372ac2cf6b1916e
SHA1 f898b6ba298060372276c90845a84a95128d26cb
SHA256 bf796935ab34729b8045c7a7684b53ecdefe0232588b64fc5b00e1534d3ec73a
SHA512 5e9cb15dc89d21abb34eb2bd48df702bad4c961aa44bcdd4e3668846ff6c819131cf9bcebfaa74630ec8f2af0b566c1b4287a2d74215874eb21fef8d90bb8543

C:\Windows\system\xadsUhw.exe

MD5 fd7945ba89193d5d414b3b7c9d474acd
SHA1 6bbb3471ae656765f2de3950cf04c12019fcfe0d
SHA256 879f08b43d6f8ad3374ab93e98a7dbe0561d49975abd1c5f929339daffd524ad
SHA512 0d4e3b39c98f0195620c61613e54277fac5db65cee4b5f65c2947e5940b0ce1fd42c79caa9c4a4ae9786f58b23e95dda78c7773ca7ff018e65a3cd508403bc83

C:\Windows\system\pfipOuZ.exe

MD5 cde11d0be2687d25dfc42480a3c4e04b
SHA1 dd284567ff04a8192c067c1aa7102bfc8b8f8295
SHA256 9243744c8ddc26071e84701fe8db53553ff6f091748b6449954a4f3681199c4a
SHA512 3a8dcdba6efe939900b188e85725a0c8be33a47e4846036a6b50c80e2bf1e613e14f20d4dd17fc2c4bddb01457c61ad8f96a6a9b5b6788382cba6374ee991cf9

C:\Windows\system\fBKxEtW.exe

MD5 d2c46ed1507e99855a0923efb7f240e7
SHA1 2c0e758bb78dd47f1b24c702f947061351a4e2ba
SHA256 8f37eec8a5cd0b5e84bc12a0fc56ba3bd3ffe8a6b979f52d28e463ac8557228a
SHA512 440031a698cc04b21e69246064963a1af238bf8057017c7a196b3e2a5a11b1fe51f06639228d83e602b2f3cd100634ad370e9590ddc1c39c25ada9d9523d7b30

memory/2576-106-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2616-137-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2812-101-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/2576-100-0x0000000002270000-0x00000000025C4000-memory.dmp

C:\Windows\system\VLyIBdm.exe

MD5 b35cb72e09688d7ca0c99d282f1bfcc5
SHA1 c97f43f840142652b0fcc6ec3bac25fdb491ea89
SHA256 42f6a3ab67eaa84426582c02de973af380dc187268005cccd8acea8a479d731e
SHA512 3cb4d20ab4acdc2f2600012fa683d115ab87e2874f43041c3dae71ffb930122fd348d3d1c376f4406aa07acc4fed9799dee30234890fb3224abf640c33323485

memory/2560-94-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2576-93-0x0000000002270000-0x00000000025C4000-memory.dmp

memory/2592-92-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/1180-91-0x000000013F560000-0x000000013F8B4000-memory.dmp

C:\Windows\system\jiHcTlI.exe

MD5 b97c239293c30d40ccf5616a346cc26a
SHA1 ccbfa0dae0365a45ba2564dd270eb5653c72f8ca
SHA256 b60988f664a8698a2788c3fe2311b8eb4c7c65a39c09fed94db6aa87aee3f367
SHA512 40874d848dd25e56692ef402f846eb21b0ecfb63ff667217590c60e571f8786a82509ebbe5a9a18d7297ebf9dfdf01c56cbf886dbef0b33f3b22b487fe155079

memory/2256-85-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2576-84-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

C:\Windows\system\qtKCuFI.exe

MD5 eb5b2dcdbbd994ca1af69ad7e0e39b33
SHA1 c5ed281fef66a60f9d8a47ece967917740789587
SHA256 495ad6c9e1437b461ecf2c5e92fcf998d01985da682f0ad4068c682bf6acd72f
SHA512 83d01f23485353e0e4555d19cc79168b50f84b697cfe602058f7410b829b7a6149f762fd963febeb4b02ead011131f9ba12faae9939d78cdc5dbae9589968da8

memory/2152-77-0x000000013F220000-0x000000013F574000-memory.dmp

C:\Windows\system\KPKQety.exe

MD5 d9337cfd29375c9f56f72ac2b53136de
SHA1 ec3b0905f1c2c887db6f2ac1be053b190ed496ff
SHA256 be25739053412942b5fd804288794eb582891f8a78018f1e726dc7af4a5cd211
SHA512 827af2cc8761ac15cc5e126574217c305683226df2d78448ed50fe8308adf83458c8ccc4739cdb0ef5fb96254a6acc1a7b212720110169be85033fcd5a47b659

memory/2504-71-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2576-70-0x000000013F8F0000-0x000000013FC44000-memory.dmp

C:\Windows\system\FNGGQSJ.exe

MD5 9b993a2f66c76122f00d4fd31fe8f091
SHA1 fe29f527456c64481694384a0be5634d73b87586
SHA256 565a10a842c7f417c0f62146ce7f576c39d4e101aa04ad14321b6d3459195688
SHA512 6410acc9a5fddfa8811447ecdf922b2a83352643cba46341263eda74734d862c535323319e5d1f15e9bb281b2d9132549d98fdd84db7f28247385c299939dd00

memory/2180-63-0x000000013F030000-0x000000013F384000-memory.dmp

memory/2576-62-0x000000013F030000-0x000000013F384000-memory.dmp

C:\Windows\system\HiZDbEu.exe

MD5 924545f1f4f1aaf7c62a2ecbbdd0a72f
SHA1 850ac3d6734053b69bb6942ab54db805b997e5fb
SHA256 98293a249162a38262068d49a6ce93c63e868232a1adceb46d77367d504bc501
SHA512 a4fde131ad371048b7fa86219d938055d06eeb9f78ea026d9d18961c8b2fd90ffce6d5575abda8a04b3e15cddbb391608445122c93dffd35aee4ff2304549903

memory/2576-59-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2868-50-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2576-49-0x000000013FD60000-0x00000001400B4000-memory.dmp

C:\Windows\system\RZlwRsI.exe

MD5 e34ddb39c569a92013236e7901b5bab5
SHA1 f95c6c35242c71f1f273027f924ce2da1f41f8df
SHA256 71c65dbaa7444c8d2da672104c4352d0ed8acd1be9efcdcf195c9b8fd5857e51
SHA512 04a22a3fcf545fe8f73b1a2c014e3f9f14cad1171a562e992a5437a7edea33981de60d3fe370bac437ee1c0c155b726228ec02efc828919bd613de675397e27d

memory/2616-41-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2576-39-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2728-38-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2576-37-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2592-28-0x000000013F910000-0x000000013FC64000-memory.dmp

C:\Windows\system\EWDVPEa.exe

MD5 3a6e2467dcdc80756290176c9f380d03
SHA1 332c1271c04429c7cfd0a4526ed6565c1b42189d
SHA256 d114337a7bcceb67a44db29bc4e34956a1a6f3f924a0029d8327d3d0b696d4c1
SHA512 9f7b34e34452ae945c44835bab4c8ad68fb62a20eb7ad3a08df58fa7bf2c63c03dbfaae4aeb1c29cc00e082c9d44003dac082bcc1fcc35b2acde5f60a1142fc9

memory/1180-22-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2576-20-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2180-138-0x000000013F030000-0x000000013F384000-memory.dmp

memory/2576-139-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2576-140-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2576-141-0x0000000002270000-0x00000000025C4000-memory.dmp

memory/2576-142-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/1220-143-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2152-144-0x000000013F220000-0x000000013F574000-memory.dmp

memory/1180-145-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2728-147-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2592-146-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2868-148-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2616-149-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2684-150-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2180-151-0x000000013F030000-0x000000013F384000-memory.dmp

memory/2504-152-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2192-153-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2256-154-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2560-155-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2812-156-0x000000013F8D0000-0x000000013FC24000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 01:00

Reported

2024-06-10 01:02

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\MjjFwsW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rhYnOHA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uWHscGB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KtiqiDg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kpWAzQc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YBqHWTv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qLGlanq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ojqoZot.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pqgnnqu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GMcioTy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aKagJaS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TOWJlpF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oKYoaPJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aEjCMVy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aNvZCTk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vUaJjph.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XkDrmHY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mehfkgU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NiveUhW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JSRSIWw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZnPORWm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4812 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\vUaJjph.exe
PID 4812 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\vUaJjph.exe
PID 4812 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\XkDrmHY.exe
PID 4812 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\XkDrmHY.exe
PID 4812 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\kpWAzQc.exe
PID 4812 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\kpWAzQc.exe
PID 4812 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\mehfkgU.exe
PID 4812 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\mehfkgU.exe
PID 4812 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\NiveUhW.exe
PID 4812 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\NiveUhW.exe
PID 4812 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\YBqHWTv.exe
PID 4812 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\YBqHWTv.exe
PID 4812 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\aKagJaS.exe
PID 4812 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\aKagJaS.exe
PID 4812 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\TOWJlpF.exe
PID 4812 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\TOWJlpF.exe
PID 4812 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSRSIWw.exe
PID 4812 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\JSRSIWw.exe
PID 4812 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZnPORWm.exe
PID 4812 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZnPORWm.exe
PID 4812 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ojqoZot.exe
PID 4812 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\ojqoZot.exe
PID 4812 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qLGlanq.exe
PID 4812 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qLGlanq.exe
PID 4812 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\pqgnnqu.exe
PID 4812 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\pqgnnqu.exe
PID 4812 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\GMcioTy.exe
PID 4812 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\GMcioTy.exe
PID 4812 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\MjjFwsW.exe
PID 4812 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\MjjFwsW.exe
PID 4812 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\rhYnOHA.exe
PID 4812 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\rhYnOHA.exe
PID 4812 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\oKYoaPJ.exe
PID 4812 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\oKYoaPJ.exe
PID 4812 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\uWHscGB.exe
PID 4812 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\uWHscGB.exe
PID 4812 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\aEjCMVy.exe
PID 4812 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\aEjCMVy.exe
PID 4812 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\aNvZCTk.exe
PID 4812 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\aNvZCTk.exe
PID 4812 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\KtiqiDg.exe
PID 4812 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe C:\Windows\System\KtiqiDg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_34d9c275e70564a58572267fe1541f5a_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\vUaJjph.exe

C:\Windows\System\vUaJjph.exe

C:\Windows\System\XkDrmHY.exe

C:\Windows\System\XkDrmHY.exe

C:\Windows\System\kpWAzQc.exe

C:\Windows\System\kpWAzQc.exe

C:\Windows\System\mehfkgU.exe

C:\Windows\System\mehfkgU.exe

C:\Windows\System\NiveUhW.exe

C:\Windows\System\NiveUhW.exe

C:\Windows\System\YBqHWTv.exe

C:\Windows\System\YBqHWTv.exe

C:\Windows\System\aKagJaS.exe

C:\Windows\System\aKagJaS.exe

C:\Windows\System\TOWJlpF.exe

C:\Windows\System\TOWJlpF.exe

C:\Windows\System\JSRSIWw.exe

C:\Windows\System\JSRSIWw.exe

C:\Windows\System\ZnPORWm.exe

C:\Windows\System\ZnPORWm.exe

C:\Windows\System\ojqoZot.exe

C:\Windows\System\ojqoZot.exe

C:\Windows\System\qLGlanq.exe

C:\Windows\System\qLGlanq.exe

C:\Windows\System\pqgnnqu.exe

C:\Windows\System\pqgnnqu.exe

C:\Windows\System\GMcioTy.exe

C:\Windows\System\GMcioTy.exe

C:\Windows\System\MjjFwsW.exe

C:\Windows\System\MjjFwsW.exe

C:\Windows\System\rhYnOHA.exe

C:\Windows\System\rhYnOHA.exe

C:\Windows\System\oKYoaPJ.exe

C:\Windows\System\oKYoaPJ.exe

C:\Windows\System\uWHscGB.exe

C:\Windows\System\uWHscGB.exe

C:\Windows\System\aEjCMVy.exe

C:\Windows\System\aEjCMVy.exe

C:\Windows\System\aNvZCTk.exe

C:\Windows\System\aNvZCTk.exe

C:\Windows\System\KtiqiDg.exe

C:\Windows\System\KtiqiDg.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

memory/4812-0-0x00007FF7CEFE0000-0x00007FF7CF334000-memory.dmp

memory/4812-1-0x00000150DA710000-0x00000150DA720000-memory.dmp

C:\Windows\System\vUaJjph.exe

MD5 e1e3f0424ca65c007cf1437d14e3286f
SHA1 139882ef7b0399a5b4f1566af22b40796f38cb19
SHA256 85bc0e57730a335d6adb7de370acd084efcbc38accd54ee8f3a73ee5ceb5135b
SHA512 aff670619ff747c2750cbee2df674d6e1df56731a7b6a9b1fc0952a378ab67a332d4f6993d072d492d0ea35f85d84c9c2f592b2e64cbe5ce4ca7358db41f230e

memory/4076-8-0x00007FF6FCE70000-0x00007FF6FD1C4000-memory.dmp

C:\Windows\System\XkDrmHY.exe

MD5 0f4faf0ff85216d8a75f2343353594ad
SHA1 35fa880e48d3650c1d368db2ba449a520f67cb60
SHA256 d09943cf36ab03a9a6cebf571e265f08d38a8dfa4bba557d02e364fd59eb6a61
SHA512 20ff9c60a7b8d2b937acf0899159a5e17549d0e76cefbc86280d0c2b16315ad2e9df14e2025ba5e6d8667dc3675b7a114e00162b0899798ec322404fffbdba90

C:\Windows\System\kpWAzQc.exe

MD5 a1bd48055f1f0aecfa11f4c9ef5f8807
SHA1 2872a70b4deed4223ee4dbb5f5b7283aee7322e3
SHA256 93b90e7f70553632098fc202fcaeee4691cc6c7d650c3eebb6c3f3318739e977
SHA512 4bf6b89a60694213546da3eb34a1f1033a47979ab608c09f735ca159026c5888b27bee760b785063cce810a5fc862f7c98bc8723769b47e79d1f3dc6ab7f03a8

memory/1636-14-0x00007FF612CF0000-0x00007FF613044000-memory.dmp

memory/760-18-0x00007FF6BC410000-0x00007FF6BC764000-memory.dmp

C:\Windows\System\mehfkgU.exe

MD5 e5809d8ed903d5706f2960e275129b1e
SHA1 d5df1af9530e31e2bb44ce825bcaa19a6a1d06e1
SHA256 1e08514c08b290a028914b16be2d4683550bb98dfa21dd5518edc48efdab8f49
SHA512 b17df123df0863220bc8f254b75663dcdf28aec3608691b143281279bd3a79f369a917f574c05f8130ae034c09381306323c0f1df6fab2745e12e9b213b2663f

memory/3988-33-0x00007FF6FA820000-0x00007FF6FAB74000-memory.dmp

C:\Windows\System\YBqHWTv.exe

MD5 a23b7b4df42d9c3ace130799f88f3b90
SHA1 c3497a73a22bcba556859a0b147e1f758b728e2a
SHA256 75d9540f827d7dc6415298a8f2d0e41a7349bad2a6e7d4f605accb1759e21598
SHA512 397b8242952223c5ec07bc5a912d881a997244c5db7c5f972a376d04e955e9cffbf945de59008b22eef42f2c15a3a95f9ce1ddf368d41ab64d91daad311c5768

memory/2280-37-0x00007FF7C07F0000-0x00007FF7C0B44000-memory.dmp

memory/4960-38-0x00007FF797F80000-0x00007FF7982D4000-memory.dmp

C:\Windows\System\NiveUhW.exe

MD5 6220ad037bb5f069ffbc0bbf70397e8e
SHA1 0a0c1968cf326027672705f53e15a0315ef8650d
SHA256 99cb80322af2982813db3e1c040f3107d67865e8da04720e8b026cb21e72086b
SHA512 1388f26daaf4969c156f9a76949e3355bb5e49500c19aacdf2b31d82caa01db7ab3e93924383fb706dbe34c2086448052a8b21ab6b96f2fbeab1cdb639f0b3ca

C:\Windows\System\aKagJaS.exe

MD5 e953ad18fb272fd4a1ecfda3b7095c41
SHA1 337c5705191aa1e57ef10025525ec16d5b1485a9
SHA256 2d77ae7a957be34eb0279a1200b770f52fed2fc6f517f62b90369d3cc1413546
SHA512 e9ef64357599c3e494892789356adcbda21b55ebbb7a99ca5ebf4f96d17d1b864c1073c29e1608a40a80e73deece0ddf937b71a46a17c24a512b3f5946dcb4eb

memory/4380-42-0x00007FF7E0E50000-0x00007FF7E11A4000-memory.dmp

C:\Windows\System\TOWJlpF.exe

MD5 d72367c880a688b95e3fb359395bac29
SHA1 cf74ed87c1f992dd7a94d4457e04593ce72daa15
SHA256 6fb5983fda33ebc7ea5981eae908bd4a7a4b027111c2e43ce36ecc348f4411b5
SHA512 57798c016cfd0d930fd8ba6cb367b26033d45511b8306f87cec00c83985f4665bb33633c310f4ac5f520cc427a7765488a767efe2aa6e9a54bb2336d1dfcc688

memory/1540-48-0x00007FF703FE0000-0x00007FF704334000-memory.dmp

C:\Windows\System\JSRSIWw.exe

MD5 9ac3f25ea16952269930fedd608af310
SHA1 46f8a901fb099f4af655fd1335d6a2c09b207de9
SHA256 326e8d8d4ef9e432ca88c39d3488a7808840918b1e35c5d73f11d60b64ff5264
SHA512 7ba91bd9e6fccea4e22bce69f9ba8712cbadb060e6d7c7cfa6530bb2f391fa5e932838f6c0e0a3ef195b8095eed07bf1462e90f52e7ee1594e151618e57f4c89

memory/800-56-0x00007FF766B70000-0x00007FF766EC4000-memory.dmp

C:\Windows\System\ZnPORWm.exe

MD5 007df26857e8239e37a3bf776bf7b5d6
SHA1 03b584e1fc3b8192d86ddfba5b0cf4d4d2cca2cc
SHA256 c9d2e425eb6fe381b1a5add56f404f83322cb681aea07b0cfb343f9bd95ff834
SHA512 05c828343f1174d8d6529c708c84662b81bbd77bd870689814e0045d7af03ac5db48c5e50945b660096e8bef1afd52369b76638ac66b65fdac7d1e588053b5c7

memory/4832-60-0x00007FF699B20000-0x00007FF699E74000-memory.dmp

C:\Windows\System\ojqoZot.exe

MD5 a7f9df33761720f4cdcd08ebcad6eac4
SHA1 2f1ed09a0f516fc0ea52246e6f51fc242bc3e115
SHA256 1cc12942584559a20c77adecac3116ed56dde6de9ff47fe7004640e873b6fce1
SHA512 c2e847792a184735ce0337c8fee29e0572e127c2bd6bc441aa8431799c9dd4a26502149bb54a33ca3eb41737ec333844cb697d5e4259ff1418aec56dbe9f4550

memory/4732-69-0x00007FF675790000-0x00007FF675AE4000-memory.dmp

memory/4812-68-0x00007FF7CEFE0000-0x00007FF7CF334000-memory.dmp

memory/4076-73-0x00007FF6FCE70000-0x00007FF6FD1C4000-memory.dmp

C:\Windows\System\pqgnnqu.exe

MD5 e855f3c4c4fb630e180ae9af0b493483
SHA1 32dcd3920c8bffea52452e66d9b4ef95a18a7954
SHA256 b41c65821613f2a3be30b8a7611c778cee713c5b85bae91d0cfd189a89d6c2fc
SHA512 5055f245284676447ec81d792639417631a93e95e3bd176b2e073eae866fdbea5a21dc92562705692dbee5db160d40dd5afa7cfc451d50165fed3e14501577fd

C:\Windows\System\qLGlanq.exe

MD5 387681543b895423ad767e90a79581db
SHA1 08ece7301019411b83bf80c77c7035b41e8f92e7
SHA256 4a9f2153d935873d70db195afafce52524b476d53ed0375155871785469a0315
SHA512 13824ce2367fbbe01f636ec8cafb8885ebf157975aab2c26f4b27e5cbd35305afa30356bfc97f9e6edc0db2bc8332ba533a8eceeed4cf3421e9274fd07bf19a0

memory/3732-74-0x00007FF6C1220000-0x00007FF6C1574000-memory.dmp

memory/4708-82-0x00007FF7CB9A0000-0x00007FF7CBCF4000-memory.dmp

C:\Windows\System\GMcioTy.exe

MD5 a444f96be2b81d1df6eaf7287327baf7
SHA1 80462de37201ee7b55eca5cb600f455d5b384bfc
SHA256 5600e50c6feb446bae45ed4ce2fa0b4bef24e8e27d3ee6a7952d4b889bc32a0d
SHA512 00f6e99d63a8dc6fa890d5f167586c5060fa807f6fbb98abe6a52f5a617b33782434f1374edb8fbb4cf9490a8de3d986e87ba758c7d2e0105e882a6c64de5d04

C:\Windows\System\MjjFwsW.exe

MD5 338c7b0a8edb5db83b1058b1ed880f9c
SHA1 bb6ae1552aa3461ab541124c8e8c3e06f1cbac82
SHA256 1d7717f6f1681c2a128854999578bf02e8a623c926fba160079c0c80c805f683
SHA512 9651e493241a5871443aacf04e808f508b7b0af816f6a53c5b5334784030e95a7d5c3c3ab468ff788202afae872d71ece19c4ef9b95977e6ddb1f987a8a08c39

memory/2880-89-0x00007FF68D860000-0x00007FF68DBB4000-memory.dmp

memory/4380-107-0x00007FF7E0E50000-0x00007FF7E11A4000-memory.dmp

memory/1540-110-0x00007FF703FE0000-0x00007FF704334000-memory.dmp

memory/4208-109-0x00007FF6E7D80000-0x00007FF6E80D4000-memory.dmp

C:\Windows\System\uWHscGB.exe

MD5 164638357b733ec4004109c858d9b7ca
SHA1 f392e2c8df31ce3e5d64b917363e88d775740d92
SHA256 6e68fba0e9d3e3cc5f03aaa4fee9e031b549972d9873210b81706a8f48eed24e
SHA512 35776b29c909cd8494f91f5647e67f171dbd75fca46314cbc3bef8eaad4acd0464f79dfe0906d401517445be9d3bf369bf4400aa2c3b29994597b7f6687352f4

memory/4680-106-0x00007FF7C3260000-0x00007FF7C35B4000-memory.dmp

C:\Windows\System\oKYoaPJ.exe

MD5 a097e30f6d825a8e428597af7e390918
SHA1 9c59edf61f4fa7ac149d8968513fe4fa4e406f13
SHA256 114ad7c93e3990387ddb047a31ef1d344a2013fae215b5ec704ca322ae0ff3d3
SHA512 aff6d81943ea3eb9cfb83a505201ecb451e78f04485cb8d73a4a8b071fd089f55dca60fdfe2bccb3aea47f31986aec4dee6375723b0c2d383c87432b38919a61

memory/800-122-0x00007FF766B70000-0x00007FF766EC4000-memory.dmp

C:\Windows\System\aNvZCTk.exe

MD5 7a325b36da585f4d6b6dc230dc99d25b
SHA1 50cdb9749072e9f95487648ec3106622a1c01e8c
SHA256 8f6545cf1fe00517ee45f48fd24804d010f05cdd78b0105cb9f3a4d56bbe5311
SHA512 7c20c3b0020c72f1b8632adf131f18367a0373c2f404e151ae7fd91343c8b431feebb1a82a157c7e2d6bfcc343846247dc15f5e2fbb49e980121e5d9e15329a4

C:\Windows\System\aEjCMVy.exe

MD5 a35b377bb272f24c1a188ffdfe16344d
SHA1 1d15d0ada2615a1b9b75047b764f42d793a86f81
SHA256 6be7796ff869fb188b715a900dbf6539094687621a479343089e403a964d1af7
SHA512 b99da75f2e943092a045d44e4418c04349dca572473a082198db23c142dcb11b31d9b055e691b4afb4b1d7a3fd9f699867d7c959318d2557101b9c393cfdf447

memory/4472-121-0x00007FF738070000-0x00007FF7383C4000-memory.dmp

C:\Windows\System\KtiqiDg.exe

MD5 3e52b333c25fde26f1eb4fabf262cfcd
SHA1 b84b5a891843f87b0af14131f45778f138ae188d
SHA256 fb14182fa41a8b33c51fc158738b3a0b65bb39e8840dfee96837ee2a917da252
SHA512 827f2b48c10efafb9d31c48bb2d8fd0d28dc18df320a47d3c39dfcedc599af72848eb49a6ca18850cb5950efdebb54ffafa3dc5b4d5a62741f3ab7de27a26e28

memory/3648-123-0x00007FF6C3810000-0x00007FF6C3B64000-memory.dmp

C:\Windows\System\rhYnOHA.exe

MD5 08ae979f96857a55b270ecf43cc9f94a
SHA1 af94d132ca82d3b0138186b62588079eec1cc323
SHA256 fcf8368391e7c7f4e8c76f65634fdb0eb1c5ca7d6c1956478822a55fee6434fd
SHA512 52b6dd6e2020e9f96c9f55fce1a269dd2172bad60ff190ff02ec4445099b8aae8c983c5671e81e8f3d3eb32d6fe953270361982945a12845d9b4b04b58f7ce95

memory/2372-93-0x00007FF66BE60000-0x00007FF66C1B4000-memory.dmp

memory/760-88-0x00007FF6BC410000-0x00007FF6BC764000-memory.dmp

memory/4904-132-0x00007FF748CD0000-0x00007FF749024000-memory.dmp

memory/4820-134-0x00007FF721180000-0x00007FF7214D4000-memory.dmp

memory/4832-133-0x00007FF699B20000-0x00007FF699E74000-memory.dmp

memory/3732-135-0x00007FF6C1220000-0x00007FF6C1574000-memory.dmp

memory/2372-136-0x00007FF66BE60000-0x00007FF66C1B4000-memory.dmp

memory/4208-137-0x00007FF6E7D80000-0x00007FF6E80D4000-memory.dmp

memory/4904-138-0x00007FF748CD0000-0x00007FF749024000-memory.dmp

memory/3648-139-0x00007FF6C3810000-0x00007FF6C3B64000-memory.dmp

memory/4076-140-0x00007FF6FCE70000-0x00007FF6FD1C4000-memory.dmp

memory/1636-141-0x00007FF612CF0000-0x00007FF613044000-memory.dmp

memory/3988-142-0x00007FF6FA820000-0x00007FF6FAB74000-memory.dmp

memory/760-143-0x00007FF6BC410000-0x00007FF6BC764000-memory.dmp

memory/2280-144-0x00007FF7C07F0000-0x00007FF7C0B44000-memory.dmp

memory/4960-145-0x00007FF797F80000-0x00007FF7982D4000-memory.dmp

memory/4380-146-0x00007FF7E0E50000-0x00007FF7E11A4000-memory.dmp

memory/1540-147-0x00007FF703FE0000-0x00007FF704334000-memory.dmp

memory/800-148-0x00007FF766B70000-0x00007FF766EC4000-memory.dmp

memory/4832-149-0x00007FF699B20000-0x00007FF699E74000-memory.dmp

memory/4732-150-0x00007FF675790000-0x00007FF675AE4000-memory.dmp

memory/3732-151-0x00007FF6C1220000-0x00007FF6C1574000-memory.dmp

memory/4708-152-0x00007FF7CB9A0000-0x00007FF7CBCF4000-memory.dmp

memory/2880-153-0x00007FF68D860000-0x00007FF68DBB4000-memory.dmp

memory/2372-154-0x00007FF66BE60000-0x00007FF66C1B4000-memory.dmp

memory/4680-155-0x00007FF7C3260000-0x00007FF7C35B4000-memory.dmp

memory/4208-156-0x00007FF6E7D80000-0x00007FF6E80D4000-memory.dmp

memory/4472-157-0x00007FF738070000-0x00007FF7383C4000-memory.dmp

memory/4904-158-0x00007FF748CD0000-0x00007FF749024000-memory.dmp

memory/3648-159-0x00007FF6C3810000-0x00007FF6C3B64000-memory.dmp

memory/4820-160-0x00007FF721180000-0x00007FF7214D4000-memory.dmp