Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-e2977scg47
Target 2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike
SHA256 f885a0ba9a3f5b9ae909f059f1ec21811f5623175385a80fb2a5714f808963d5
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f885a0ba9a3f5b9ae909f059f1ec21811f5623175385a80fb2a5714f808963d5

Threat Level: Known bad

The file 2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

UPX dump on OEP (original entry point)

xmrig

XMRig Miner payload

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

Xmrig family

Cobaltstrike

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 04:27

Signatures

Cobalt Strike reflective loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

XMRig Miner payload

miner
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xmrig family

xmrig

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 04:27

Reported

2024-06-10 04:30

Platform

win7-20240508-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (58 identical rows)

XMRig Miner payload

miner
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (59 identical rows)

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A (21 identical rows)

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (58 identical rows)

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\System\xRCrwpG.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\tSvqgVQ.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\MWNfKcX.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\yrHuWMT.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\mlqXcnC.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\bCsHFRC.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\jIzUfWl.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\sGGuaKw.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\EImiAzo.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\xtQCfdD.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\OiwIHJU.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\SqfwRUr.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\KAQufJP.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\sannblE.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\LMvIPBV.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\CwoaImV.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\UvZdcdt.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\zsMFbPH.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\FwzygAN.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\xiAmTUl.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
File created | C:\Windows\System\TuEkLAM.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | N/A

Suspicious use of WriteProcessMemory

Each row below was recorded three times in the original report (63 rows in total).

Description | Indicator | Process | Target
PID 2420 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\EImiAzo.exe
PID 2420 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\LMvIPBV.exe
PID 2420 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\CwoaImV.exe
PID 2420 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\tSvqgVQ.exe
PID 2420 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\UvZdcdt.exe
PID 2420 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\FwzygAN.exe
PID 2420 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\xiAmTUl.exe
PID 2420 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\SqfwRUr.exe
PID 2420 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\KAQufJP.exe
PID 2420 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\TuEkLAM.exe
PID 2420 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\xtQCfdD.exe
PID 2420 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\MWNfKcX.exe
PID 2420 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\OiwIHJU.exe
PID 2420 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\mlqXcnC.exe
PID 2420 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\sannblE.exe
PID 2420 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\yrHuWMT.exe
PID 2420 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\zsMFbPH.exe
PID 2420 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\bCsHFRC.exe
PID 2420 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\jIzUfWl.exe
PID 2420 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\sGGuaKw.exe
PID 2420 wrote to memory of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | C:\Windows\System\xRCrwpG.exe

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\EImiAzo.exe | C:\Windows\System\EImiAzo.exe
C:\Windows\System\LMvIPBV.exe | C:\Windows\System\LMvIPBV.exe
C:\Windows\System\CwoaImV.exe | C:\Windows\System\CwoaImV.exe
C:\Windows\System\tSvqgVQ.exe | C:\Windows\System\tSvqgVQ.exe
C:\Windows\System\UvZdcdt.exe | C:\Windows\System\UvZdcdt.exe
C:\Windows\System\FwzygAN.exe | C:\Windows\System\FwzygAN.exe
C:\Windows\System\xiAmTUl.exe | C:\Windows\System\xiAmTUl.exe
C:\Windows\System\SqfwRUr.exe | C:\Windows\System\SqfwRUr.exe
C:\Windows\System\KAQufJP.exe | C:\Windows\System\KAQufJP.exe
C:\Windows\System\TuEkLAM.exe | C:\Windows\System\TuEkLAM.exe
C:\Windows\System\xtQCfdD.exe | C:\Windows\System\xtQCfdD.exe
C:\Windows\System\MWNfKcX.exe | C:\Windows\System\MWNfKcX.exe
C:\Windows\System\OiwIHJU.exe | C:\Windows\System\OiwIHJU.exe
C:\Windows\System\mlqXcnC.exe | C:\Windows\System\mlqXcnC.exe
C:\Windows\System\sannblE.exe | C:\Windows\System\sannblE.exe
C:\Windows\System\yrHuWMT.exe | C:\Windows\System\yrHuWMT.exe
C:\Windows\System\zsMFbPH.exe | C:\Windows\System\zsMFbPH.exe
C:\Windows\System\bCsHFRC.exe | C:\Windows\System\bCsHFRC.exe
C:\Windows\System\jIzUfWl.exe | C:\Windows\System\jIzUfWl.exe
C:\Windows\System\sGGuaKw.exe | C:\Windows\System\sGGuaKw.exe
C:\Windows\System\xRCrwpG.exe | C:\Windows\System\xRCrwpG.exe

Network

Country | Destination | Domain | Proto
DE | 3.120.209.58:8080 | | tcp (6 identical rows; no domain recorded)

Files

memory/2420-0-0x00000000001F0000-0x0000000000200000-memory.dmp

memory/2420-2-0x000000013F5C0000-0x000000013F914000-memory.dmp

\Windows\system\EImiAzo.exe

MD5 6ad15c2ddaf1e16b02397357496c995d
SHA1 577c459e47bd89594789ed52e79f4263f1576afa
SHA256 5839807b21bd64c6518eedeaea7abfdd0a2a33e0b2b2180e731e1e9bc54d55ed
SHA512 0ba6de01e631bfb431fd68c544d82270c02e49c8fbd01dddfeebf28653d91a6ed7062ce013039a0be11a3ff0e00e9044cdef7eb9d8b5d20390e1d2af78a5e082

C:\Windows\system\LMvIPBV.exe

MD5 00d0e663b1071c7bb24dccce80e425bc
SHA1 0794fe8f307d18f0ed8b34e5a3c48844263bc203
SHA256 144c5227bed6e40c408f34cafa1dcbbcf2ad17a928f826abaacd7349f9acd83c
SHA512 40de189d9896c09e2a3c3fd3602091167af6648393948af97b743e92a5d1258f2dc21753eed4ccb62073b7cced0285783948f3477967f0d31901349616be5c8f

memory/2420-15-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/2884-16-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2052-13-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2420-10-0x00000000022F0000-0x0000000002644000-memory.dmp

C:\Windows\system\CwoaImV.exe

MD5 393693125e0daa12e0bf84dc2472cf12
SHA1 759e2902020c6a870f7ed7dd523a9fcbe414bd17
SHA256 c73389cb4b5e29f50324ab4919939fe7dc4a02ec4ae1f02999cde85b2acda943
SHA512 ccf375bbb3fc869f946b0cb81324bd0033478768d5407069014d18da268ded2dde8f21ee56efcd997de4466ef94cda4383e330c117883655010ef11f87872104

C:\Windows\system\tSvqgVQ.exe

MD5 2c2e1059d6a6c7097b60eb94227b58ec
SHA1 33fa77af5917e6998482f4a6bfcd61dab0bec237
SHA256 5f1bd9456821025bec89d5a44a0a317575ad95794ba1d7b48d5c9b52caad4064
SHA512 d85990dd24d3d9ac4378db2bab07cf2edaa97a9a3cae49620f72c873bd10b0e5708023a7f985ff0dcce525109c54a1f602b4b7d805c835c7ee217adf450289a0

memory/2728-28-0x000000013F200000-0x000000013F554000-memory.dmp

C:\Windows\system\UvZdcdt.exe

MD5 919cea352ec8fbcd6f83923ab164807b
SHA1 6b0099309d5299c4ac8e55b8353ad1347782cf25
SHA256 f3f0563b33e55c3d5b0fda79a202c7cddbd2c93c750565fdfbf9b40d46556a32
SHA512 60e1f985737f21a047c59fc423429170783acaf746d4a4f338f66615eb6318f4632905dbf6461cec1d294bcd811a2a79cb44e6bd9b7746ac3f8bbf6e88200862

memory/2420-50-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/2832-45-0x000000013F7C0000-0x000000013FB14000-memory.dmp

C:\Windows\system\MWNfKcX.exe

MD5 7d94c8cd8ec7830d1a1e3892d044fefb
SHA1 77acf06e7ddfdea1b4dd0819f1fd9bcb08e18bb2
SHA256 2dbed0a4ebffe4c937bbc7b355e6afec8c0eb512ea12a8f5316634beefd03c5f
SHA512 3cca2b5aba9e4339d3dc2327b3990bbf64e6df46a40fe476a5b41909279cfe3e5cfd5bf4bc33fc269ff742631989b80574312da03212f30c9a91a2b49231720d

memory/3032-75-0x000000013F070000-0x000000013F3C4000-memory.dmp

memory/2968-87-0x000000013F690000-0x000000013F9E4000-memory.dmp

C:\Windows\system\zsMFbPH.exe

MD5 c71ebc13fcd9f99a715009b346e7ba22
SHA1 0c2d990fed2d1b649dd7b3ffdc07157bf605e36e
SHA256 bc58740d87d73ac1c4f17466dd10bb9ab812a6e73d19717ad975810dff975fad
SHA512 e40123e2a78753a9d273abfca27c7140ca32673923daa99c1f53f40df2f23fdf59e05520ffb8a20298f1d0979c5bfce86caca8c77be8975963f988527234a05d

C:\Windows\system\sGGuaKw.exe

MD5 3696f209711d280f848b20e91146e56a
SHA1 8c329140d9ccc27386352758124b4b8164881eb3
SHA256 40b931f8ed0779799f7511cab7c5c43b0fde2964a3b8cb109a74657080a0c083
SHA512 7c717e6c50e7d8ee544905d3380c29f6e68b393bb92915d9b267980080e2cce371f58f2b6ee62a6da4207ad6ad9ef92899bcb86f2d20c82702b0d8c739bece67

\Windows\system\xRCrwpG.exe

MD5 4b5a78b875ba1c7e9479a9400bd45178
SHA1 09e446a9820d2bc11faad8d0af02b7a1b436a8df
SHA256 f80ad85a57e85d71d477182987f4c8f1c6ef8769fa29c23f3ba89d284acfdb76
SHA512 bc1235cc97642793bf9399282cb72d777251816fe9476d83fbe5d01b0a527045b37f2cfcdfe69085220ff4cfe0e85b3330ed21e4ea259e854a6cce05d2047b20

C:\Windows\system\jIzUfWl.exe

MD5 87c722ec64bf1f507b6691f215b8e727
SHA1 9b3a76ad44fc19d0b09960455f159c7c019348d1
SHA256 b57a550aec758f70fb5b7ecc8a0fc84aeee3a305e0b0d173a16551c73098c778
SHA512 15f4b245ad092f2a1a8f51e8944de64b6864c00e3f12158789d3fd4865e44dddaf7bc0657176337170b15dbafaa5be15be0d25243a9e5b43a287c97cadd88219

C:\Windows\system\bCsHFRC.exe

MD5 11f747495026b4bd9e84b02c1a9cb928
SHA1 a796488ea81e83e720c6ffc1bdfe0891680fcb5c
SHA256 75d4a909a4cc31dbb3f6ef9447fe75e0d71df408a5b915e7c20a2aa9ce701374
SHA512 5db91eeac9c837addf144d7c1294542947e07cfe43a8de2f3c4f765f1cc02a5360632702abb933774e55f8dde46bca6a7382b3a4f4fdaa08d3acf32f0131fe68

C:\Windows\system\yrHuWMT.exe

MD5 c1b7c167c455260ada4bd3e2c5e59fc7
SHA1 f12f8c7e8962ac5e23986522ee6a51f7f041002b
SHA256 57eb86831c8296605be2098d37c66298fcfe31445ff1e8df48f95d5464f39ac1
SHA512 9c227e94ff801b84f653d036239a46526771e095e6a174c23d9a6ef8b556dc787f933ad25de21c93856b1362f85b81614754f5726c5e5ec09aca56cc94a9c074

C:\Windows\system\sannblE.exe

MD5 e6b4c9bd29abf5ec557c4a2781c303e8
SHA1 c7874023da9520c6602f959adcbbf19a5017e8a8
SHA256 9648a51ee0043ed3970cd75e6de334e3dfc393e8907d42ce07c86b8c3964d7c7
SHA512 67d3516156e328712db8e65de68d4744b341c1fa826461e5e0186138da81e7ff0d583e6c78c6cf3051c03d45bd511e99e3a5966ae68cfcb6efbe5ee712b14e81

memory/2420-86-0x00000000022F0000-0x0000000002644000-memory.dmp

C:\Windows\system\mlqXcnC.exe

MD5 8a64a8c256cfde79638d0f7af9154f91
SHA1 e0054a0c5bdbadd5fabd7765164e9b4e46ecfd4f
SHA256 f06cbe48400da535125103cfd15f87b684578241590ff71f42090d7e9418b933
SHA512 4a742a861dfeb8ca98adae313fde92cd3e2411c3415e2183127e7a53cf33f416cd5b088e24dc0401d4a85c50bb377ad2982c391dfd931265134e7eaaf085c585

memory/2992-81-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2420-80-0x000000013FEC0000-0x0000000140214000-memory.dmp

C:\Windows\system\OiwIHJU.exe

MD5 baaf0cd1e182a4c35c3b8451e1cc2a78
SHA1 750a6f4c79599b9df7497b4dd1cfdb9aa91a4057
SHA256 47c0c1c5550e68c37e1e6fcbac74eaf73a7626f43f2d3c0aa2e91180e493eb10
SHA512 5d779446d03df4a660d1dbc27da89ce07ce9ce951e2c2782748900fe18bf02c3c5bfbe8427d9b14f4d77e68ab09cdc0c6e2cd9bc23e753816fc2729ab8889fc0

memory/2568-70-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2420-69-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2420-68-0x00000000022F0000-0x0000000002644000-memory.dmp

C:\Windows\system\xtQCfdD.exe

MD5 c887648f9272a7a8d3a568b55e8ffc5a
SHA1 393cfd28aad01e5bbf1b50034a84aedde2415bc5
SHA256 8ac5fca3d46ef26a3bbdd72f6d96010424a33d008916b8279d1415753ac150b8
SHA512 191d197cb029291ab310d5cd87496d6f58d9ee812c64290ad377fc71c48d634cd78678dc999ab41f0327c052fb1705c466af75fea10d47ff59243e5f0e1c52dd

memory/2516-63-0x000000013F2B0000-0x000000013F604000-memory.dmp

C:\Windows\system\TuEkLAM.exe

MD5 9a2bc33b8e9e015a2811e1ae983ab999
SHA1 bf71ea301e45361784c8d0bbdeba5baf02050502
SHA256 ac098f6528ea3cf08916368f636daf57c21d471abea6907635e22998bfc8ba03
SHA512 b64dac5c7b8099100d4d66290586362451e2adc0440c1d8ff19e7eb23c1dc15d56d0352cec75909f75a51ae4fb34eef30d69d692acb76fd2233972b50828bc00

memory/2796-57-0x000000013FF60000-0x00000001402B4000-memory.dmp

memory/2420-56-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/2420-55-0x000000013F5C0000-0x000000013F914000-memory.dmp

C:\Windows\system\KAQufJP.exe

MD5 d31454484d86cee6418516419ce12883
SHA1 09ec681718cc792c6b35463ea8a45c98a473de85
SHA256 b4f634eb393ab214fdcf70b5bb8b25fe560f969fd337d9d2307b4826568665b9
SHA512 84433b5a254622499700010ed986ebdbc28c184a49c739c5f4bd94519efc2459e324ce75a292d0921c83faa85b964345afc42d668db7e9e13f91bf27a570bc90

memory/2420-44-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/2696-51-0x000000013F440000-0x000000013F794000-memory.dmp

C:\Windows\system\SqfwRUr.exe

MD5 f63bc6312a8e77a4333b947895e0a420
SHA1 8e4e5f508e4a0acecd831b3494e58122694df204
SHA256 fec579ae4c6f69c41294a85e4f439d154d1f2a240d55399df7e2263d98b588fc
SHA512 5dc7ed75c8751c09e5dfb40258cc68927245eb2d100ea020b75cee5dc7b60f0b4e8615f206cdfac6a76e61e592bd3d73838819bfaeddd812a9da44bb16f2e917

memory/2696-134-0x000000013F440000-0x000000013F794000-memory.dmp

C:\Windows\system\xiAmTUl.exe

MD5 31104f2529b0aa418165dec80e3fb7ac
SHA1 df56b0995d5498a689e34845786493dd768815ab
SHA256 0d6be84f6d74bf1c878f0ce6edc9eb5af46b7f9fb89442e2888d66c4754dc1ce
SHA512 0cba6ee18431f09ed89b01eb6ed9958ff55cb0c20c536c6565c5826036632127cadf4dad019bc5b2398840213e3a1feb16c45049b1ee7321682891bd01dfc1a7

memory/2800-39-0x000000013F7F0000-0x000000013FB44000-memory.dmp

C:\Windows\system\FwzygAN.exe

MD5 f4df100cdd61d7ed29d963ac89c98425
SHA1 3f3c0de286f9a391fbd5ebc7dab47177d2781385
SHA256 39d00b5c73c72036e2cfe16690f0f87634126b5e765fd4e305042d236cdd1b45
SHA512 8b143a91e408b903db609399fb9b9daccdae8832b0bfa58ea257da10482e7acdf4c7e580b0db11ed29fbff7fb587c52accb6a8f7ce1521dc99fb981280b71eac

memory/2672-34-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/2420-33-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/2420-27-0x000000013F200000-0x000000013F554000-memory.dmp

memory/1388-22-0x000000013FC10000-0x000000013FF64000-memory.dmp

memory/2420-20-0x000000013FC10000-0x000000013FF64000-memory.dmp

memory/2796-135-0x000000013FF60000-0x00000001402B4000-memory.dmp

memory/2516-136-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/2420-137-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2568-138-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2420-139-0x000000013F070000-0x000000013F3C4000-memory.dmp

memory/3032-140-0x000000013F070000-0x000000013F3C4000-memory.dmp

memory/2420-141-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2992-142-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2420-143-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/2968-144-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2420-145-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2052-146-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2884-147-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2728-149-0x000000013F200000-0x000000013F554000-memory.dmp

memory/2516-151-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/2968-153-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/3032-152-0x000000013F070000-0x000000013F3C4000-memory.dmp

memory/2832-156-0x000000013F7C0000-0x000000013FB14000-memory.dmp

memory/2796-157-0x000000013FF60000-0x00000001402B4000-memory.dmp

memory/2992-159-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2568-158-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2672-155-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/1388-154-0x000000013FC10000-0x000000013FF64000-memory.dmp

memory/2800-148-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/2696-150-0x000000013F440000-0x000000013F794000-memory.dmp
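The memory-dump artifact names in the Files lists encode the PID the dump was taken from, a sequence number and two hexadecimal addresses. The following Python is an added editor's example, not output from the sandbox: it parses a subset of the names copied from the Files lists of both behavioral runs and reports the distinct region sizes and the ranges that were dumped from more than one PID. Reading the two hex fields as start and end virtual addresses is an assumption about the naming scheme; every name visible on this page fits it, and under it every dumped region except the 64 KiB one at 0x1A3C5290000 in PID 4900 is exactly 0x354000 bytes: the dropper's own image, every child image, and the parent's repeated dumps (PID 2420) of a low region at 0x22F0000 that no child shares.

```python
import re
from collections import defaultdict

# Dump names copied from the Files lists of the two behavioral runs (a subset
# of each; the full lists above are longer). None of these names is invented.
DUMP_NAMES = """
memory/2420-86-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2992-81-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2420-80-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2568-70-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2420-69-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2420-68-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2516-63-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2796-57-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2420-56-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2420-55-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/4900-0-0x00007FF6960B0000-0x00007FF696404000-memory.dmp
memory/4900-1-0x000001A3C5290000-0x000001A3C52A0000-memory.dmp
memory/1696-8-0x00007FF652810000-0x00007FF652B64000-memory.dmp
""".split()

# Assumed layout: memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp, with
# start and end read as virtual addresses. Every name on this page fits it.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """(pid, seq, start, end, size_in_bytes) for one dump name, or None if it does not fit the layout."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return int(m["pid"]), int(m["seq"]), start, end, end - start


def group_by_pid(names):
    """All parsed dumps keyed by the PID they were taken from."""
    by_pid = defaultdict(list)
    for rec in filter(None, map(parse_dump, names)):
        by_pid[rec[0]].append(rec)
    return dict(by_pid)


def region_sizes(names):
    """Distinct region sizes; one dominant value means the sandbox kept dumping the same-sized image."""
    return sorted({rec[4] for rec in filter(None, map(parse_dump, names))})


def shared_regions(names):
    """Address ranges dumped from more than one PID, i.e. the same range seen in parent and child."""
    pids_by_range = defaultdict(set)
    for rec in filter(None, map(parse_dump, names)):
        pids_by_range[(rec[2], rec[3])].add(rec[0])
    return {rng: sorted(pids) for rng, pids in pids_by_range.items() if len(pids) > 1}


if __name__ == "__main__":
    for size in region_sizes(DUMP_NAMES):
        print("region size 0x%X (%d bytes)" % (size, size))
    for (start, end), pids in shared_regions(DUMP_NAMES).items():
        print("0x%X-0x%X dumped from PIDs %s" % (start, end, pids))
```

Two things fall out that the raw list hides. First, the parent was dumped over the same address range as each child it wrote to (for example 0x13FEC0000-0x140214000 from both PID 2420 and PID 2992), which is what a parent that maps a child image before WriteProcessMemory looks like; the names alone only show that the ranges coincide, so comparing the dump contents is the next step. Second, every dropped file on this page has a different hash yet yields an image of identical size, which points at per-drop rewriting of one binary rather than at distinct payloads.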

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 04:27

Reported

2024-06-10 04:30

Platform

win10v2004-20240426-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 hits reported; every row in the exported table reads N/A in all four columns)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 hits reported; every row in the exported table reads N/A in all four columns)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(64 hits reported; every row in the exported table reads N/A in all four columns)

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits reported; every row in the exported table reads N/A in all four columns)

UPX packed file

upx
Description Indicator Process Target
(64 hits reported; every row in the exported table reads N/A in all four columns)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\dvBPdHN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UFRdMLo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SXIaQPm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bzcgDUA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qEBgope.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QwvzDrw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ONzgrBT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KciteBZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\taDTWgv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JFTSSkq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WiWBLDG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pZcsFLt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qeBaaPQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QukCseZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zveJdJS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EWEEesw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\htffbGS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NXAtUIT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\smjQTLz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MgykiHj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EMBnLhq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe N/A

Note: SeLockMemoryPrivilege is the privilege Windows requires before a process may allocate large pages. XMRig enables it at startup so that its mining memory can be backed by large pages, so these two hits fit the miner component rather than the Cobalt Strike loader, which has no need for it. When both tags land on one sample, this privilege request is a quick way to tell which component is active in the process that made it.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\KciteBZ.exe
PID 4900 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\KciteBZ.exe
PID 4900 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\smjQTLz.exe
PID 4900 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\smjQTLz.exe
PID 4900 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\MgykiHj.exe
PID 4900 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\MgykiHj.exe
PID 4900 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\taDTWgv.exe
PID 4900 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\taDTWgv.exe
PID 4900 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\JFTSSkq.exe
PID 4900 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\JFTSSkq.exe
PID 4900 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\SXIaQPm.exe
PID 4900 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\SXIaQPm.exe
PID 4900 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\QwvzDrw.exe
PID 4900 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\QwvzDrw.exe
PID 4900 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\EMBnLhq.exe
PID 4900 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\EMBnLhq.exe
PID 4900 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ONzgrBT.exe
PID 4900 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\ONzgrBT.exe
PID 4900 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\zveJdJS.exe
PID 4900 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\zveJdJS.exe
PID 4900 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\pZcsFLt.exe
PID 4900 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\pZcsFLt.exe
PID 4900 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\EWEEesw.exe
PID 4900 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\EWEEesw.exe
PID 4900 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\bzcgDUA.exe
PID 4900 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\bzcgDUA.exe
PID 4900 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\qEBgope.exe
PID 4900 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\qEBgope.exe
PID 4900 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\qeBaaPQ.exe
PID 4900 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\qeBaaPQ.exe
PID 4900 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\QukCseZ.exe
PID 4900 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\QukCseZ.exe
PID 4900 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\htffbGS.exe
PID 4900 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\htffbGS.exe
PID 4900 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\dvBPdHN.exe
PID 4900 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\dvBPdHN.exe
PID 4900 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\NXAtUIT.exe
PID 4900 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\NXAtUIT.exe
PID 4900 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\WiWBLDG.exe
PID 4900 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\WiWBLDG.exe
PID 4900 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\UFRdMLo.exe
PID 4900 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe C:\Windows\System\UFRdMLo.exe
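The two tables above record the whole drop-then-write chain: the sample running from the user's Temp directory creates 21 executables under C:\Windows\System, and PID 4900 then calls WriteProcessMemory (twice per child) on a process whose image is each dropped file. The Python below is an added editor's example, not anything produced by the sandbox. It parses a subset of those rows, copied verbatim, joins the two tables on the dropped path, and flags each child with two heuristics: the dropping process lives under \AppData\Local\Temp\ and the dropped name is seven letters of mixed case. Both heuristics are assumptions drawn from the 21 names on this page, not a published rule, and the seven-letter regex will need tuning for other samples. Comparisons are case-insensitive because the behavioral1 tables spell the directory C:\Windows\system.

```python
import re

# The dropper's own path, as it appears in the Process column of both tables above.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe"

# Rows copied verbatim from the two tables (a subset). Columns are
# Description, Indicator, Process and Target, separated by single spaces;
# no path on this page contains a space, which is what makes that splittable.
DROP_ROWS = [
    "File created C:\\Windows\\System\\KciteBZ.exe " + PARENT + " N/A",
    "File created C:\\Windows\\System\\smjQTLz.exe " + PARENT + " N/A",
    "File created C:\\Windows\\System\\dvBPdHN.exe " + PARENT + " N/A",
]
WRITE_ROWS = [
    "PID 4900 wrote to memory of 1696 N/A " + PARENT + " C:\\Windows\\System\\KciteBZ.exe",
    "PID 4900 wrote to memory of 1696 N/A " + PARENT + " C:\\Windows\\System\\KciteBZ.exe",
    "PID 4900 wrote to memory of 2784 N/A " + PARENT + " C:\\Windows\\System\\smjQTLz.exe",
    "PID 4900 wrote to memory of 2784 N/A " + PARENT + " C:\\Windows\\System\\smjQTLz.exe",
    "PID 4900 wrote to memory of 5076 N/A " + PARENT + " C:\\Windows\\System\\dvBPdHN.exe",
]

DROP_RE = re.compile(r"^File created (?P<target>\S+) (?P<proc>\S+) N/A$")
WRITE_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A (?P<proc>\S+) (?P<target>\S+)$"
)

# Heuristics, both assumptions derived from the 21 names on this page rather than a published rule:
# the dropper runs from the user's Temp directory and the dropped name is seven letters of mixed case.
TEMP_MARKER = "\\appdata\\local\\temp\\"
RANDOM_NAME = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.I)


def build_chain(drop_rows, write_rows):
    """Join the two tables on the dropped path: child PID -> {ppid, image, writes, dropped_by}."""
    dropped_by = {}
    for row in drop_rows:
        m = DROP_RE.match(row)
        if m:
            # lower-case the key: behavioral1 spells the directory C:\Windows\system
            dropped_by[m["target"].lower()] = m["proc"]
    chain = {}
    for row in write_rows:
        m = WRITE_RE.match(row)
        if not m:
            continue
        pid = int(m["pid"])
        rec = chain.setdefault(pid, {
            "ppid": int(m["ppid"]), "image": m["target"], "writes": 0,
            "dropped_by": dropped_by.get(m["target"].lower()),
        })
        rec["writes"] += 1   # the table repeats a row per WriteProcessMemory call
    return chain


def flag_drop_and_inject(chain):
    """Children whose image a Temp-resident process dropped under C:\\Windows\\System and then wrote into."""
    hits = []
    for pid, rec in sorted(chain.items()):
        dropper = (rec["dropped_by"] or "").lower()
        if TEMP_MARKER in dropper and RANDOM_NAME.match(rec["image"]):
            hits.append((pid, rec["ppid"], rec["image"], rec["writes"]))
    return hits


if __name__ == "__main__":
    for hit in flag_drop_and_inject(build_chain(DROP_ROWS, WRITE_ROWS)):
        print("child %d (parent %d) %s, %d write(s)" % hit)
```

The same two conditions translate directly into an endpoint query (file-create events under C:\Windows\System from an image under \AppData\Local\Temp\, followed by a cross-process write from that image into a process whose image is the created file). A matching chain also tells you the dropper ran with rights to write into the Windows directory, which a standard user does not have; here it ran as Admin in the sandbox.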

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-10_0a17be03e807f3ec2f4fdf9aa4f075cd_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KciteBZ.exe C:\Windows\System\KciteBZ.exe
C:\Windows\System\smjQTLz.exe C:\Windows\System\smjQTLz.exe
C:\Windows\System\MgykiHj.exe C:\Windows\System\MgykiHj.exe
C:\Windows\System\taDTWgv.exe C:\Windows\System\taDTWgv.exe
C:\Windows\System\JFTSSkq.exe C:\Windows\System\JFTSSkq.exe
C:\Windows\System\SXIaQPm.exe C:\Windows\System\SXIaQPm.exe
C:\Windows\System\QwvzDrw.exe C:\Windows\System\QwvzDrw.exe
C:\Windows\System\EMBnLhq.exe C:\Windows\System\EMBnLhq.exe
C:\Windows\System\ONzgrBT.exe C:\Windows\System\ONzgrBT.exe
C:\Windows\System\zveJdJS.exe C:\Windows\System\zveJdJS.exe
C:\Windows\System\pZcsFLt.exe C:\Windows\System\pZcsFLt.exe
C:\Windows\System\EWEEesw.exe C:\Windows\System\EWEEesw.exe
C:\Windows\System\bzcgDUA.exe C:\Windows\System\bzcgDUA.exe
C:\Windows\System\qEBgope.exe C:\Windows\System\qEBgope.exe
C:\Windows\System\qeBaaPQ.exe C:\Windows\System\qeBaaPQ.exe
C:\Windows\System\QukCseZ.exe C:\Windows\System\QukCseZ.exe
C:\Windows\System\htffbGS.exe C:\Windows\System\htffbGS.exe
C:\Windows\System\dvBPdHN.exe C:\Windows\System\dvBPdHN.exe
C:\Windows\System\NXAtUIT.exe C:\Windows\System\NXAtUIT.exe
C:\Windows\System\WiWBLDG.exe C:\Windows\System\WiWBLDG.exe
C:\Windows\System\UFRdMLo.exe C:\Windows\System\UFRdMLo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
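The Network table mixes two kinds of traffic: PTR (reverse) lookups sent to 8.8.8.8, where the queried name carries an IPv4 address in reversed octet order, and six TCP connections to 3.120.209.58:8080, the only destination in this run that is not DNS. The report attributes no row to a process. The Python below is an added editor's example, not sandbox output: it parses the rows as they appear above, decodes the PTR names back to addresses, counts the non-DNS endpoints and checks whether any reverse-looked-up address was also contacted directly (none was). The row layout it expects is taken from the table itself, with the Domain field absent, empty or a "-" placeholder on the TCP rows; treating port 53/udp as DNS is the only other assumption.

```python
import re
from collections import Counter

# Network rows copied from the table above (Country Destination Domain Proto).
# The Domain field is absent on the TCP rows in the export; the parser also
# accepts an empty field or a "-" placeholder there.
NETWORK_ROWS = """
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
""".strip().splitlines()

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)


def ptr_to_ip(name):
    """Turn a reverse-lookup name (d.c.b.a.in-addr.arpa) back into the IPv4 address a.b.c.d."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def parse_row(row):
    """Split one table row into a dict; returns None for rows that do not fit the layout."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        return None
    if domain == "-":
        domain = ""
    host, _, port = dest.rpartition(":")
    return {"country": country, "host": host, "port": int(port), "domain": domain, "proto": proto.lower()}


def summarize(rows):
    """Return (IPs that were reverse-looked-up, Counter of non-DNS endpoints as (host, port, proto))."""
    looked_up, endpoints = [], Counter()
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        ip = ptr_to_ip(rec["domain"])
        if ip:
            looked_up.append(ip)
        if not (rec["port"] == 53 and rec["proto"] == "udp"):
            endpoints[(rec["host"], rec["port"], rec["proto"])] += 1
    return looked_up, endpoints


def contacted_after_lookup(rows):
    """Reverse-looked-up IPs that also appear as a direct endpoint; empty means the PTR traffic and the connections are unrelated."""
    looked_up, endpoints = summarize(rows)
    direct = {host for host, _, _ in endpoints}
    return sorted(set(looked_up) & direct)


if __name__ == "__main__":
    ips, eps = summarize(NETWORK_ROWS)
    print("reverse lookups:", ips)
    print("non-DNS endpoints:", dict(eps))
    print("looked up and contacted:", contacted_after_lookup(NETWORK_ROWS))
```

Reverse lookups of addresses that are never contacted are commonly the host's own background activity rather than the sample's, so 3.120.209.58:8080 is the row worth pivoting on; the report does not say what was exchanged on it, and the repeated short connections are consistent with, but do not prove, a beacon check-in.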

Files

memory/4900-0-0x00007FF6960B0000-0x00007FF696404000-memory.dmp

memory/4900-1-0x000001A3C5290000-0x000001A3C52A0000-memory.dmp

C:\Windows\System\KciteBZ.exe

MD5 15f4114f51dd8191690d864e275ee0cd
SHA1 945623cebd61bff2ceec2f33d1665eaa5aa804c7
SHA256 10ebc8cae1b64221dd2c4341e7c32a6dc12b3f8399fe6b16959c0019f2583716
SHA512 af68dbb844e6bdd90ec936f4a65be406fd355031c0904697bdb14eeed5b2991bb5f37a673d2c012b75e9287e152b0d2660a90709a49d8be2d9379c45d4e857b4

memory/1696-8-0x00007FF652810000-0x00007FF652B64000-memory.dmp

C:\Windows\System\smjQTLz.exe

MD5 dbbcce0e92916e01759d865790b0febd
SHA1 163563440862f462bc33c9b50ea41b94ae666d96
SHA256 45f1778efe9bd1249ec0a062246201db4a064200a83edcbf8bb1fbf331995cfe
SHA512 38ac2912b44f83dfae6f27a17d64490138a49245fd84285bddc6ecab0a191ab0f259ad78d5480627607a6a88a0060c16cdbf17b097ff3541c52d3502c681c061

C:\Windows\System\MgykiHj.exe

MD5 3c5ee0132c63fe88659aff486487a6aa
SHA1 ea726844b83a80a6819c05537a159b7454870b7b
SHA256 aa790994836331c0c3615a6c92502aa9dc8e703a21a7b30c1ef1de8fec5e725e
SHA512 b247dacb200027515666a40a094e50da21c9fdb04bdd78427d9d66ce2ca32986b4522d59f144178cbacd0fdcdb0326f69601e489e95270ea0d9b81df989c2c81

memory/2784-14-0x00007FF6348F0000-0x00007FF634C44000-memory.dmp

C:\Windows\System\taDTWgv.exe

MD5 00b45d18548416652756e177b2bf05ef
SHA1 28546e633c6adedf239d343680e5fae5afccbc90
SHA256 80f124c19db54f6266f0effcf4934b63a6f0d10817198ac71539d5ea37a21ffe
SHA512 1fd03acacd020b1ac015fe51997885696ef5e523141f9fd4f525c465333d5b347ee969b54855da4b74d11240aabc82e28a09c20fdebc362d7705f43cfea6966a

memory/2012-25-0x00007FF7691F0000-0x00007FF769544000-memory.dmp

C:\Windows\System\JFTSSkq.exe

MD5 ab3b6aca10ee16d48bb68026475ca5d9
SHA1 d7f917327a7b4a358fda73b0c55eef6c02a127d5
SHA256 8d12f2a173583c9362ec789d066a01886d064f85af7a7f8dba7859c7d6ff12ed
SHA512 ada1f1073572a1212ffec12be359c21883fc8f75a05fdc3c80c449bccaa278b7b01406d6994d5ff89f6c708ca71d07867c835cffd0fbc1b10d014ea6a89a7037

C:\Windows\System\SXIaQPm.exe

MD5 ab4f828d1c958a70a0f365fc9bf9c6d5
SHA1 a050b26493b5f001a231b2a876f2577e6e95a467
SHA256 cfc25d1ef8f48734405d53e7379eb0e2c8acbb8358b8660f5c236e49af38f1d5
SHA512 4b28f17706b211dc34cb3078ee113be2b0faabf7ba910ff75538a542ebaa7e69f6eebf033422d098eae577312fbdcf58ee756b7855ab15e027c50253559736d9

memory/5012-34-0x00007FF6DCB50000-0x00007FF6DCEA4000-memory.dmp

memory/4556-26-0x00007FF715700000-0x00007FF715A54000-memory.dmp

memory/536-38-0x00007FF6D85F0000-0x00007FF6D8944000-memory.dmp

C:\Windows\System\QwvzDrw.exe

MD5 df799037fa670ca2069595f88c559ce2
SHA1 3cd50e1eac30761cbd47fc64788f3681dc328b3f
SHA256 b094be82b5f1f9e5c42616a23e1109e64e83fb3d5da9733b62c90b702d5279eb
SHA512 9fe0b2c48cc478b73d4f5a178ce6183b6f24f498c599ad90031061b4df86b61e7ca419297f3f997bc33d315560568166723c89c2e7b30086f56c26c3abdcc4c2

C:\Windows\System\EMBnLhq.exe

MD5 962bd3694f54b8d82ff7ec3ecc32451a
SHA1 460e199783dd7bbf76c4c09988b81b214d9a79fe
SHA256 1c2ad99d75c630cfbe26cb8f9ec4af1df5140ce3ed7e19eadb96f4c193e424fa
SHA512 45e17fe8d20ca459ac78f8406ab7cb745d12f4f5507a58444c66330d3eeb8233dc6c838b3f2d99d45f8f0568b9754bc4f83e5d62f3845e86f108a99386d2406d

memory/3788-44-0x00007FF625A50000-0x00007FF625DA4000-memory.dmp

memory/4740-50-0x00007FF6F8550000-0x00007FF6F88A4000-memory.dmp

C:\Windows\System\ONzgrBT.exe

MD5 8393b2840d9a688ea9594451dbf51274
SHA1 927b2b22e28b33e44c885ad4bdd41fe85372d592
SHA256 8118fd8040ef7b4121ee38af8eab13796f38f1f43da66a1bb7a8c83bfcc55d3a
SHA512 4a036b55eb2df976bca85a1463807ad74458937fb297a713656205b07406742808a99f7279eacbffd5efa51ae49ec7a0b6af7c409eaf140faaf55e748d7c45a2

memory/1768-55-0x00007FF7AFBB0000-0x00007FF7AFF04000-memory.dmp

C:\Windows\System\zveJdJS.exe

MD5 fbcdc50313d3f4947e621b1ba50a1c6b
SHA1 53a0e91bc752f373337aef63c9d31934989b0deb
SHA256 73f1a7ce09375426d15815c59de45bf2feb8ce3a8cc063f44f195fae5b284496
SHA512 86b8f4e95fa95477b7e2658d1b68d4b764cbb13a37e45da7e662006cf0d3a144b349b8cb8affce963d5a8691c0486e4a9e7e7505c3a8da5d5fdba2000fd85818

C:\Windows\System\pZcsFLt.exe

MD5 856e41706037da0d5338074c645764dd
SHA1 4851d8c9e6cd6278445c23027c41fd0f24a45740
SHA256 539f33a8f5a42f7be0515fbee7a022576e3c5d2220d9066c53491cb32013869d
SHA512 4d8b215031dada54db7b8307ca1466c5e6afc4c2700ace5e26e49b9880b8fdacb759ac6d6cae66e20c37a0e0f0ccc013cda90d0b0f10fbae0c69910be4f3dfb6

memory/544-66-0x00007FF686970000-0x00007FF686CC4000-memory.dmp

memory/1956-67-0x00007FF68DD80000-0x00007FF68E0D4000-memory.dmp

memory/4900-62-0x00007FF6960B0000-0x00007FF696404000-memory.dmp

C:\Windows\System\EWEEesw.exe

MD5 d9576bd10e10b05f85f25dd52b835bd7
SHA1 20a779a1caba743aa5e01635e950d789863541d8
SHA256 641ce21253a195c666078e729ab5a0d3bad690957653b68c51bdcf6327b6d7ab
SHA512 db19936ab05074e35c3c706d38b0318d60592524d2d743824c441b34f6fe32758419a89f5ffa63022ab0b33477b01417b44371208dedc11b28806e22c8c38b1d

memory/3564-78-0x00007FF79F3F0000-0x00007FF79F744000-memory.dmp

C:\Windows\System\bzcgDUA.exe

MD5 54e9f8b8c74535073d8d663e8a1c2598
SHA1 6d8efa0bed44d2647d196909efefcb77ec092d16
SHA256 21a63a0047d19659d442fa2086e7d4da4d9b34d3ab6dbda9937cd7a8cf8281b5
SHA512 b3f1677c2b823195ee378a652c95b1be8ba75a5e80f838afaac3cd754c5fa7c00a416c3d48f0598e8c24c8e733d2a7db5da86a6f514b2e74721e24a70df39032

C:\Windows\System\qEBgope.exe

MD5 eabb9d23abcc5f1e863a5087c25522c5
SHA1 f67b9bca35cdcb0b56ef45c6b3d1d73211c571bb
SHA256 34ed383f07e127bab46f4f7ca21b48af17d99e6a767f1fb5bb4b78e332ee19aa
SHA512 4c7f505cc4027b6ddf2be46994d0b59e244038516550699b3d18a50f4dfb0cd35925a4bc1e7c25d3c4020e8256a6b0a0ae697ea66254245e414262e72c28171d

memory/1968-79-0x00007FF705E70000-0x00007FF7061C4000-memory.dmp

memory/4060-89-0x00007FF77DE60000-0x00007FF77E1B4000-memory.dmp

C:\Windows\System\qeBaaPQ.exe

MD5 a540bd0837e5f4baa89af82c658553c0
SHA1 72adb4b2b68905adf6bacb0e64bbaaf17bdfe626
SHA256 8d5c12ddda3bd7650ed97d7438f079e54a645edf63ef639e95c902fbb7bde698
SHA512 6fea099395065caff80efa1f2042d9558a97c611ab2a45d34b02bad0145e4d22bc31ddc8df06b2de8720e0c926105a7242a5c4b60b237c1359493395b512574c

C:\Windows\System\htffbGS.exe

MD5 a16262103b38d391207f22d76bd50dc3
SHA1 f924ac9b00191003fa401474ad65a10d325ef4cf
SHA256 5e932245223e00fc5423dab49c169a8f753931d3e5557021ed3344169c23bb8c
SHA512 fa2f2e479fe0a4a442027b8fee134151774594cf81a365ecad2e0038c700177342bcaf0b6a9f3bc822a2738c1a1c2bdb81e503d7eeeeba6906d2f7e8155401f6

C:\Windows\System\dvBPdHN.exe

MD5 06afb531c748539bb87004e870c1c461
SHA1 5be714dfbf7079ceb961ea0ac2859f321020f4a7
SHA256 e04ff1072690cb5740d105e5a50a4b1c76cd7c85c630cdfc2e84adb0b8e72555
SHA512 d42380e11d4d54f4628d95d9088e4a8277cad5d30a649b6fe79115a13697e09f013a8241a932a1be1a984aded7644e67a600717f456d0165c8f0d9504a914254

memory/1768-110-0x00007FF7AFBB0000-0x00007FF7AFF04000-memory.dmp

memory/5076-109-0x00007FF732BA0000-0x00007FF732EF4000-memory.dmp

memory/2088-103-0x00007FF651AA0000-0x00007FF651DF4000-memory.dmp

C:\Windows\System\QukCseZ.exe

MD5 9070da721642844c32e1a5a2f22fa910
SHA1 8418a216032fc2eea1dd46b91390f2fe809376a5
SHA256 78c8968e42712b751b07835d36292b420021e4d2fe70d9a5bc21f0b3d5947cea
SHA512 352aa069a3e8a3d0794e228ce0933e090bc9c6f3b2d37dfe8f9d949bd620ddb2d7828f3b0dee0268b7b9c9633bd4839d61e937291caae56fc4b1a9ac5a09037b

memory/4844-99-0x00007FF7E0A00000-0x00007FF7E0D54000-memory.dmp

memory/1656-96-0x00007FF659910000-0x00007FF659C64000-memory.dmp

C:\Windows\System\NXAtUIT.exe

MD5 e7d322f1653faae93487d4294fa73050
SHA1 99350aacaf3b38a9c5fb4c80b0860290147379c4
SHA256 cc4c912d57b693e490c6a136cf12020865c3ccb519ce942a8716757be0b9f2dc
SHA512 6a962eb9a62226491d470dd2214ea27a99243d000ff1e8f30849d9eae256ed1729dd690e262e0d441dec937bcb5eef42ec380cae04ba6f1e54f6adde85d86a1f

memory/2408-124-0x00007FF7E21E0000-0x00007FF7E2534000-memory.dmp

C:\Windows\System\WiWBLDG.exe

MD5 38d1229792165d34f4192dc93e69b8a1
SHA1 fe37eb80d756bd2fbfa8d2ce370f05c2ff5bd679
SHA256 83d3f6bb6fb9c249974c5b0ad2561401fbaf021065f44803374f08241d8b7885
SHA512 d25e4be25af1ea30ece55ef16b8f40b718ca2bebc5ce0f2a2c010d022cb625b520f7cc915b428714f88a82f19b6e7d9748c84674eb5e7f64eadddacc15c2c572

memory/3724-118-0x00007FF72B820000-0x00007FF72BB74000-memory.dmp

C:\Windows\System\UFRdMLo.exe

MD5 321acf34847f7945fde1c848299386c5
SHA1 20ce7ec5adf9e05b723c2eaa9b90ade62887bf04
SHA256 69a7500e84970167c53963b7cc7736dc9292fc3fb84d0b9b54fed734d94f2c26
SHA512 54df9672a745715b95e99c2a271755bfe7fe7242d014d083fd98ad92dc389d023609dea2979ed195d599bfbb051781b0bbf0bb9d8451961dcc0afc5cb739b6d0

memory/1956-129-0x00007FF68DD80000-0x00007FF68E0D4000-memory.dmp

memory/4356-130-0x00007FF72FCE0000-0x00007FF730034000-memory.dmp

memory/1968-131-0x00007FF705E70000-0x00007FF7061C4000-memory.dmp

memory/4844-132-0x00007FF7E0A00000-0x00007FF7E0D54000-memory.dmp

memory/2088-133-0x00007FF651AA0000-0x00007FF651DF4000-memory.dmp

memory/5076-134-0x00007FF732BA0000-0x00007FF732EF4000-memory.dmp

memory/3724-135-0x00007FF72B820000-0x00007FF72BB74000-memory.dmp

memory/1696-136-0x00007FF652810000-0x00007FF652B64000-memory.dmp

memory/2784-137-0x00007FF6348F0000-0x00007FF634C44000-memory.dmp

memory/2012-138-0x00007FF7691F0000-0x00007FF769544000-memory.dmp

memory/4556-139-0x00007FF715700000-0x00007FF715A54000-memory.dmp

memory/5012-140-0x00007FF6DCB50000-0x00007FF6DCEA4000-memory.dmp

memory/536-141-0x00007FF6D85F0000-0x00007FF6D8944000-memory.dmp

memory/3788-142-0x00007FF625A50000-0x00007FF625DA4000-memory.dmp

memory/4740-143-0x00007FF6F8550000-0x00007FF6F88A4000-memory.dmp

memory/1768-144-0x00007FF7AFBB0000-0x00007FF7AFF04000-memory.dmp

memory/544-145-0x00007FF686970000-0x00007FF686CC4000-memory.dmp

memory/1956-146-0x00007FF68DD80000-0x00007FF68E0D4000-memory.dmp

memory/3564-147-0x00007FF79F3F0000-0x00007FF79F744000-memory.dmp

memory/4060-149-0x00007FF77DE60000-0x00007FF77E1B4000-memory.dmp

memory/1968-148-0x00007FF705E70000-0x00007FF7061C4000-memory.dmp

memory/1656-150-0x00007FF659910000-0x00007FF659C64000-memory.dmp

memory/4844-151-0x00007FF7E0A00000-0x00007FF7E0D54000-memory.dmp

memory/2088-152-0x00007FF651AA0000-0x00007FF651DF4000-memory.dmp

memory/5076-153-0x00007FF732BA0000-0x00007FF732EF4000-memory.dmp

memory/3724-154-0x00007FF72B820000-0x00007FF72BB74000-memory.dmp

memory/2408-155-0x00007FF7E21E0000-0x00007FF7E2534000-memory.dmp

memory/4356-156-0x00007FF72FCE0000-0x00007FF730034000-memory.dmp