Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-k16raafe76
Target 2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike
SHA256 eab35c15969a9d45b680dc6a91241791e6ecfd4b674b52676918cb73c2476d93
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eab35c15969a9d45b680dc6a91241791e6ecfd4b674b52676918cb73c2476d93

Threat Level: Known bad

The file 2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

Cobaltstrike family

xmrig

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobaltstrike

XMRig Miner payload

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 09:05

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 09:05

Reported

2024-06-10 09:07

Platform

win7-20240508-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\TIyYzwR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RCIHRMJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pNzsWnI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zUlUpJd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DUAMPTK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\biFIXPO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VzrVwXT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Ohlfhas.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jqkePmK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cHhhkfD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eJflpZt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vXQuuhH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EwVukqZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZDUFkGh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cMAUIBf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IkJDFLB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BhaCgIa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zegaSiz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\flRoBEE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dqUbnOf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\umTOQtg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNzsWnI.exe
PID 2108 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNzsWnI.exe
PID 2108 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNzsWnI.exe
PID 2108 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\flRoBEE.exe
PID 2108 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\flRoBEE.exe
PID 2108 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\flRoBEE.exe
PID 2108 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\VzrVwXT.exe
PID 2108 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\VzrVwXT.exe
PID 2108 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\VzrVwXT.exe
PID 2108 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwVukqZ.exe
PID 2108 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwVukqZ.exe
PID 2108 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwVukqZ.exe
PID 2108 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\dqUbnOf.exe
PID 2108 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\dqUbnOf.exe
PID 2108 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\dqUbnOf.exe
PID 2108 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\umTOQtg.exe
PID 2108 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\umTOQtg.exe
PID 2108 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\umTOQtg.exe
PID 2108 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zUlUpJd.exe
PID 2108 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zUlUpJd.exe
PID 2108 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zUlUpJd.exe
PID 2108 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZDUFkGh.exe
PID 2108 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZDUFkGh.exe
PID 2108 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZDUFkGh.exe
PID 2108 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\cMAUIBf.exe
PID 2108 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\cMAUIBf.exe
PID 2108 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\cMAUIBf.exe
PID 2108 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\IkJDFLB.exe
PID 2108 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\IkJDFLB.exe
PID 2108 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\IkJDFLB.exe
PID 2108 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\DUAMPTK.exe
PID 2108 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\DUAMPTK.exe
PID 2108 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\DUAMPTK.exe
PID 2108 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\TIyYzwR.exe
PID 2108 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\TIyYzwR.exe
PID 2108 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\TIyYzwR.exe
PID 2108 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\Ohlfhas.exe
PID 2108 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\Ohlfhas.exe
PID 2108 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\Ohlfhas.exe
PID 2108 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\jqkePmK.exe
PID 2108 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\jqkePmK.exe
PID 2108 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\jqkePmK.exe
PID 2108 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\cHhhkfD.exe
PID 2108 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\cHhhkfD.exe
PID 2108 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\cHhhkfD.exe
PID 2108 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\BhaCgIa.exe
PID 2108 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\BhaCgIa.exe
PID 2108 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\BhaCgIa.exe
PID 2108 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zegaSiz.exe
PID 2108 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zegaSiz.exe
PID 2108 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zegaSiz.exe
PID 2108 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\eJflpZt.exe
PID 2108 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\eJflpZt.exe
PID 2108 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\eJflpZt.exe
PID 2108 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\RCIHRMJ.exe
PID 2108 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\RCIHRMJ.exe
PID 2108 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\RCIHRMJ.exe
PID 2108 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\biFIXPO.exe
PID 2108 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\biFIXPO.exe
PID 2108 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\biFIXPO.exe
PID 2108 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vXQuuhH.exe
PID 2108 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vXQuuhH.exe
PID 2108 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vXQuuhH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\pNzsWnI.exe

C:\Windows\System\pNzsWnI.exe

C:\Windows\System\flRoBEE.exe

C:\Windows\System\flRoBEE.exe

C:\Windows\System\VzrVwXT.exe

C:\Windows\System\VzrVwXT.exe

C:\Windows\System\EwVukqZ.exe

C:\Windows\System\EwVukqZ.exe

C:\Windows\System\dqUbnOf.exe

C:\Windows\System\dqUbnOf.exe

C:\Windows\System\umTOQtg.exe

C:\Windows\System\umTOQtg.exe

C:\Windows\System\zUlUpJd.exe

C:\Windows\System\zUlUpJd.exe

C:\Windows\System\ZDUFkGh.exe

C:\Windows\System\ZDUFkGh.exe

C:\Windows\System\cMAUIBf.exe

C:\Windows\System\cMAUIBf.exe

C:\Windows\System\IkJDFLB.exe

C:\Windows\System\IkJDFLB.exe

C:\Windows\System\DUAMPTK.exe

C:\Windows\System\DUAMPTK.exe

C:\Windows\System\TIyYzwR.exe

C:\Windows\System\TIyYzwR.exe

C:\Windows\System\Ohlfhas.exe

C:\Windows\System\Ohlfhas.exe

C:\Windows\System\jqkePmK.exe

C:\Windows\System\jqkePmK.exe

C:\Windows\System\cHhhkfD.exe

C:\Windows\System\cHhhkfD.exe

C:\Windows\System\BhaCgIa.exe

C:\Windows\System\BhaCgIa.exe

C:\Windows\System\zegaSiz.exe

C:\Windows\System\zegaSiz.exe

C:\Windows\System\eJflpZt.exe

C:\Windows\System\eJflpZt.exe

C:\Windows\System\RCIHRMJ.exe

C:\Windows\System\RCIHRMJ.exe

C:\Windows\System\biFIXPO.exe

C:\Windows\System\biFIXPO.exe

C:\Windows\System\vXQuuhH.exe

C:\Windows\System\vXQuuhH.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2108-0-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2108-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\pNzsWnI.exe

MD5 935de49f937eae8e95955bd26bd80086
SHA1 0d329ccb158486e593da15ebdf8aeb720fd93418
SHA256 a29b3e5ce67ec520fff78bb417bb85fd99e49ee1085c1a3edf323862a305a872
SHA512 05e965cb72e22114b9b3484ffbb556e8884faf2ae064ece1a42a5f472eca4bf2a4b168c603e5c50ad725f31e100d05f383c2079a43f5fddd80103a122582fab8

memory/2108-8-0x0000000002230000-0x0000000002584000-memory.dmp

memory/1700-12-0x000000013F360000-0x000000013F6B4000-memory.dmp

C:\Windows\system\EwVukqZ.exe

MD5 e3f71a79ca5b63682051553402d7027e
SHA1 73de0f2cb95ce60600a096a0381f1ed4c3cd8055
SHA256 098a760c09850b01a3490f2882821316632efb9e95c0456c083a35cefce04100
SHA512 d857de6b8288dc8d19ef34d934baff3140bb2ba6d39781f32e6f4d3f56a8ab1c0c39a16532829dab89e428bc116c457e204b4f0f9095dd6559c2bb7ed6598ba5

memory/2108-26-0x000000013F7F0000-0x000000013FB44000-memory.dmp

C:\Windows\system\VzrVwXT.exe

MD5 814618d3dab02367a21803a1f6a3953d
SHA1 8d0472d9a4d2c8b54f16b9ead8ed5fb306efb188
SHA256 0e232de81ef25931b356f490fa2eeafc4516c1acb345c0c931f501d7befa3108
SHA512 68cb1bbc5b2af6aa467aa4a5b88b8f41a9efc674105903d7fb3a7c58a21436d010c8d62eccb49934eb91d81ca14397c3b3a1b678998def097f9cb0ea1863d903

C:\Windows\system\umTOQtg.exe

MD5 345ff4588e17e53049aa5e34fd479f30
SHA1 ecdb445a824bed930f9612275685bf3f453b5fc3
SHA256 578b1362803844c463579e61d6edea654776c80d94247098ed78dc7950ac49b3
SHA512 e78bd6fe97a64ab5b020c9d29ea80d1c2de6313fe483c98ea44cab473391f05d55413a347c314d1ca570beb8ad26c57131273a2789a876b764fa5b46cccc54c9

memory/1316-38-0x000000013FF90000-0x00000001402E4000-memory.dmp

\Windows\system\dqUbnOf.exe

MD5 1a6b84cfbf1644f9bbf3ed0f61a78a5b
SHA1 62ba00a8df669063fc73220e300bcb015b935620
SHA256 789d38e2f0131324b1823a447de80cf634a44eedb56f2854256b2f79eea9647a
SHA512 05af46eb31dcfb3906b028b4c9e0622806228161ec2f6e3b0422d717edad21b45fbb3ac85424a5208fa950a52e51b14d96d5056a1f561e2231800b237a8963fb

C:\Windows\system\zUlUpJd.exe

MD5 21f5a348acaf7d8984b5552e1052c713
SHA1 d9ec9e4a22ad8349ad4e96392751c7fa4b5bbcae
SHA256 e92dfaa272f9090d557e6f093f892f6d65a102d671e35ea78418234fcff9cce4
SHA512 bd5e74aa69b15216fd31b85fc22547e04cc7aa8d407ca10da0bf5f674ec2d17475f98a364809e0469763c978833eb9763d68c76b7b81ae6164541811e5354913

C:\Windows\system\ZDUFkGh.exe

MD5 e8981b0ba08bff3d7f9ba2cb412423bb
SHA1 af0e08df921ea66febed30a3498d0df4d812be72
SHA256 1e27a067988c7c12dfe6c7d4df38297198d5210f47e880eacc910459c9260ade
SHA512 d25a0cef068ef732e65d7591a4dcf44baa3c3d66521068a84bdee129c07cad80490635419116a800e3be4586ccbd2385d1f2b90b569b12240ad39fd3ff5fd51a

C:\Windows\system\IkJDFLB.exe

MD5 293e8ab5e5fb24023bbb623d06c53114
SHA1 9fca7c1dd9dcd3793805ac0473341a306bd9487b
SHA256 762b7c35f9345bb0bdfabfe1261e1e5d4e7ab6125511e6da56a877f295276921
SHA512 da759d6706636655721e01ef37cc4560b1ae48631653e1b8d438363542fcb3667eb06444bf455f8a88a7e67b09b31be26fdaeff7a4a4e0675e6acb0247f74867

memory/2672-63-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/3000-57-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2716-75-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/1432-90-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

C:\Windows\system\BhaCgIa.exe

MD5 decf72af444a007a058653f5928677c0
SHA1 50f0ab34c99138728bacb53e8542c948c52d0a8e
SHA256 2f529a976e42617067aba21b6fb38c37202901ac006c50eebb6ad87f1e995db9
SHA512 ab61046b0e69fc7531f4ff363329914fb5276242ac28b5237dc3a5238ba48f96bccded56e848d15e7fe14777be8edcd3ebd182bd4c0d66e82ac09de114567b60

C:\Windows\system\eJflpZt.exe

MD5 16f13dfc4e8b30eef7de6c254deb6c6b
SHA1 631971887aef3a03faed38f6d7234c849b605d2b
SHA256 15482688ed2e8c768a200f70054b7ff275a07f61586b924e379052e9c8af1300
SHA512 9f13315327dc3177e8457b7b19c836054e666675fca0f88eebcf8e43fcb349c17a1190d6c1a696ec084e52b63600f53e457eb00d5e33c5dd662c78f6fcabe355

\Windows\system\vXQuuhH.exe

MD5 f0795d008564909abd7acc429e21fe60
SHA1 065f739b9f213e572e19c9f453dd0b3cd1c10d13
SHA256 2a41d570cd0b22d7b16de70696e842fa6fc8958688a1d344055c4360fa4c1302
SHA512 a695d77a51e3a8155f2db205e6870fb7d50a9d962636883dce5137b376f5bbbbe6d03d03d49205a42412a2e47aebbcb7514acf98d915b5ea3e3952ec9c6f0bdb

C:\Windows\system\RCIHRMJ.exe

MD5 5d4bca88ec75fa4ea19e4ad4dc4c0259
SHA1 1ba3402150ae4f839d1a1ad317d7e96dcf86a21e
SHA256 5fb7a08b1e668c210b110e85763dcd50fe560459b26f3bc3d54fc7f4a5c7a380
SHA512 3e55339ca05451c5c172073c00091ddc9251d8908f762bde1064de4740c1079fa5ab8fa470c22fd366c33e1b08e3428bd699e5dd3fc727dd5854cb328eb9b60d

C:\Windows\system\biFIXPO.exe

MD5 a36feecc26f07f7def14cc181e48eb89
SHA1 df6967e180bb9951dd29cf59dfb72167dc566307
SHA256 b2f23d94d3b4bd2e9198c1519db19fb10405e4accaa786cdbab8484827f46872
SHA512 79a19992c6e7fb9157fe782089a0256eb9e215d4a002aa268d8f8035a81172d49071681cc0b5d43d0301d9b6f3233f27ab85bb5f4d7d9bb3e0ca0fec84f27911

C:\Windows\system\zegaSiz.exe

MD5 c03ad2aef63a7edf4476e93c24d52967
SHA1 6321c12bb4596cf42ed1216aeae96c3e53c145c9
SHA256 145e4eaa75841b5b7f6822275f6952586faf1381e7c2ec4c10d67cd2f3d9adf3
SHA512 60164de847a317f2f9b3bdd827eaa040a04911a15bffec40a1ad9f88be8b67fad13eeb173eb4a082db0a1980b85966ffa84a8863c178c0e58caf9a5a2b0dc741

memory/2656-105-0x000000013F850000-0x000000013FBA4000-memory.dmp

C:\Windows\system\cHhhkfD.exe

MD5 1a52ca6b3d96d261404365b62289dc17
SHA1 87fea92c882d377a324841c33986e4e3f4289f84
SHA256 ecd3717f58ac6443b0ed9d8a014389fd29d68067e450576f072cae84fabb12b6
SHA512 0bb7323e9a43939ef75d64437849a1472c75e8323ad957a7c23b71b3de7fdb53d018030c5c803bba4dfd9f30a2583c6d55eddce3b17d290d8a55d3a7f0dfc515

memory/2784-137-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/2108-136-0x0000000002230000-0x0000000002584000-memory.dmp

memory/1932-100-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/1316-99-0x000000013FF90000-0x00000001402E4000-memory.dmp

\Windows\system\Ohlfhas.exe

MD5 93f83c652688278651f0cc2b875ea512
SHA1 c17857a31833e6fa8c4fa9344ddd093f806d1cd2
SHA256 a2fc6620b121f770f6ddb194f31ee719ac206de408c22518ad29302faba4daad
SHA512 3ca7e84e41007b399193788ea27e8e3273a4e55ff8fdb8f2df4e953233dc16567601bfd9fe580e834baa3d96afda9b403d960fcd7b0bd595c5c4b009633dc12a

memory/2108-89-0x0000000002230000-0x0000000002584000-memory.dmp

C:\Windows\system\jqkePmK.exe

MD5 9dd3b97102b937d51cc6fa06792c5c5f
SHA1 4a2a18107655362dfdb0cec4a22e96f5b49d1bcd
SHA256 de69da43b0510fcd8f6cda43a118eba8c58c18612f9cc2fdd02fda359aeb0c3a
SHA512 5fef027c026cd2f0b86fea33761db3bf74b3eedf2efc7b45b791703777de9dbcaf15bc60a6496c41b0df79d3b1675c99b57f6297733576e7436047be9c360318

memory/2224-77-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2108-76-0x000000013F710000-0x000000013FA64000-memory.dmp

C:\Windows\system\TIyYzwR.exe

MD5 67f83019df85b3dba3efee0dc7a318da
SHA1 a8189537fce9130b690c938c11067a8c189116bf
SHA256 cd816a2e753a7e145a3bfffa79613c5c2f340741356d8d902c55f510b969bc2a
SHA512 1ffba853b10f93cb3bfe67f7df2a6bb590a96be1eaa38482c3cf874c8e52b0c5d04dd497f44d5eb81faf9a6a7a0da8155396437ab34d61a0ae58c4e64544e1d8

memory/2776-138-0x000000013F780000-0x000000013FAD4000-memory.dmp

memory/2520-70-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2108-69-0x000000013F7D0000-0x000000013FB24000-memory.dmp

C:\Windows\system\DUAMPTK.exe

MD5 202c93c39f27332d0ed9b0e302e1548e
SHA1 268dd8dcdd48ebd851775f3f05e0e5cb9cdb4e2f
SHA256 bf7ab8ddca33d7230a5a5020b8086b804c0ac8ced2428dd204f8da339761ea44
SHA512 f46441bd012807e836eb27b2f2a72822c50b08daadccea903f8361d1f6f4cc897605b734f019ad97da9b4c4ad36c33b82650bd3e0b062c1d1a89becbaf97d968

memory/2108-62-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2948-61-0x000000013FF20000-0x0000000140274000-memory.dmp

C:\Windows\system\cMAUIBf.exe

MD5 4938293782849ecd50a36ecfa315d1fb
SHA1 b43d72108389b01205b15e8f953846b25d4ca4e8
SHA256 3fdcdfb9d71ab9a54d45b1d9f3cca7baca01c4567a989dc23055ffb14fe5c191
SHA512 62c3586385b4fae7e87e08e716c3e23378b29c7666fb7131ae50387e47a8472f5cab9fddcd4109c8ea7af2f997e5507e075a7fe9332863fa3e4e40c74836613c

memory/2776-52-0x000000013F780000-0x000000013FAD4000-memory.dmp

memory/2784-47-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/2108-46-0x0000000002230000-0x0000000002584000-memory.dmp

memory/3000-139-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2656-41-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2108-37-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2108-35-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/2108-34-0x000000013F850000-0x000000013FBA4000-memory.dmp

C:\Windows\system\flRoBEE.exe

MD5 af17bbfc61965e2d8b2592c83696404a
SHA1 68049f40d05d606eb48dd2c193164c5e72bef7bd
SHA256 3ab451bbc6722b480b62b15d7d15d310707c26031011a80901315034205159b4
SHA512 2f45e5832263e104d8f9d5062c84f1b54425f6cc3dcc66a474c1bf211b0c2235e122d00a11a16024885f45e6adb4fde32847c26140b688125c63a5a22ef1bde7

memory/2108-16-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2716-28-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/2948-25-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2592-22-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2672-141-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2108-140-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2108-142-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2520-143-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2108-144-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2224-145-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2108-146-0x0000000002230000-0x0000000002584000-memory.dmp

memory/1432-147-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/1700-148-0x000000013F360000-0x000000013F6B4000-memory.dmp

memory/2592-149-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2948-150-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/1316-152-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/2224-155-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2672-154-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2716-153-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/1432-156-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2520-160-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/1932-161-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/3000-159-0x000000013F8B0000-0x000000013FC04000-memory.dmp

memory/2784-158-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/2656-157-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2776-151-0x000000013F780000-0x000000013FAD4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 09:05

Reported

2024-06-10 09:07

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QfmRwLe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CjJTHej.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qSnmMLT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ewskobZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UqBqCfe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zULoDgt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mEzMFSL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EwyCeTs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sLNJhJL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cLaLOPe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LvqIVKh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TnSffun.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KEOGnjd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\spbXoNB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tRRWBwZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HQYJtsY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZoglCGF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TauPfWI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bFCkyyz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ErSANiW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JxiEazm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\spbXoNB.exe
PID 2964 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\spbXoNB.exe
PID 2964 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zULoDgt.exe
PID 2964 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\zULoDgt.exe
PID 2964 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ErSANiW.exe
PID 2964 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ErSANiW.exe
PID 2964 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\mEzMFSL.exe
PID 2964 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\mEzMFSL.exe
PID 2964 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\tRRWBwZ.exe
PID 2964 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\tRRWBwZ.exe
PID 2964 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwyCeTs.exe
PID 2964 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\EwyCeTs.exe
PID 2964 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\JxiEazm.exe
PID 2964 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\JxiEazm.exe
PID 2964 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\sLNJhJL.exe
PID 2964 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\sLNJhJL.exe
PID 2964 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ewskobZ.exe
PID 2964 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ewskobZ.exe
PID 2964 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\cLaLOPe.exe
PID 2964 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\cLaLOPe.exe
PID 2964 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZoglCGF.exe
PID 2964 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZoglCGF.exe
PID 2964 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\TauPfWI.exe
PID 2964 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\TauPfWI.exe
PID 2964 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\UqBqCfe.exe
PID 2964 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\UqBqCfe.exe
PID 2964 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\LvqIVKh.exe
PID 2964 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\LvqIVKh.exe
PID 2964 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\TnSffun.exe
PID 2964 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\TnSffun.exe
PID 2964 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\KEOGnjd.exe
PID 2964 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\KEOGnjd.exe
PID 2964 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\QfmRwLe.exe
PID 2964 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\QfmRwLe.exe
PID 2964 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\bFCkyyz.exe
PID 2964 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\bFCkyyz.exe
PID 2964 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\CjJTHej.exe
PID 2964 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\CjJTHej.exe
PID 2964 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\qSnmMLT.exe
PID 2964 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\qSnmMLT.exe
PID 2964 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\HQYJtsY.exe
PID 2964 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe C:\Windows\System\HQYJtsY.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_f7393f277c11f74e8ee000333a8a5aa9_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\spbXoNB.exe

C:\Windows\System\spbXoNB.exe

C:\Windows\System\zULoDgt.exe

C:\Windows\System\zULoDgt.exe

C:\Windows\System\ErSANiW.exe

C:\Windows\System\ErSANiW.exe

C:\Windows\System\mEzMFSL.exe

C:\Windows\System\mEzMFSL.exe

C:\Windows\System\tRRWBwZ.exe

C:\Windows\System\tRRWBwZ.exe

C:\Windows\System\EwyCeTs.exe

C:\Windows\System\EwyCeTs.exe

C:\Windows\System\JxiEazm.exe

C:\Windows\System\JxiEazm.exe

C:\Windows\System\sLNJhJL.exe

C:\Windows\System\sLNJhJL.exe

C:\Windows\System\ewskobZ.exe

C:\Windows\System\ewskobZ.exe

C:\Windows\System\cLaLOPe.exe

C:\Windows\System\cLaLOPe.exe

C:\Windows\System\ZoglCGF.exe

C:\Windows\System\ZoglCGF.exe

C:\Windows\System\TauPfWI.exe

C:\Windows\System\TauPfWI.exe

C:\Windows\System\UqBqCfe.exe

C:\Windows\System\UqBqCfe.exe

C:\Windows\System\LvqIVKh.exe

C:\Windows\System\LvqIVKh.exe

C:\Windows\System\TnSffun.exe

C:\Windows\System\TnSffun.exe

C:\Windows\System\KEOGnjd.exe

C:\Windows\System\KEOGnjd.exe

C:\Windows\System\QfmRwLe.exe

C:\Windows\System\QfmRwLe.exe

C:\Windows\System\bFCkyyz.exe

C:\Windows\System\bFCkyyz.exe

C:\Windows\System\CjJTHej.exe

C:\Windows\System\CjJTHej.exe

C:\Windows\System\qSnmMLT.exe

C:\Windows\System\qSnmMLT.exe

C:\Windows\System\HQYJtsY.exe

C:\Windows\System\HQYJtsY.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2964-0-0x00007FF66F9B0000-0x00007FF66FD04000-memory.dmp

memory/2964-1-0x000001832BDF0000-0x000001832BE00000-memory.dmp

C:\Windows\System\spbXoNB.exe

MD5 1cf0ac145ee390442d37c6c87a186365
SHA1 7ca17c4d2552afde195651cde9ccbf85f1eb2cb3
SHA256 c1df963dde6493868888e806e122918cf8a4d4a2a8c12026c6eadcb4e5e11bfd
SHA512 e18fb15ae01e0d6f0d1a3f25cd241453e142555538a252190ce4bea381adaee2e799830bf8ace1f08cdf3e9d68a7d0f5cf1d5bbe669600e5e5871a297d1f8efe

memory/916-8-0x00007FF6D23E0000-0x00007FF6D2734000-memory.dmp

C:\Windows\System\ErSANiW.exe

MD5 6a98e9869089ad014a47a8a11c75205b
SHA1 f9f9a9f37fdd210cc39cff459314076b70ccab63
SHA256 c6402a8bc2d8bcb5a30e30e3ad7cb6bde9c044a317a73c3d2a5ebb733b1cf595
SHA512 557f0b2b8a14691ba6bcce19b05cbf1a78e8a2118caa1f8a876d4bd7317fd97c2bdba062155864bcdf5c40ba0f2a9fab9a92f2d8450576ce4ab06d961b7ba18b

C:\Windows\System\zULoDgt.exe

MD5 b48193a5e4d07a9f30cf631accf4e3ec
SHA1 be92ecc8ea9627057412ed0365a1abe7a5172d53
SHA256 8b956ffc339b08b34c1f2f2bb1741113d390405ee0239e9efe10ffed32bda015
SHA512 cdba4bef032c730b25ce4bfe4bf9dfcf6c32aa56766a7baeed2bc5569a9b0d3696e0c5e4549d46b5ba4abd099fdfbfc5347dcfb18dbd6dc467650c57d8443db2

memory/2756-14-0x00007FF7D3820000-0x00007FF7D3B74000-memory.dmp

memory/2704-20-0x00007FF6FAEB0000-0x00007FF6FB204000-memory.dmp

C:\Windows\System\mEzMFSL.exe

MD5 4d9c8dd88faceb5ff8e2af87c8cd546c
SHA1 994ff3c96e8734a2e460052eaec5f9c1fa166dfc
SHA256 94adab9d42f0801b3ffd05de05d4e5599cfccadbadacff5559cf30869a5880dd
SHA512 f5456726a6513d08fc5f521fec80b14edc3f21ee1242a7b0a6f9cab99229febed0a8b10643048c9b81dcd902df31bb94dc24ce9f304b0ef142f49954563bf089

C:\Windows\System\tRRWBwZ.exe

MD5 a10fb387d037c6ffec1b7a916049bc34
SHA1 944b0ef2307157ea6998c8aad740ae4edae1e9d0
SHA256 c80b3a22dde3e95477408d13c2eb1022718d5d3ee5dea3487d9df4dc93b1e17d
SHA512 531118e25119b0a0ad9ae1b8ce95e48f7a233bee70c9d4bcb87e2ab10418fdaa52169c41a9ea622855ab52ea048d72356ad3a848c8e8269fa58a6fc276167e80

C:\Windows\System\EwyCeTs.exe

MD5 064eb49f692fb515cae0228deef0f6a3
SHA1 6f08e051412ab5a27fc9f336c8ecff8da2835d9f
SHA256 e3c72092ac70e34f962cca2ceefa5e4d37c569b903a5aa9c80318f90cf18574d
SHA512 a98e20bea442006bd0de4e2e57452e6e334b94e918501e188d82c1f3796bfdb72ead1f8f6b7f97ead3d18c2752157cfc85a560fdeb0302ccb689455d38835b5a

C:\Windows\System\JxiEazm.exe

MD5 5242d4f6830ffa7af4413f6a21e98d6a
SHA1 b73e6fa9e2507e83a11c98e72cdb9e4e3a3e710d
SHA256 98f8e1303e9828ce91ca4c65de3889ff12f01cff0475dee85751a74d0d6e43c0
SHA512 3d1bb7cc2b493aabc639951a21d2889d9e136a3740b4a95a8d113cf988387b9b1826ab0a9c146c47406c7f7d9711d259b839983b11c4bd8f0f2e883e6d2ac306

memory/4320-49-0x00007FF755060000-0x00007FF7553B4000-memory.dmp

memory/5080-54-0x00007FF749BF0000-0x00007FF749F44000-memory.dmp

memory/4260-59-0x00007FF664BC0000-0x00007FF664F14000-memory.dmp

C:\Windows\System\cLaLOPe.exe

MD5 7efaca95340326388c3720f14f9c7ff9
SHA1 e033110022e53a763a258256bbc20643515ee3ec
SHA256 66e0b4e44d6d5a459571a79621252d688c90b5ad458dbfb37aba0476557184a0
SHA512 74264de012ebd197bed9d12611feadf4ddf4b065593754c096e25de9074111106c9994f20937feac2c796a0c92ff1d4199d0753c07a6b7dfad5550964c6358f2

memory/332-60-0x00007FF6C2520000-0x00007FF6C2874000-memory.dmp

C:\Windows\System\ewskobZ.exe

MD5 d939e1980f520508cf4a28aedfbfa637
SHA1 42d0be31e9f7e986f10bf36537290016ef218ea5
SHA256 5da832c18efd0e3b048c3906d92ff1fb85ccd14a750d0ad242b2c5268e3e62c4
SHA512 c41735d264fb4ff7343b05d6a80a63f51cd4a503582f056448a04066eb7b5912219ce3ed9994669c0a17b5a8f69d0633fbe3d978e044249c017ee312a6168d94

C:\Windows\System\TauPfWI.exe

MD5 9eec65f559f307c3c8712478cb16281e
SHA1 6b4cb97508310412b72567ffdc9172928d5e1029
SHA256 abe227a0fb0dcd5217c58f6cf49949a64be1fe6bb33aa306992f8f57bf0000cf
SHA512 c4a7bc1c566e20fc1894d74dabddfe29659642cb3512fc8d5cf330d4ac134a326dc6f2573848218d79fdb5833f279943a9e54fafad73cfa55535e7a0af773c2c

C:\Windows\System\TnSffun.exe

MD5 510c02608b1550ae74bcc676d09039b0
SHA1 de844bc4e6742be212342e9cefc473de8b4236ca
SHA256 fbfe50c52bc5a16e57f66365945e0e5a16273089a138b9648af47aea03dafe9f
SHA512 c9d409eef13978d51f659642b013086d3e521837918f6aba74f99f8ab93d7c7f0de71ba38866bd5d897eefb9b218e3f96e488ff97307006180123d78763d885f

C:\Windows\System\KEOGnjd.exe

MD5 4898f408bd1e61e89a8559a6e6fb640e
SHA1 e63cead56661d7a832ef994c49840f98b5e356e4
SHA256 38c6fe9e53cad8504f4c0cb71ab08fcf190ef9c675a8bbdb3fdde302ec0b4c3e
SHA512 1616dc79664872a5d547f8857df68881f5c7839043adad820903a568df38e570c28e71bc48d2042f7f8d617f19eed38939823449a26c5a63edc9892613c322de

C:\Windows\System\CjJTHej.exe

MD5 7afa1b058c314fc5629a014c9a1e1466
SHA1 393416b9631fd8da63d9012784d7488f03d74faa
SHA256 814f64791ad00ec6caa28ec356d193dcd4c3e541ad6327f50cd31edb948c51a4
SHA512 6260cdc981c0c3b6678de1316e92d956a3eeb1a4bf0dae0c2b210062a19cc9714950bd75d6db5a09315bc174197041689994dd42177dd69d61cf4bdbbb93d282

C:\Windows\System\qSnmMLT.exe

MD5 5a575ac78a214f069b0ec31ac10371e0
SHA1 61853af62988c2b0c090d262cee1ff5012625001
SHA256 8194ed21b55b0af6084ce156d2e2b06cd11e594a37818a1c016a26fc9bcfb1c2
SHA512 50ec9ce9ae2469ce5abc5982fedff5bc18687e7d3ae45854eb8892deb838ecb3fd3611f8fb0558001345590941724bf9a8f63c7c32698be968fcef1a2f57479c

memory/4072-120-0x00007FF654770000-0x00007FF654AC4000-memory.dmp

memory/3600-122-0x00007FF7665D0000-0x00007FF766924000-memory.dmp

C:\Windows\System\HQYJtsY.exe

MD5 336de0a0e5e03c5affab469c3a655d8c
SHA1 1b18b91d09d907ec3647822fccd680102b04a52b
SHA256 c32686f2af6e2596e07fad6bc549e70e76aee7557b568e138c40749a12bd2f7d
SHA512 455ff176e465b37b106dfb36a74ee89837b81435f9e0d1d859c4507baf5de07b2bdfdbc233079ca844a48c3edf14057ffe01de6275105c88fb664c015a534fe2

memory/3100-121-0x00007FF743B80000-0x00007FF743ED4000-memory.dmp

memory/2816-119-0x00007FF6AF170000-0x00007FF6AF4C4000-memory.dmp

memory/532-118-0x00007FF6A5340000-0x00007FF6A5694000-memory.dmp

memory/4796-117-0x00007FF778820000-0x00007FF778B74000-memory.dmp

memory/2500-112-0x00007FF666420000-0x00007FF666774000-memory.dmp

memory/1136-111-0x00007FF6E40D0000-0x00007FF6E4424000-memory.dmp

C:\Windows\System\bFCkyyz.exe

MD5 e4db1964a72485333aa362f7f9983c46
SHA1 3d32d222851d5097424d76703249625a13899202
SHA256 624e523717f10998ffc97fd6a36b60feb263257c2e9f212655246e70b802b23a
SHA512 3da85afc069256518b3b13a1f6bf93a731aa324b453cde4597eafb050cd8d9e89d2afa93bd60f60e53039715d17bfe6ac1815943253edc34bd8f676cdd535566

C:\Windows\System\QfmRwLe.exe

MD5 52d4711ac207638b740c33bfc67a6331
SHA1 b6b61595ae11b7f3592d320e7ae6fa641ec8b8ae
SHA256 f49e21bfa4e3513fddfe9d8a39571a8c055c7979d86981744bb40fba3406e717
SHA512 ab1d6e906052f235714bc72191f60d0874a363ecb6005d6ef9386d823f1363c14fb42122a93b1102cc3689887c051496b5a6dd4c25eac3a6cd6842f8730904d1

memory/4556-106-0x00007FF7F6B10000-0x00007FF7F6E64000-memory.dmp

memory/1932-103-0x00007FF743220000-0x00007FF743574000-memory.dmp

C:\Windows\System\LvqIVKh.exe

MD5 fb0d7def63a56f929dbd4e807a53d5d0
SHA1 f1ff2bbc059359fa8b7ff832ffb3227644f5b0e1
SHA256 cd9e4715fecbc9bde798909834c598013339134b335d195a5055a40551037e34
SHA512 f494a97df877da7e5342d7b0747ddf03f5948c0f9886b3f346d1fb1d7498315a79bda078414dedcb81a3f0b0780ba870bd1881bc9e371141f75fa8362803d130

C:\Windows\System\UqBqCfe.exe

MD5 50140fe6d40bd1a90a0ddf66e3f2ffc3
SHA1 2e73c2fa8cebacae11691fea092d62ad970c351b
SHA256 66b1a6ecbfe73dad756b4a553821a75ddb31540415f31c162dcd41940a7cd792
SHA512 a8953ae38e89831c209b7ba0e77ba172f5399b1d23180188990dd3214400127f877804b3fa3ccfd82dd4f73719fb1ba15ab3ee4e6c57b7a481e4c16f5c32e691

C:\Windows\System\ZoglCGF.exe

MD5 b89b6f925eee1feea5dd1171df654833
SHA1 648d30f6548516bb01a80a270770a1575b5f21b9
SHA256 d3e07a63304fbd80d8ee4ac7c277502a1979902c07d6df3a8b496e355ea61a7e
SHA512 e6a24e9562d27e5f3b8eb4e342aa0a66ffec3db912c57b4637b5af09a648c2b1cdd0807089a3883dc39c875bf5eacc4621d1b2cd403548e510b7d02d5d5552c4

memory/3824-55-0x00007FF68D2F0000-0x00007FF68D644000-memory.dmp

C:\Windows\System\sLNJhJL.exe

MD5 bcfb99f34817755beb7bc5f6f767d95b
SHA1 9d643bdb004405120372c5b6313b08e2139a94f6
SHA256 352f259fe358f1d2a81f76381e71ab2de2e9bb375ac90d05c90acdb801312bef
SHA512 f88f2dcc9106b0f3d902ac3a7e1c94a14d93acd80d52eb2ebdfcbe4308ca8c82f5d1065f5f9f2b36462ed284269af3cbdebe0c82307ba82bc17d5650591237a1

memory/4560-44-0x00007FF652F30000-0x00007FF653284000-memory.dmp

memory/2008-32-0x00007FF65B500000-0x00007FF65B854000-memory.dmp

memory/2964-127-0x00007FF66F9B0000-0x00007FF66FD04000-memory.dmp

memory/2204-128-0x00007FF774FB0000-0x00007FF775304000-memory.dmp

memory/916-129-0x00007FF6D23E0000-0x00007FF6D2734000-memory.dmp

memory/2756-130-0x00007FF7D3820000-0x00007FF7D3B74000-memory.dmp

memory/2704-131-0x00007FF6FAEB0000-0x00007FF6FB204000-memory.dmp

memory/5080-132-0x00007FF749BF0000-0x00007FF749F44000-memory.dmp

memory/332-133-0x00007FF6C2520000-0x00007FF6C2874000-memory.dmp

memory/916-134-0x00007FF6D23E0000-0x00007FF6D2734000-memory.dmp

memory/2756-135-0x00007FF7D3820000-0x00007FF7D3B74000-memory.dmp

memory/2704-136-0x00007FF6FAEB0000-0x00007FF6FB204000-memory.dmp

memory/2008-137-0x00007FF65B500000-0x00007FF65B854000-memory.dmp

memory/4560-138-0x00007FF652F30000-0x00007FF653284000-memory.dmp

memory/4320-139-0x00007FF755060000-0x00007FF7553B4000-memory.dmp

memory/3824-140-0x00007FF68D2F0000-0x00007FF68D644000-memory.dmp

memory/4260-141-0x00007FF664BC0000-0x00007FF664F14000-memory.dmp

memory/5080-142-0x00007FF749BF0000-0x00007FF749F44000-memory.dmp

memory/332-143-0x00007FF6C2520000-0x00007FF6C2874000-memory.dmp

memory/1932-144-0x00007FF743220000-0x00007FF743574000-memory.dmp

memory/4556-145-0x00007FF7F6B10000-0x00007FF7F6E64000-memory.dmp

memory/1136-146-0x00007FF6E40D0000-0x00007FF6E4424000-memory.dmp

memory/2500-147-0x00007FF666420000-0x00007FF666774000-memory.dmp

memory/4796-148-0x00007FF778820000-0x00007FF778B74000-memory.dmp

memory/532-151-0x00007FF6A5340000-0x00007FF6A5694000-memory.dmp

memory/2816-150-0x00007FF6AF170000-0x00007FF6AF4C4000-memory.dmp

memory/4072-149-0x00007FF654770000-0x00007FF654AC4000-memory.dmp

memory/3600-153-0x00007FF7665D0000-0x00007FF766924000-memory.dmp

memory/3100-152-0x00007FF743B80000-0x00007FF743ED4000-memory.dmp

memory/2204-154-0x00007FF774FB0000-0x00007FF775304000-memory.dmp