Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-kgavhafb58
Target 2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike
SHA256 b0edf5228f688fdf6e7bca7d0e2333931b98ba6905ee9634ce55a22a58f61e38
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

xmrig

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

XMRig Miner payload

Cobaltstrike

Xmrig family

Cobaltstrike family

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 08:33

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 08:33

Reported

2024-06-10 08:36

Platform

win7-20240221-en

Max time kernel

138s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\Ovsbxfu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GRrQeQV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qEMpiuA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jrvEfXa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SRqPvyB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vxQjQqC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PxZUauk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ghcIsyJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GITggoi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RvyQcAA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LaIGXyt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gUvsFvC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\etikcPx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QZwYMIX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XJdhjPh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wkEbXDO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pacrUQW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dovlXIj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ldIMvcQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QUpJfoX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RPZmduf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\SRqPvyB.exe
PID 3000 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\wkEbXDO.exe
PID 3000 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\vxQjQqC.exe
PID 3000 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\LaIGXyt.exe
PID 3000 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\Ovsbxfu.exe
PID 3000 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\pacrUQW.exe
PID 3000 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\dovlXIj.exe
PID 3000 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\ldIMvcQ.exe
PID 3000 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\GRrQeQV.exe
PID 3000 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\PxZUauk.exe
PID 3000 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\ghcIsyJ.exe
PID 3000 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\QUpJfoX.exe
PID 3000 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\GITggoi.exe
PID 3000 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\gUvsFvC.exe
PID 3000 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\qEMpiuA.exe
PID 3000 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\etikcPx.exe
PID 3000 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\RvyQcAA.exe
PID 3000 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\jrvEfXa.exe
PID 3000 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\QZwYMIX.exe
PID 3000 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\XJdhjPh.exe
PID 3000 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\RPZmduf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\SRqPvyB.exe

C:\Windows\System\wkEbXDO.exe

C:\Windows\System\vxQjQqC.exe

C:\Windows\System\LaIGXyt.exe

C:\Windows\System\Ovsbxfu.exe

C:\Windows\System\pacrUQW.exe

C:\Windows\System\dovlXIj.exe

C:\Windows\System\ldIMvcQ.exe

C:\Windows\System\GRrQeQV.exe

C:\Windows\System\PxZUauk.exe

C:\Windows\System\ghcIsyJ.exe

C:\Windows\System\QUpJfoX.exe

C:\Windows\System\GITggoi.exe

C:\Windows\System\gUvsFvC.exe

C:\Windows\System\qEMpiuA.exe

C:\Windows\System\etikcPx.exe

C:\Windows\System\RvyQcAA.exe

C:\Windows\System\jrvEfXa.exe

C:\Windows\System\QZwYMIX.exe

C:\Windows\System\XJdhjPh.exe

C:\Windows\System\RPZmduf.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp

Files

memory/3000-0-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/3000-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\SRqPvyB.exe

MD5 b06eaf61e95b8cbc7a8df83589f7a35e
SHA1 cd93746b9e91d588698f5b26f14d4b1ef81c124e
SHA256 047c3c42f2ce52079e70f1e95ceeaa59518babab081b0d544594ef4d34cca1ab
SHA512 bc7c5bc756dff6cc940563446bdeaa46a6ae7d7b3c802a49db5175eb81eac9aebf5400d84f4c32a625575a53a9187b25447d1cf0a01ffaf71cab84be8ce08200

\Windows\system\wkEbXDO.exe

MD5 74eaca9f21a52b42f00b1fb9448a5aa7
SHA1 df2d5df9ae6a6bea8afa9093d11cc0baf6fdab29
SHA256 a49c2585033c46d9ac96196fd09e22523403b0b5f321e67668dd72bd3da0bef3
SHA512 dd0b9a9bf234f3a89654b0695a1a8af8f60d3a929ae099cd703702ac45fd6ef75c89e73e9a8c566a3b70c766b83d00e866cccae0feb3a8b749c330152f2ef7ab

memory/1072-12-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2828-14-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/3000-8-0x0000000002260000-0x00000000025B4000-memory.dmp

C:\Windows\system\vxQjQqC.exe

MD5 90019705c78c3c187c676b3905b4bbe9
SHA1 788a996d922a35a4ae63aacb258a17469d1f7777
SHA256 d94c6092d4c6e5361ac7503617ed1b8c6d8f800c083e2ddf734b3823a946fcd5
SHA512 76b6f52a45d8cdfd258846f77115813c86508cad241979d981128c0eaa7cd06fe26123e75265a6e5d810ed3edc918f072c1cdbd58dbe140408434e8a5e7b93a8

memory/1664-21-0x000000013F440000-0x000000013F794000-memory.dmp

memory/3000-17-0x000000013F440000-0x000000013F794000-memory.dmp

C:\Windows\system\LaIGXyt.exe

MD5 18c36091d128eb704f86a723d10be89a
SHA1 f67b0ea592f421bb45b08e5105b49d50a4754706
SHA256 bbcea96678a5a0ef933f8b67c00ccc6dc0644465f0cd222dc278a59737fe97e4
SHA512 cb66711ee837acad8f35c667126ae54a76e6e77018a85d90b4c40d16e837bb453d11acecffb66c4de3ff5697739b630be8901209b4f5134c1c05600f12e9b4f2

\Windows\system\Ovsbxfu.exe

MD5 84056270d876bee7ec0f1c866a7071ac
SHA1 fdcf54350e7f9529b82aaaf046acc2bbb096b0e8
SHA256 ab5be699af289bd17e2d1de873a92697d4b4baeb0bacbdf44dd33b7b08b3cafd
SHA512 087a1fac5ef4b2f7878d764dfd14e492d98efe2f6eede6ec8cdf1626644cd510bc7e5b57fa209f11085a3e97f80e91cd7d8cddef6351eca6ca3abff524959b4d

\Windows\system\pacrUQW.exe

MD5 021841b44c136345fef587c9a048f049
SHA1 dcb2038e58bc5f6035204c99ebb01f766e7cc8a9
SHA256 8a9703fb50d37ff0cd0d5253fe97b674eccb8bb7387b69467969be0a35ed0ead
SHA512 490fec80adfa3bef7deb33a91001f1dc92233130cbdb454283c2a10f8e275d67af0c90e7e4c09324a58fb797f7b4572f2776c5cd8c53881ffb7a5ec3d5a782f0

C:\Windows\system\dovlXIj.exe

MD5 ec88e9e99c491e5b233f0f0e13d9ab94
SHA1 e9595a884d2ea56f4ea1f78ef31201274fbbc581
SHA256 73d58cb61229ce6d6da5e793d1dbc2ddcb3e2bb0d479cc6f56679e9d4ca45b23
SHA512 e100e3cfba47052326a949dd39e130898194b4268c8ad3449e73c3536f9c6c6662781fd598a44e35bc529030732974cb5c114c792e5aa136c3f5be025c213c6f

C:\Windows\system\PxZUauk.exe

MD5 f5c35f3abf35824aa511b6f223deba12
SHA1 8716f9ebf3586774c668df3d2f3584e42ac66db2
SHA256 d4613210544e964d1a2403ea0d4346ffc0a89eeb698d342344381a9581aac97f
SHA512 0665ac5c14bf287d1bce916f76bd0f488a8c23d22870182ae963e7bcd2f6a86422cd4b870548474e1f53a1e3cb232016cd99e56f75392ced1bdb056d41e68ef8

\Windows\system\QUpJfoX.exe

MD5 4b18c8bc18cafaa28869ae1b0604aa9e
SHA1 522247484ea3ca46e2c7153b1c0110512561b840
SHA256 815ab0f68c2c256c8bf51d010cb144e0bd029e5e41f45a3760b4cd341ca602cf
SHA512 fdf1de2576c884435a9d4e384afec10567bd9f59dc8956b4e0fe8c09285a6fa0c6882f2225f51203da38e9a521231011f0988bbd058244e44471d5dc763f79b9

C:\Windows\system\etikcPx.exe

MD5 9c6ed1ee90d058602ea891ac49057c25
SHA1 432807b4bd164a1ee78dd599645ea53add1b8a27
SHA256 990f085ff1f283e012d33d0276278401b7bb7c901e04f7917d13165f9eb0b004
SHA512 2415f1bd42f4ff763d772a2d90df5e6279cc7519235c699f3f5b0a015a9dc945d27b8214ef1d1d3aa47df8b8c72d42c29829f2f5f36a90028ee2479435a74ca3

C:\Windows\system\RvyQcAA.exe

MD5 afcdcdd14d14b02f26f6f3d1051e149f
SHA1 9086d92bea3ce85f9efce8e966eab8672ff7e35e
SHA256 cf8da61b72a383d4075b6c42313281181e183f199aca264695da16fe6d19ee08
SHA512 2084f012da94d9d6d27896da5f5793833d94074cfde3fa30bc07405edda13b0fd81f899fe4485dccd5345812b184f82bf1fb05c3f8dbea590879be590583898e

C:\Windows\system\XJdhjPh.exe

MD5 92c9921fe2b1e60cbcfede7cc9286bc9
SHA1 8e0baf2aa68eae67653a415f4a3888e42fddb199
SHA256 abeb01fb8b198f5e7640131bcf7665b3aa1729cd75a62a43db06e25e2f5cafc5
SHA512 e2391edbc125e20abb863e099dcf8d1cc8e84a1071565835be4920ab22b6927daec6f0b0e27bc5bf4024b6981a6c5086956dfdd81e5cb6c63041e65ddc88ccf5

\Windows\system\RPZmduf.exe

MD5 0f9759ab3f10c367077d9c283064da33
SHA1 a22a2baeff26161a877bcf36133526461dd5eab3
SHA256 d656cf45005a3297a78f1c0afb77e1fd7270f606f8e71333a6d9d8daaf8f02be
SHA512 fca2b0e32aa6d5fe7fec9a643a92c746b5f8dd973308bb405c70dee80758ea372bce1844bde4957952a341ee1bbbcc32a8f0bcc4a4c1d8caf098d85a5685e413

C:\Windows\system\QZwYMIX.exe

MD5 317c844baada6b78d2757ae01dd60b77
SHA1 4dc601feaaa0331c37e7f75503e45350afcbf034
SHA256 7b1ca10d37c7cca91bad1bc27694f1c0799776e35626c542ebc477dc8da76ead
SHA512 81df45d32913bfd19d058c0274d6bc8b4a89330449fd63c40224d8ae11a58c5500f2e843806b033ecbd961ee038ab897b7f469be359672ed19aaa86d7987b9a6

C:\Windows\system\jrvEfXa.exe

MD5 d1176e200522e57402d151466a2133ab
SHA1 5c1b178a3bbdc74cf7e69f6d21088dff44ac5719
SHA256 5a171031e89580f117f95c17d41be110f7cd840da02e869fb41208853197659a
SHA512 45080887f750c353aa0b660984560198334e3e311514c7e42d9b4e9a0dbf921dfa2593a40ed67694cd503ff514e7efe8ccd763d0e944bfa5165c50fa0a6facb1

C:\Windows\system\qEMpiuA.exe

MD5 246134a244cc801bacddde31e680232d
SHA1 3ffce6ece24b444661fab50765acd10699920ab4
SHA256 b25e35546621dcaf182b949c42fc28a1f5ad087bc2ef445a50caeeea53ddc837
SHA512 8a3f4d097011e44d03b2423ab45f62daebc3d88432d83e41d0cebad2792a529dbf8c641f5bfe4e0d61557e22a54937a624153192ab5a1684147614a7b92a1c25

C:\Windows\system\GITggoi.exe

MD5 88acbbd842967a06f60915a927f33e3f
SHA1 45cf0f7dcc81f28857469e474654ca5868979afe
SHA256 07b72327afe27fc88c8be8cca5d7b02bd6705dcf41bf63eda843df8081f388df
SHA512 6c05d9a651ee48239f4cd9edb73e91c7ef83e9d14c4b9d195e2cf69bfba572c61562688a2f943dd3d33c2549bba329e6c2cb2e7e42bddb33c0e26f8fee40246c

C:\Windows\system\gUvsFvC.exe

MD5 5b6c03b6cf4ce4bf2fc7278af61f2d54
SHA1 12c13ffc5efd638bfbbd9ab54dfc4d7e91e1a038
SHA256 9ca55556c92ac76c0af0e9dd774a3708fb5b2940247b31056b477c369b565e2d
SHA512 088f1fb11413bb0ad8acdf370bdd2c385d187b4831a5203e333dfebc0c12bd4659a390e5649dcbfa2dea0117222e89955c8a2928bb0bbaf39737c2a9e14284f8

C:\Windows\system\ghcIsyJ.exe

MD5 970633dd2b2b84a5303cdd37eed46f47
SHA1 69ec83062d4f5696426d82f75edf3adeaed8b708
SHA256 c666036451c022798272e66e57423a398db53b0484a387a5dbd77fe4f6270fc7
SHA512 e6a8b877e9671c75de353404560339bd6e1f3d74cd83983cb439fb0a9501d37a28494166d97bcb4d4de3f46a8ba773c5877c3507f95ed94d02e9eceb73e44124

C:\Windows\system\GRrQeQV.exe

MD5 3daa8cfdbca1d9d351266d967ce3e4fb
SHA1 a627c53b1ffd75984e6a84b348a49af60b803b2b
SHA256 3477036d2790bcd3cb1cd438499b57c00855a13632df78c30c08c6aa59f4dbda
SHA512 d0bbbecc8d4362eb1cad526bd1b27ea8e948b666ef80837a8602ce7f0fb4bf1bec051f343cfd67c800366d8d50d01e7281e0a426ea0fc6000f06d5486f4c6d0e

C:\Windows\system\ldIMvcQ.exe

MD5 315d2b762e256d99d449c19ada1a716b
SHA1 81746afa982c423cff1acd7fb2d992c5962c13a8
SHA256 bf939f03ef31bc8ad4b45db0e279eebe4c51f820e905689d20308a279a9c41b9
SHA512 c502e4de4f21586fa707b7f4b8b3e6780cb5decdb820b0a597c1c2618a22073969a9020c51eddb6fdc4c64b68934564407d37a9cae62f2bb0adb09a991d00d0e


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 08:33

Reported

2024-06-10 08:36

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\SRqPvyB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\etikcPx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jrvEfXa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gUvsFvC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RvyQcAA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XJdhjPh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RPZmduf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vxQjQqC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GRrQeQV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ghcIsyJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QUpJfoX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ldIMvcQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GITggoi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QZwYMIX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wkEbXDO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LaIGXyt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Ovsbxfu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dovlXIj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pacrUQW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PxZUauk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qEMpiuA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4016 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\SRqPvyB.exe
PID 4016 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\SRqPvyB.exe
PID 4016 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\wkEbXDO.exe
PID 4016 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\wkEbXDO.exe
PID 4016 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\vxQjQqC.exe
PID 4016 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\vxQjQqC.exe
PID 4016 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\LaIGXyt.exe
PID 4016 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\LaIGXyt.exe
PID 4016 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\Ovsbxfu.exe
PID 4016 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\Ovsbxfu.exe
PID 4016 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\pacrUQW.exe
PID 4016 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\pacrUQW.exe
PID 4016 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\dovlXIj.exe
PID 4016 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\dovlXIj.exe
PID 4016 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\ldIMvcQ.exe
PID 4016 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\ldIMvcQ.exe
PID 4016 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\GRrQeQV.exe
PID 4016 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\GRrQeQV.exe
PID 4016 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\PxZUauk.exe
PID 4016 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\PxZUauk.exe
PID 4016 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\ghcIsyJ.exe
PID 4016 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\ghcIsyJ.exe
PID 4016 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\QUpJfoX.exe
PID 4016 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\QUpJfoX.exe
PID 4016 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\GITggoi.exe
PID 4016 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\GITggoi.exe
PID 4016 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\gUvsFvC.exe
PID 4016 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\gUvsFvC.exe
PID 4016 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\qEMpiuA.exe
PID 4016 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\qEMpiuA.exe
PID 4016 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\etikcPx.exe
PID 4016 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\etikcPx.exe
PID 4016 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\RvyQcAA.exe
PID 4016 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\RvyQcAA.exe
PID 4016 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\jrvEfXa.exe
PID 4016 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\jrvEfXa.exe
PID 4016 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\QZwYMIX.exe
PID 4016 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\QZwYMIX.exe
PID 4016 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\XJdhjPh.exe
PID 4016 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\XJdhjPh.exe
PID 4016 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\RPZmduf.exe
PID 4016 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe C:\Windows\System\RPZmduf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_bb5c16352df9303191a68f54eb060f00_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\SRqPvyB.exe

C:\Windows\System\SRqPvyB.exe

C:\Windows\System\wkEbXDO.exe

C:\Windows\System\wkEbXDO.exe

C:\Windows\System\vxQjQqC.exe

C:\Windows\System\vxQjQqC.exe

C:\Windows\System\LaIGXyt.exe

C:\Windows\System\LaIGXyt.exe

C:\Windows\System\Ovsbxfu.exe

C:\Windows\System\Ovsbxfu.exe

C:\Windows\System\pacrUQW.exe

C:\Windows\System\pacrUQW.exe

C:\Windows\System\dovlXIj.exe

C:\Windows\System\dovlXIj.exe

C:\Windows\System\ldIMvcQ.exe

C:\Windows\System\ldIMvcQ.exe

C:\Windows\System\GRrQeQV.exe

C:\Windows\System\GRrQeQV.exe

C:\Windows\System\PxZUauk.exe

C:\Windows\System\PxZUauk.exe

C:\Windows\System\ghcIsyJ.exe

C:\Windows\System\ghcIsyJ.exe

C:\Windows\System\QUpJfoX.exe

C:\Windows\System\QUpJfoX.exe

C:\Windows\System\GITggoi.exe

C:\Windows\System\GITggoi.exe

C:\Windows\System\gUvsFvC.exe

C:\Windows\System\gUvsFvC.exe

C:\Windows\System\qEMpiuA.exe

C:\Windows\System\qEMpiuA.exe

C:\Windows\System\etikcPx.exe

C:\Windows\System\etikcPx.exe

C:\Windows\System\RvyQcAA.exe

C:\Windows\System\RvyQcAA.exe

C:\Windows\System\jrvEfXa.exe

C:\Windows\System\jrvEfXa.exe

C:\Windows\System\QZwYMIX.exe

C:\Windows\System\QZwYMIX.exe

C:\Windows\System\XJdhjPh.exe

C:\Windows\System\XJdhjPh.exe

C:\Windows\System\RPZmduf.exe

C:\Windows\System\RPZmduf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4016-0-0x00007FF7BEE90000-0x00007FF7BF1E4000-memory.dmp

memory/4016-1-0x000001F64D6A0000-0x000001F64D6B0000-memory.dmp

C:\Windows\System\SRqPvyB.exe

MD5 b06eaf61e95b8cbc7a8df83589f7a35e
SHA1 cd93746b9e91d588698f5b26f14d4b1ef81c124e
SHA256 047c3c42f2ce52079e70f1e95ceeaa59518babab081b0d544594ef4d34cca1ab
SHA512 bc7c5bc756dff6cc940563446bdeaa46a6ae7d7b3c802a49db5175eb81eac9aebf5400d84f4c32a625575a53a9187b25447d1cf0a01ffaf71cab84be8ce08200

C:\Windows\System\vxQjQqC.exe

MD5 90019705c78c3c187c676b3905b4bbe9
SHA1 788a996d922a35a4ae63aacb258a17469d1f7777
SHA256 d94c6092d4c6e5361ac7503617ed1b8c6d8f800c083e2ddf734b3823a946fcd5
SHA512 76b6f52a45d8cdfd258846f77115813c86508cad241979d981128c0eaa7cd06fe26123e75265a6e5d810ed3edc918f072c1cdbd58dbe140408434e8a5e7b93a8

C:\Windows\System\wkEbXDO.exe

MD5 74eaca9f21a52b42f00b1fb9448a5aa7
SHA1 df2d5df9ae6a6bea8afa9093d11cc0baf6fdab29
SHA256 a49c2585033c46d9ac96196fd09e22523403b0b5f321e67668dd72bd3da0bef3
SHA512 dd0b9a9bf234f3a89654b0695a1a8af8f60d3a929ae099cd703702ac45fd6ef75c89e73e9a8c566a3b70c766b83d00e866cccae0feb3a8b749c330152f2ef7ab

C:\Windows\System\Ovsbxfu.exe

MD5 84056270d876bee7ec0f1c866a7071ac
SHA1 fdcf54350e7f9529b82aaaf046acc2bbb096b0e8
SHA256 ab5be699af289bd17e2d1de873a92697d4b4baeb0bacbdf44dd33b7b08b3cafd
SHA512 087a1fac5ef4b2f7878d764dfd14e492d98efe2f6eede6ec8cdf1626644cd510bc7e5b57fa209f11085a3e97f80e91cd7d8cddef6351eca6ca3abff524959b4d

C:\Windows\System\LaIGXyt.exe

MD5 18c36091d128eb704f86a723d10be89a
SHA1 f67b0ea592f421bb45b08e5105b49d50a4754706
SHA256 bbcea96678a5a0ef933f8b67c00ccc6dc0644465f0cd222dc278a59737fe97e4
SHA512 cb66711ee837acad8f35c667126ae54a76e6e77018a85d90b4c40d16e837bb453d11acecffb66c4de3ff5697739b630be8901209b4f5134c1c05600f12e9b4f2

C:\Windows\System\pacrUQW.exe

MD5 021841b44c136345fef587c9a048f049
SHA1 dcb2038e58bc5f6035204c99ebb01f766e7cc8a9
SHA256 8a9703fb50d37ff0cd0d5253fe97b674eccb8bb7387b69467969be0a35ed0ead
SHA512 490fec80adfa3bef7deb33a91001f1dc92233130cbdb454283c2a10f8e275d67af0c90e7e4c09324a58fb797f7b4572f2776c5cd8c53881ffb7a5ec3d5a782f0

memory/2424-50-0x00007FF759130000-0x00007FF759484000-memory.dmp

memory/4308-54-0x00007FF693250000-0x00007FF6935A4000-memory.dmp

C:\Windows\System\GRrQeQV.exe

MD5 3daa8cfdbca1d9d351266d967ce3e4fb
SHA1 a627c53b1ffd75984e6a84b348a49af60b803b2b
SHA256 3477036d2790bcd3cb1cd438499b57c00855a13632df78c30c08c6aa59f4dbda
SHA512 d0bbbecc8d4362eb1cad526bd1b27ea8e948b666ef80837a8602ce7f0fb4bf1bec051f343cfd67c800366d8d50d01e7281e0a426ea0fc6000f06d5486f4c6d0e

C:\Windows\System\dovlXIj.exe

MD5 ec88e9e99c491e5b233f0f0e13d9ab94
SHA1 e9595a884d2ea56f4ea1f78ef31201274fbbc581
SHA256 73d58cb61229ce6d6da5e793d1dbc2ddcb3e2bb0d479cc6f56679e9d4ca45b23
SHA512 e100e3cfba47052326a949dd39e130898194b4268c8ad3449e73c3536f9c6c6662781fd598a44e35bc529030732974cb5c114c792e5aa136c3f5be025c213c6f

memory/4488-51-0x00007FF6AA120000-0x00007FF6AA474000-memory.dmp

C:\Windows\System\ldIMvcQ.exe

MD5 315d2b762e256d99d449c19ada1a716b
SHA1 81746afa982c423cff1acd7fb2d992c5962c13a8
SHA256 bf939f03ef31bc8ad4b45db0e279eebe4c51f820e905689d20308a279a9c41b9
SHA512 c502e4de4f21586fa707b7f4b8b3e6780cb5decdb820b0a597c1c2618a22073969a9020c51eddb6fdc4c64b68934564407d37a9cae62f2bb0adb09a991d00d0e


C:\Windows\System\PxZUauk.exe

MD5 f5c35f3abf35824aa511b6f223deba12
SHA1 8716f9ebf3586774c668df3d2f3584e42ac66db2
SHA256 d4613210544e964d1a2403ea0d4346ffc0a89eeb698d342344381a9581aac97f
SHA512 0665ac5c14bf287d1bce916f76bd0f488a8c23d22870182ae963e7bcd2f6a86422cd4b870548474e1f53a1e3cb232016cd99e56f75392ced1bdb056d41e68ef8

C:\Windows\System\ghcIsyJ.exe

MD5 970633dd2b2b84a5303cdd37eed46f47
SHA1 69ec83062d4f5696426d82f75edf3adeaed8b708
SHA256 c666036451c022798272e66e57423a398db53b0484a387a5dbd77fe4f6270fc7
SHA512 e6a8b877e9671c75de353404560339bd6e1f3d74cd83983cb439fb0a9501d37a28494166d97bcb4d4de3f46a8ba773c5877c3507f95ed94d02e9eceb73e44124

C:\Windows\System\GITggoi.exe

MD5 88acbbd842967a06f60915a927f33e3f
SHA1 45cf0f7dcc81f28857469e474654ca5868979afe
SHA256 07b72327afe27fc88c8be8cca5d7b02bd6705dcf41bf63eda843df8081f388df
SHA512 6c05d9a651ee48239f4cd9edb73e91c7ef83e9d14c4b9d195e2cf69bfba572c61562688a2f943dd3d33c2549bba329e6c2cb2e7e42bddb33c0e26f8fee40246c

C:\Windows\System\QUpJfoX.exe

MD5 4b18c8bc18cafaa28869ae1b0604aa9e
SHA1 522247484ea3ca46e2c7153b1c0110512561b840
SHA256 815ab0f68c2c256c8bf51d010cb144e0bd029e5e41f45a3760b4cd341ca602cf
SHA512 fdf1de2576c884435a9d4e384afec10567bd9f59dc8956b4e0fe8c09285a6fa0c6882f2225f51203da38e9a521231011f0988bbd058244e44471d5dc763f79b9

C:\Windows\System\qEMpiuA.exe

MD5 246134a244cc801bacddde31e680232d
SHA1 3ffce6ece24b444661fab50765acd10699920ab4
SHA256 b25e35546621dcaf182b949c42fc28a1f5ad087bc2ef445a50caeeea53ddc837
SHA512 8a3f4d097011e44d03b2423ab45f62daebc3d88432d83e41d0cebad2792a529dbf8c641f5bfe4e0d61557e22a54937a624153192ab5a1684147614a7b92a1c25

memory/4028-91-0x00007FF788D80000-0x00007FF7890D4000-memory.dmp

C:\Windows\System\RvyQcAA.exe

MD5 afcdcdd14d14b02f26f6f3d1051e149f
SHA1 9086d92bea3ce85f9efce8e966eab8672ff7e35e
SHA256 cf8da61b72a383d4075b6c42313281181e183f199aca264695da16fe6d19ee08
SHA512 2084f012da94d9d6d27896da5f5793833d94074cfde3fa30bc07405edda13b0fd81f899fe4485dccd5345812b184f82bf1fb05c3f8dbea590879be590583898e

memory/2068-98-0x00007FF704AF0000-0x00007FF704E44000-memory.dmp

C:\Windows\System\jrvEfXa.exe

MD5 d1176e200522e57402d151466a2133ab
SHA1 5c1b178a3bbdc74cf7e69f6d21088dff44ac5719
SHA256 5a171031e89580f117f95c17d41be110f7cd840da02e869fb41208853197659a
SHA512 45080887f750c353aa0b660984560198334e3e311514c7e42d9b4e9a0dbf921dfa2593a40ed67694cd503ff514e7efe8ccd763d0e944bfa5165c50fa0a6facb1

memory/4184-111-0x00007FF6A68B0000-0x00007FF6A6C04000-memory.dmp

memory/2164-110-0x00007FF7420B0000-0x00007FF742404000-memory.dmp

C:\Windows\System\etikcPx.exe

MD5 9c6ed1ee90d058602ea891ac49057c25
SHA1 432807b4bd164a1ee78dd599645ea53add1b8a27
SHA256 990f085ff1f283e012d33d0276278401b7bb7c901e04f7917d13165f9eb0b004
SHA512 2415f1bd42f4ff763d772a2d90df5e6279cc7519235c699f3f5b0a015a9dc945d27b8214ef1d1d3aa47df8b8c72d42c29829f2f5f36a90028ee2479435a74ca3

memory/640-102-0x00007FF7BA670000-0x00007FF7BA9C4000-memory.dmp

memory/3972-96-0x00007FF7D6D60000-0x00007FF7D70B4000-memory.dmp

C:\Windows\System\gUvsFvC.exe

MD5 5b6c03b6cf4ce4bf2fc7278af61f2d54
SHA1 12c13ffc5efd638bfbbd9ab54dfc4d7e91e1a038
SHA256 9ca55556c92ac76c0af0e9dd774a3708fb5b2940247b31056b477c369b565e2d
SHA512 088f1fb11413bb0ad8acdf370bdd2c385d187b4831a5203e333dfebc0c12bd4659a390e5649dcbfa2dea0117222e89955c8a2928bb0bbaf39737c2a9e14284f8


C:\Windows\System\QZwYMIX.exe

MD5 317c844baada6b78d2757ae01dd60b77
SHA1 4dc601feaaa0331c37e7f75503e45350afcbf034
SHA256 7b1ca10d37c7cca91bad1bc27694f1c0799776e35626c542ebc477dc8da76ead
SHA512 81df45d32913bfd19d058c0274d6bc8b4a89330449fd63c40224d8ae11a58c5500f2e843806b033ecbd961ee038ab897b7f469be359672ed19aaa86d7987b9a6

memory/3148-117-0x00007FF663560000-0x00007FF6638B4000-memory.dmp

C:\Windows\System\RPZmduf.exe

MD5 0f9759ab3f10c367077d9c283064da33
SHA1 a22a2baeff26161a877bcf36133526461dd5eab3
SHA256 d656cf45005a3297a78f1c0afb77e1fd7270f606f8e71333a6d9d8daaf8f02be
SHA512 fca2b0e32aa6d5fe7fec9a643a92c746b5f8dd973308bb405c70dee80758ea372bce1844bde4957952a341ee1bbbcc32a8f0bcc4a4c1d8caf098d85a5685e413


C:\Windows\System\XJdhjPh.exe

MD5 92c9921fe2b1e60cbcfede7cc9286bc9
SHA1 8e0baf2aa68eae67653a415f4a3888e42fddb199
SHA256 abeb01fb8b198f5e7640131bcf7665b3aa1729cd75a62a43db06e25e2f5cafc5
SHA512 e2391edbc125e20abb863e099dcf8d1cc8e84a1071565835be4920ab22b6927daec6f0b0e27bc5bf4024b6981a6c5086956dfdd81e5cb6c63041e65ddc88ccf5
