Malware Analysis Report

2025-01-22 19:40

Sample ID 240601-h2de1sed48
Target 2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike
SHA256 7d7a08fa42441addadf380179bcf5a3002e8f0652d5faa6d9505d533e5e6728f
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7d7a08fa42441addadf380179bcf5a3002e8f0652d5faa6d9505d533e5e6728f

Threat Level: Known bad

The file 2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

UPX dump on OEP (original entry point)

xmrig

Cobaltstrike

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

Xmrig family

Cobaltstrike family

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:13

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:13

Reported

2024-06-01 07:16

Platform

win7-20231129-en

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\eHNBlrS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FpRrzMb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SNVlZCf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CGgjztT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qAAgtDV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HNrhRDD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gNbOaUH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lUfKAVi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fLvDBGs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vCPSsSb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QLxwsNP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\avMpoOW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZPvjeXB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AWRQdgm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JOJDrjq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NQnAuns.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\teqBPnN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tJjYYKU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PHBLOUM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hGDomNT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aFgiwvh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\tJjYYKU.exe
PID 624 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\HNrhRDD.exe
PID 624 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PHBLOUM.exe
PID 624 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\gNbOaUH.exe
PID 624 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\eHNBlrS.exe
PID 624 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FpRrzMb.exe
PID 624 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\SNVlZCf.exe
PID 624 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\CGgjztT.exe
PID 624 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\avMpoOW.exe
PID 624 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZPvjeXB.exe
PID 624 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\lUfKAVi.exe
PID 624 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\AWRQdgm.exe
PID 624 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\hGDomNT.exe
PID 624 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\qAAgtDV.exe
PID 624 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\JOJDrjq.exe
PID 624 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\fLvDBGs.exe
PID 624 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\NQnAuns.exe
PID 624 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\teqBPnN.exe
PID 624 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\vCPSsSb.exe
PID 624 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\QLxwsNP.exe
PID 624 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\aFgiwvh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\tJjYYKU.exe

C:\Windows\System\HNrhRDD.exe

C:\Windows\System\PHBLOUM.exe

C:\Windows\System\gNbOaUH.exe

C:\Windows\System\eHNBlrS.exe

C:\Windows\System\FpRrzMb.exe

C:\Windows\System\SNVlZCf.exe

C:\Windows\System\CGgjztT.exe

C:\Windows\System\avMpoOW.exe

C:\Windows\System\ZPvjeXB.exe

C:\Windows\System\lUfKAVi.exe

C:\Windows\System\AWRQdgm.exe

C:\Windows\System\hGDomNT.exe

C:\Windows\System\qAAgtDV.exe

C:\Windows\System\JOJDrjq.exe

C:\Windows\System\fLvDBGs.exe

C:\Windows\System\NQnAuns.exe

C:\Windows\System\teqBPnN.exe

C:\Windows\System\vCPSsSb.exe

C:\Windows\System\QLxwsNP.exe

C:\Windows\System\aFgiwvh.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2140-84-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

memory/624-82-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

memory/2608-140-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/2488-141-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/2732-142-0x000000013F510000-0x000000013F864000-memory.dmp

memory/624-143-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/1996-144-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2140-145-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

memory/2316-147-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/1072-146-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2660-148-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2704-149-0x000000013FC90000-0x000000013FFE4000-memory.dmp

memory/2488-150-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/2608-151-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/2732-152-0x000000013F510000-0x000000013F864000-memory.dmp

memory/2412-153-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/2168-154-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/2120-155-0x000000013FEF0000-0x0000000140244000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:13

Reported

2024-06-01 07:16

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\pNhQcpZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KWZwEoh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XGyxgZm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lUxXuol.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YBunsxq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ytCoXmv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\shnlJok.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mzrWiRJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZdAKHwT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vMkKetx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ljXKBgJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jotXVKU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dJEHhBn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DFIuCBH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QoszihL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jtIUNxq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gZWIWIU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tPEDdOy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fcsAIGa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SEcanHo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CMbXiML.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3500 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\QoszihL.exe
PID 3500 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\QoszihL.exe
PID 3500 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\XGyxgZm.exe
PID 3500 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\XGyxgZm.exe
PID 3500 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\jtIUNxq.exe
PID 3500 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\jtIUNxq.exe
PID 3500 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\fcsAIGa.exe
PID 3500 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\fcsAIGa.exe
PID 3500 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\vMkKetx.exe
PID 3500 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\vMkKetx.exe
PID 3500 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ljXKBgJ.exe
PID 3500 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ljXKBgJ.exe
PID 3500 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\jotXVKU.exe
PID 3500 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\jotXVKU.exe
PID 3500 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\lUxXuol.exe
PID 3500 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\lUxXuol.exe
PID 3500 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\gZWIWIU.exe
PID 3500 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\gZWIWIU.exe
PID 3500 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\dJEHhBn.exe
PID 3500 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\dJEHhBn.exe
PID 3500 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\tPEDdOy.exe
PID 3500 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\tPEDdOy.exe
PID 3500 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\shnlJok.exe
PID 3500 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\shnlJok.exe
PID 3500 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\SEcanHo.exe
PID 3500 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\SEcanHo.exe
PID 3500 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\YBunsxq.exe
PID 3500 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\YBunsxq.exe
PID 3500 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\mzrWiRJ.exe
PID 3500 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\mzrWiRJ.exe
PID 3500 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ytCoXmv.exe
PID 3500 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ytCoXmv.exe
PID 3500 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZdAKHwT.exe
PID 3500 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZdAKHwT.exe
PID 3500 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNhQcpZ.exe
PID 3500 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNhQcpZ.exe
PID 3500 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\DFIuCBH.exe
PID 3500 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\DFIuCBH.exe
PID 3500 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\KWZwEoh.exe
PID 3500 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\KWZwEoh.exe
PID 3500 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\CMbXiML.exe
PID 3500 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe C:\Windows\System\CMbXiML.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\QoszihL.exe

C:\Windows\System\QoszihL.exe

C:\Windows\System\XGyxgZm.exe

C:\Windows\System\XGyxgZm.exe

C:\Windows\System\jtIUNxq.exe

C:\Windows\System\jtIUNxq.exe

C:\Windows\System\fcsAIGa.exe

C:\Windows\System\fcsAIGa.exe

C:\Windows\System\vMkKetx.exe

C:\Windows\System\vMkKetx.exe

C:\Windows\System\ljXKBgJ.exe

C:\Windows\System\ljXKBgJ.exe

C:\Windows\System\jotXVKU.exe

C:\Windows\System\jotXVKU.exe

C:\Windows\System\lUxXuol.exe

C:\Windows\System\lUxXuol.exe

C:\Windows\System\gZWIWIU.exe

C:\Windows\System\gZWIWIU.exe

C:\Windows\System\dJEHhBn.exe

C:\Windows\System\dJEHhBn.exe

C:\Windows\System\tPEDdOy.exe

C:\Windows\System\tPEDdOy.exe

C:\Windows\System\shnlJok.exe

C:\Windows\System\shnlJok.exe

C:\Windows\System\SEcanHo.exe

C:\Windows\System\SEcanHo.exe

C:\Windows\System\YBunsxq.exe

C:\Windows\System\YBunsxq.exe

C:\Windows\System\mzrWiRJ.exe

C:\Windows\System\mzrWiRJ.exe

C:\Windows\System\ytCoXmv.exe

C:\Windows\System\ytCoXmv.exe

C:\Windows\System\ZdAKHwT.exe

C:\Windows\System\ZdAKHwT.exe

C:\Windows\System\pNhQcpZ.exe

C:\Windows\System\pNhQcpZ.exe

C:\Windows\System\DFIuCBH.exe

C:\Windows\System\DFIuCBH.exe

C:\Windows\System\KWZwEoh.exe

C:\Windows\System\KWZwEoh.exe

C:\Windows\System\CMbXiML.exe

C:\Windows\System\CMbXiML.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3500-0-0x00007FF603180000-0x00007FF6034D4000-memory.dmp

memory/3500-1-0x00000248C8200000-0x00000248C8210000-memory.dmp

C:\Windows\System\QoszihL.exe

MD5 383320d26906bc6bf89ca0c59c44830c
SHA1 b7cadf8faa88d099cc7a2f98096db959d863ac5f
SHA256 79eb820c017c9113864c7ecf9c729535c1cc077208bf560be237c9cdd5f2a89e
SHA512 2004cb5b3c7caf0852af8d9e7d1275b605a32756df5c4d32a902690661c163e527640bfe8da4549f1e96e8b788e85534789f522c554194cc7924ddec4834da82

C:\Windows\System\XGyxgZm.exe

MD5 1e75202bde1b2da8964f3a0f4bee0d20
SHA1 01c10ab63963257b6eef8526dbffef67330a20b5
SHA256 e620f337a07bd05568a61510ab67f19c1b6b84d241e4ed3fb88b6c624d956ede
SHA512 75e5440c53ae4b45e3333032e6a7cb7f33e7d14aeb86a4b0ba5e7d6361e904ab11384cad3b1cf7ffa93b205961bd6cc66e1f35a5361f3ea657fafbcb20e76e7c

memory/1640-10-0x00007FF76D760000-0x00007FF76DAB4000-memory.dmp

memory/2436-16-0x00007FF662F20000-0x00007FF663274000-memory.dmp

C:\Windows\System\fcsAIGa.exe

MD5 82478fa92285450308f79d7543aed660
SHA1 e122572726349fc971c5828f9ff35c1edee571a0
SHA256 ed78acc1339153ef3d104d90d99d4cf091bd4a2a956fa2b0bf573c09278aa42f
SHA512 7aa918dd971e22a91be5ed915f9cd9c6a6eba67a5c8cd2ebfc741781e1536c5795fa68a57d1eeadb80ab9d6a5fb06108fc6ded744871fd0c450c77ac4d612aa4

memory/2772-26-0x00007FF736310000-0x00007FF736664000-memory.dmp

memory/3504-25-0x00007FF706F50000-0x00007FF7072A4000-memory.dmp

C:\Windows\System\jtIUNxq.exe

MD5 d3c85769aa8b4f9722da0c0bee079280
SHA1 34139849152658a5980b03b407cf71aefdf55a7a
SHA256 4de461f2a81728de27d98448bfbf2b74c30f2b1ba2b7f0a5378820f3bb884d77
SHA512 5846f7ef3a0b5c449177e13a09495d27a55cdb49a64da4617d350e5e5fb127e3020dc057ee613dc21aba65524ccd0eb87993b3bfc66245bb5dd1c7080f02275e

C:\Windows\System\vMkKetx.exe

MD5 b2cb4cd51f9d7b01daef0f05c5c77a95
SHA1 4d970e11d1acdf7baee211423df6c0ca516dd940
SHA256 4da2e5bfffcd7b46ff8f2deb51b469a4c82b5864222f2367981e6a1e0915d6c4
SHA512 18d9b6d5729fdc54669effd2871dd0d52d05f31fdba83327d1cc0164179f599539dada1d57657a5d258df49bb6224aab65c3d1aae5f08c8e701cb3ec8fc51969

memory/3116-32-0x00007FF646850000-0x00007FF646BA4000-memory.dmp

C:\Windows\System\ljXKBgJ.exe

MD5 3aa53d0f9b459f3e1660c9cba258a119
SHA1 3ca5772c8eff8b44e1d925cc03c519e706adf470
SHA256 fcd20c51688bdc9e6766d5dab5a65e83f357780526055738ab70da8205a71189
SHA512 dd7c08b1f6bb927c0e10b12bb39c6df0b10fa0356eb774405c2ca7d219f3d0aea8f370df6053234869ca680714ccf4c7ed773eb3384f6627a7db977e0f56dbd2

C:\Windows\System\lUxXuol.exe

MD5 6279182b6bc72dc3d337447b04c0d1eb
SHA1 f73f5b48a2ce65294f288a66f028440dcaecf185
SHA256 da91f30fbd5c964d75ecdb523b6556a62c02283540fab5e70e432ffba9d27a21
SHA512 d81bc20e15e7255f508aae052ade670ec8ca4be413f6cdea85ea03bf2b5ea6913013c5b3280f7da4f33ca18c350466f6ab62949c2c7f0f4e4985297938d03433

memory/2964-51-0x00007FF676FE0000-0x00007FF677334000-memory.dmp

C:\Windows\System\jotXVKU.exe

MD5 6433c8c181ea7f4dcaf0dfd18166a52b
SHA1 68159ecf3eb3a7a16ba3b7941cc2067ec62da1b5
SHA256 c0b01a2fa70f74e0636c905830fb9fc0095ec47d959ed19b8a6e0d458520b0a5
SHA512 8334e9aa8407f976e6bb086835de6e406d4fc10136a8749788cbd80c5f7fa30b4bd4bef9088c3a5c54c72ddc049143414fda36fd55bf2d4541c7750ccf3213fa

C:\Windows\System\dJEHhBn.exe

MD5 b3060b47dfd2cd3888461987f30a29cf
SHA1 36a5f876cd5e163924f37afea47f5e89fc3971f7
SHA256 b376ba7682e6ecc2b3e780d53f0a29a0e25927ee187141ce9610c55f8d152cc0
SHA512 9f148b2c9d9f751141ed91f4b403c2a663824ebb9d2022a3210f3c5902efe8bda1d25cf9ffdc01bf99c8e735b10700d029b4e08e8eea79f0d9e2c083d48a8102

C:\Windows\System\gZWIWIU.exe

MD5 d52316bce07d5dae579b6c773a4839a5
SHA1 52e79ac97d98d4dd4a4dc22acdbe65bc1304d4df
SHA256 3038eaeaafbfd9d62d584065cd2d22d74770418126fc7fe7eeca38b07eec25f8
SHA512 d78abb6cf143ddffe21b9e62e3646203b112fe9fc0a862071202dec358caac83491dbc0625b27dfd0af39fd35619ac320269171771d5f6c504513f5b6159f679

memory/3312-57-0x00007FF6C8160000-0x00007FF6C84B4000-memory.dmp

C:\Windows\System\tPEDdOy.exe

MD5 c3c493ee937fc4eab7672a9e621fccfc
SHA1 7d4a4c4ed53cfa8df753e0d908a35b45d2ec8d93
SHA256 7b2123dd1fdc4d9da2aa91053dc50a3cfa9da9d05f98d30d4bc7d4d863ad7b88
SHA512 c9a9c11ea6fe990f4ed076350be3296d4ca96666830ea0ecd02adc752a2d2110d9fdbbd55d95d442af4937df7671df03c3b8ecf26a75ffc37d43200bbfcaa091

C:\Windows\System\SEcanHo.exe

MD5 23e13dcb33f33544dc3626c0ba0ffbae
SHA1 daf5910d1c04c0cff501225384746e50d5c756d5
SHA256 444d2cc49eca65f0727b26a6c8a2c2273479c12ff7a53fdbe5d6e69b05bfe211
SHA512 d30d9fadcb0012d0c96557b0af52174f2d88b1c4887255180a1c1aca07a9da097f725378a7dbf9efeddbaed4ccbc19cedf098514bb52fb4b1d26b01bb40d60da

C:\Windows\System\ytCoXmv.exe

MD5 b3e20c9a4613e61abe92aced890cec13
SHA1 878ef5d4a8d1e35d2a22651643d912a9c4d64226
SHA256 e5625f633100be0d5a29943b79cf849bb8b80e0dc6f32748988e939c96ed046b
SHA512 ffa8972735a89b0dac31c5261e73191c09c0bc612d5c9d379e4b1f25ad63687e40339343735e898962e6478433651044948598cc7e07ac1e81731acedfdadf6c

C:\Windows\System\pNhQcpZ.exe

MD5 d940c2a5ba8c9e2ee4a337ec9e210a65
SHA1 49fbb9493d2d561a762a4def2ca218989c6b1043
SHA256 7a83173d3ba3d2727cf9b5ac7ca646347f3782bbc19286b691fd3c0ef6a19cc5
SHA512 d1b395b6a012eda3406af9244ce18d99f22c0ca0a4181be941b1fcecb99535c121fdb62ae68531d277427c9e744557605ddb48afe0c16030c5e7557d1bd9d6a7

C:\Windows\System\CMbXiML.exe

MD5 4544d18ac0a3754bdac6f74e02db7ddc
SHA1 3ebdf0c81fcf7a8f8fee4631e3189cdfa5766aad
SHA256 3108d61a701d0c3575c5b474c4d9d92719dd13859bdb81f5414738a8d310910e
SHA512 f86e32fb6a92eb9a118b1c2113e60d6e84b1e3fd0a5c23035243d4bed6dc38c4f12ac4531240f11f7366fa05ca8912d84b0fd2334361107069403206964a5fa2

C:\Windows\System\KWZwEoh.exe

MD5 46005f27db5f5d4c9b8ba7744cf97de1
SHA1 41dba6eb7a43edd339e103b5cf48cf165002df1a
SHA256 347db79a9a964ceda0eb098dcfff0cb944a1911b4931cbc3170d3dd8b9c0d6a0
SHA512 5ebb9e27e24a9986a4775c39d03c8a41c822c3e8a482c4d7120d63a1f3e284e698bdaa072b90b855fd0118d50c6524bb1eb88e29571b4f542c2619aa8b6686a1

C:\Windows\System\DFIuCBH.exe

MD5 666b10ae040e2fc840c0c79e40079ea3
SHA1 7439fdc5015a118023ab3eaf351f39d3dda6ea2c
SHA256 ac0bce2373144542196a3fd57a34ffe6a7dd95f140d1f0b5eed04b002b466d7f
SHA512 c9ef8071012b5b25c72c67d383484409137f08ad6b333e745879a295bcc055169ceeb23235a04e1bc9cdb72ba74fa1e7c651b81eea84652a502538d5d41eb1d8

C:\Windows\System\ZdAKHwT.exe

MD5 e4c8961f8c22bf4ef76732641be63b0f
SHA1 c61205e3dbaed8cfdd7dd5c3c526fdddfceb2194
SHA256 a24887632c64fe6aab2011fc33b2cb6b2e321d40b1feea2e69992bb16259df35
SHA512 a1321819d4e96ef54a5b9ce2c21756ac604df1cba7304fb5b411270c946ddc23773ca4408c986f05a5fb6490a10f322e6d65b9e38b842f131c3dd1e87eb2fd10

C:\Windows\System\mzrWiRJ.exe

MD5 cf1230b52d43e812214a025a646e7f36
SHA1 03be1d46a1c933852f11b437ec8b55e595e705e2
SHA256 5bf52bfbdbda88d3673b4c4ff2f6c1418e9f2f6cffa0e3939efe1baa1ba5f72d
SHA512 d89b8216e4abd642264cd5848ad25bc32e199d85eae5be85c12cec7ecb9a13c8586f636fbc542d87223d55ff109b95baadfe263381b29de1da1889bf52487bdd

C:\Windows\System\YBunsxq.exe

MD5 6a19d0acc037324bc067b0e50988f223
SHA1 87e0879df912f8859a3ad311109867ec56837d64
SHA256 c56289d65b6fc7f0e1e94d9b6065f92594456132b677169f459976bb803ec5e0
SHA512 cb8776b1cc2ecd602037c75dca5f66eb51e18e9bb1e5ee2c4bf044c99071174ff71e2ac17e664d06838354fa07817b00020940b921a29e945f79b23380b0c803

C:\Windows\System\shnlJok.exe

MD5 a97d48b7de5f62ce7c7ce4f451e1d16f
SHA1 51b9eeee364b6a4dadcdf86f43165b3d4a54b7e4
SHA256 cbfe4ec6a2f54120e097a9b6f5f47e88a4073256be00a57367e57aee9d2870ec
SHA512 52a36c89fc0f3ecfcbda5c2c118d614ef78bca0c8e427443617e18a2f5f1133c9e41fdc5af172a62560abca64b5ca27f7a4bb30034fbd25bf4bcb3d14bdba812

memory/5040-50-0x00007FF75B750000-0x00007FF75BAA4000-memory.dmp

memory/1812-43-0x00007FF637420000-0x00007FF637774000-memory.dmp

memory/3436-116-0x00007FF7F0460000-0x00007FF7F07B4000-memory.dmp

memory/2224-117-0x00007FF7C1490000-0x00007FF7C17E4000-memory.dmp

memory/3044-118-0x00007FF71AE20000-0x00007FF71B174000-memory.dmp

memory/1112-119-0x00007FF70AC80000-0x00007FF70AFD4000-memory.dmp

memory/3096-120-0x00007FF744390000-0x00007FF7446E4000-memory.dmp

memory/3888-121-0x00007FF67D5D0000-0x00007FF67D924000-memory.dmp

memory/1708-122-0x00007FF693FE0000-0x00007FF694334000-memory.dmp

memory/4776-123-0x00007FF7E1900000-0x00007FF7E1C54000-memory.dmp

memory/2444-124-0x00007FF7FF360000-0x00007FF7FF6B4000-memory.dmp

memory/1372-125-0x00007FF74BA80000-0x00007FF74BDD4000-memory.dmp

memory/3948-126-0x00007FF7022F0000-0x00007FF702644000-memory.dmp

memory/3500-127-0x00007FF603180000-0x00007FF6034D4000-memory.dmp

memory/3064-128-0x00007FF684170000-0x00007FF6844C4000-memory.dmp

memory/2436-129-0x00007FF662F20000-0x00007FF663274000-memory.dmp

memory/3504-130-0x00007FF706F50000-0x00007FF7072A4000-memory.dmp

memory/3116-131-0x00007FF646850000-0x00007FF646BA4000-memory.dmp

memory/1812-132-0x00007FF637420000-0x00007FF637774000-memory.dmp

memory/2964-133-0x00007FF676FE0000-0x00007FF677334000-memory.dmp

memory/3312-134-0x00007FF6C8160000-0x00007FF6C84B4000-memory.dmp

memory/1640-135-0x00007FF76D760000-0x00007FF76DAB4000-memory.dmp

memory/2436-136-0x00007FF662F20000-0x00007FF663274000-memory.dmp

memory/3504-137-0x00007FF706F50000-0x00007FF7072A4000-memory.dmp

memory/2772-138-0x00007FF736310000-0x00007FF736664000-memory.dmp

memory/3116-139-0x00007FF646850000-0x00007FF646BA4000-memory.dmp

memory/1812-140-0x00007FF637420000-0x00007FF637774000-memory.dmp

memory/5040-141-0x00007FF75B750000-0x00007FF75BAA4000-memory.dmp

memory/3436-142-0x00007FF7F0460000-0x00007FF7F07B4000-memory.dmp

memory/3312-143-0x00007FF6C8160000-0x00007FF6C84B4000-memory.dmp

memory/2964-144-0x00007FF676FE0000-0x00007FF677334000-memory.dmp

memory/2224-145-0x00007FF7C1490000-0x00007FF7C17E4000-memory.dmp

memory/3064-146-0x00007FF684170000-0x00007FF6844C4000-memory.dmp

memory/3044-147-0x00007FF71AE20000-0x00007FF71B174000-memory.dmp

memory/3888-152-0x00007FF67D5D0000-0x00007FF67D924000-memory.dmp

memory/1708-151-0x00007FF693FE0000-0x00007FF694334000-memory.dmp

memory/4776-150-0x00007FF7E1900000-0x00007FF7E1C54000-memory.dmp

memory/1112-149-0x00007FF70AC80000-0x00007FF70AFD4000-memory.dmp

memory/3096-148-0x00007FF744390000-0x00007FF7446E4000-memory.dmp

memory/1372-154-0x00007FF74BA80000-0x00007FF74BDD4000-memory.dmp

memory/3948-153-0x00007FF7022F0000-0x00007FF702644000-memory.dmp

memory/2444-155-0x00007FF7FF360000-0x00007FF7FF6B4000-memory.dmp