Malware Analysis Report

2025-01-22 19:34

Sample ID 240601-nkjhlabb4y
Target 2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike
SHA256 07a71a44ac6d0e79258d875c25fe96f5fc1d40cfcaa7eff91f4627c511fc8d08
Tags: cobaltstrike xmrig 0 backdoor miner trojan upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

07a71a44ac6d0e79258d875c25fe96f5fc1d40cfcaa7eff91f4627c511fc8d08

Threat Level: Known bad

The file 2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family

XMRig Miner payload

Xmrig family

Cobaltstrike

UPX dump on OEP (original entry point)

xmrig

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 11:27

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 11:27

Reported

2024-06-01 11:29

Platform

win7-20240220-en

Max time kernel

134s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 hits, no details reported)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 hits, no details reported)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (51 hits, no details reported)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (56 hits, no details reported)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A (21 identical hits)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (51 hits, no details reported)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yYrAGzG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TdNdCvN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QoGSQZO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TthRaGg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rOGsccr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\thvABMC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TugnGLU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UZYeqVs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lvFEbYA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LavJcMB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HydZuKC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\axqrRii.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hZSjwfI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QXjNdxx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rPzvBpA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wxkhTXQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bUEZgHK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tyDScNr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OLIfnCC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CRIdGVV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dIggINH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\TugnGLU.exe
PID 3036 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\TugnGLU.exe
PID 3036 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\TugnGLU.exe
PID 3036 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\CRIdGVV.exe
PID 3036 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\CRIdGVV.exe
PID 3036 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\CRIdGVV.exe
PID 3036 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\hZSjwfI.exe
PID 3036 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\hZSjwfI.exe
PID 3036 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\hZSjwfI.exe
PID 3036 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\QoGSQZO.exe
PID 3036 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\QoGSQZO.exe
PID 3036 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\QoGSQZO.exe
PID 3036 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\dIggINH.exe
PID 3036 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\dIggINH.exe
PID 3036 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\dIggINH.exe
PID 3036 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\TthRaGg.exe
PID 3036 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\TthRaGg.exe
PID 3036 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\TthRaGg.exe
PID 3036 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\yYrAGzG.exe
PID 3036 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\yYrAGzG.exe
PID 3036 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\yYrAGzG.exe
PID 3036 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\QXjNdxx.exe
PID 3036 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\QXjNdxx.exe
PID 3036 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\QXjNdxx.exe
PID 3036 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPzvBpA.exe
PID 3036 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPzvBpA.exe
PID 3036 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPzvBpA.exe
PID 3036 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\UZYeqVs.exe
PID 3036 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\UZYeqVs.exe
PID 3036 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\UZYeqVs.exe
PID 3036 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\wxkhTXQ.exe
PID 3036 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\wxkhTXQ.exe
PID 3036 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\wxkhTXQ.exe
PID 3036 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\lvFEbYA.exe
PID 3036 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\lvFEbYA.exe
PID 3036 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\lvFEbYA.exe
PID 3036 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\bUEZgHK.exe
PID 3036 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\bUEZgHK.exe
PID 3036 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\bUEZgHK.exe
PID 3036 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\LavJcMB.exe
PID 3036 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\LavJcMB.exe
PID 3036 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\LavJcMB.exe
PID 3036 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\tyDScNr.exe
PID 3036 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\tyDScNr.exe
PID 3036 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\tyDScNr.exe
PID 3036 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\HydZuKC.exe
PID 3036 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\HydZuKC.exe
PID 3036 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\HydZuKC.exe
PID 3036 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\axqrRii.exe
PID 3036 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\axqrRii.exe
PID 3036 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\axqrRii.exe
PID 3036 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\TdNdCvN.exe
PID 3036 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\TdNdCvN.exe
PID 3036 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\TdNdCvN.exe
PID 3036 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\OLIfnCC.exe
PID 3036 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\OLIfnCC.exe
PID 3036 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\OLIfnCC.exe
PID 3036 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\rOGsccr.exe
PID 3036 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\rOGsccr.exe
PID 3036 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\rOGsccr.exe
PID 3036 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\thvABMC.exe
PID 3036 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\thvABMC.exe
PID 3036 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\thvABMC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\TugnGLU.exe

C:\Windows\System\TugnGLU.exe

C:\Windows\System\CRIdGVV.exe

C:\Windows\System\CRIdGVV.exe

C:\Windows\System\hZSjwfI.exe

C:\Windows\System\hZSjwfI.exe

C:\Windows\System\QoGSQZO.exe

C:\Windows\System\QoGSQZO.exe

C:\Windows\System\dIggINH.exe

C:\Windows\System\dIggINH.exe

C:\Windows\System\TthRaGg.exe

C:\Windows\System\TthRaGg.exe

C:\Windows\System\yYrAGzG.exe

C:\Windows\System\yYrAGzG.exe

C:\Windows\System\QXjNdxx.exe

C:\Windows\System\QXjNdxx.exe

C:\Windows\System\rPzvBpA.exe

C:\Windows\System\rPzvBpA.exe

C:\Windows\System\UZYeqVs.exe

C:\Windows\System\UZYeqVs.exe

C:\Windows\System\wxkhTXQ.exe

C:\Windows\System\wxkhTXQ.exe

C:\Windows\System\lvFEbYA.exe

C:\Windows\System\lvFEbYA.exe

C:\Windows\System\bUEZgHK.exe

C:\Windows\System\bUEZgHK.exe

C:\Windows\System\LavJcMB.exe

C:\Windows\System\LavJcMB.exe

C:\Windows\System\tyDScNr.exe

C:\Windows\System\tyDScNr.exe

C:\Windows\System\HydZuKC.exe

C:\Windows\System\HydZuKC.exe

C:\Windows\System\axqrRii.exe

C:\Windows\System\axqrRii.exe

C:\Windows\System\TdNdCvN.exe

C:\Windows\System\TdNdCvN.exe

C:\Windows\System\OLIfnCC.exe

C:\Windows\System\OLIfnCC.exe

C:\Windows\System\rOGsccr.exe

C:\Windows\System\rOGsccr.exe

C:\Windows\System\thvABMC.exe

C:\Windows\System\thvABMC.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical connections, no domain recorded)

Files

memory/3036-0-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/3036-1-0x00000000002F0000-0x0000000000300000-memory.dmp

C:\Windows\system\TugnGLU.exe

MD5 d295c664e594819dd242bfe1c2bbc6d4
SHA1 47e2de39ea8332be0f06ac955099182b60023bb8
SHA256 cf504450a75773f8afef653134fc5be2403519fbcc03f62eddf5db97ad28e50b
SHA512 89ab0216eceda84befe8cb7d5d3115d16a5fb926e5aa304f9be4adaa531f409ba644411d84e03fd79fd6f63d0f07c29512fda2c0b2d5cb5519eeabc88b3fc7e1

C:\Windows\system\CRIdGVV.exe

MD5 4f64455d59961a6cce53a66ce0e13360
SHA1 a7f15cb96508aac7a007101bb32048e3d1ae06f9
SHA256 f53532bc7ff870030bfb84f45a21b0459ca714809154b84ec84fa1119d3b6978
SHA512 696d82d58e1026ae9520452b9a6770517d7fa9b576667ef532dd360a023db447f2dd59370caafd85352784afad71bc66e91403e1e2aa939ada1a041b6fb070c1

\Windows\system\dIggINH.exe

MD5 95add4c03dc89d2f5c2a0fdd0ecb9d72
SHA1 ec237bf3b7373e3b285fb900a18bd96d829f73f1
SHA256 fe8202ec79cddd3ad7bdd594c3930bfa09998eaba1f95df4ce7697d440f9183c
SHA512 8d0b2d0524e49c25158b33ef3aa82c236e898d5827f4172fa0a150d3056d82a5dc06c8dcf6faa58367a0edb11f884fb98da8be51ea394c69b249f3d76dd293db

C:\Windows\system\QoGSQZO.exe

MD5 53098ad70ad11d5afb40bbb12a07f29b
SHA1 4f6eccbae4b814dde489a945ae7b0f2d9e1b51b1
SHA256 d5cd86f7c71d14d3fbe5c835418c74a8eec0456c35c09df28dbe26a17184cc4d
SHA512 0aba081f031fb1f2dcea4a690f7a9fa18b05514e73401bcbbfabeb9abb7ba2df1e6497cd73edfc1994ac691471ff636a590ec46b04d897d7e746e92df5dbcd3c

C:\Windows\system\hZSjwfI.exe

MD5 209f9007dddcbffc0e2d947861b58403
SHA1 e3857f9cbe3c7c6d4160771e5569973346875063
SHA256 dd7201391289d76d16f2445829fc0a58ca38149ea66edf0dc5395db350a3c775
SHA512 4eead90fea2947bbac0a90a384d45efe9275488bb46aea6cf28dd48019257ede246ce4111f6cb60c7848a2c8ebb4200a7c8f17abd408ebd51f249d998cd22992

C:\Windows\system\TthRaGg.exe

MD5 95512b2cb32fd1ce0e2b0bd0a154bab5
SHA1 36e80d6657a89e12fde8a6b5c97ae637e429a958
SHA256 036a2805e682d5d173bbf2d97e6ed460a59acee80207fe97a1cd04d2c9946a7f
SHA512 78ea515ea67d7e0a1b2ddc8fda7ab315f3065d2a06004c148024c6bcba2f01b400efeaeba8e99c2f346da6830aeacf83d94fa8eb053e25481a84f7a09cee4622

C:\Windows\system\yYrAGzG.exe

MD5 c28d442b15be2493b67131cba044a95b
SHA1 09a6fb11006d2cd036c8e6e668a63f5b856f30fd
SHA256 004aa02824fa74bbb1a2d52a58d673f83a10268c9fb87b84775ca347ea79a55a
SHA512 1c5cc6e418ba22a37790310a4cbf0e04a9aa8c16d891d8ebb3bf4b75683dd9f3d88f0b4f2e192ee7a1425b7bb009dde884947c42bfc23828bf3b5067953d56b9

C:\Windows\system\QXjNdxx.exe

MD5 073f26ae4312221b0fc6aac18f63e761
SHA1 e5b9d91b4c50aa6f7b8024ec4ee7cc6e6cc76a6a
SHA256 4f4c48d62ca78121900853955c62792e0c6d02120825c4e0fed108226cdd3761
SHA512 37fa149ad0513a0bf9b8a68e97b8e3bf9d303643db1f9e7074fd11abe1f412feb6d5f12a4bf04d43e5fc1406119ca2bf7c217d72f69762d873a223712961b479

C:\Windows\system\rPzvBpA.exe

MD5 f987b60c33fb97f450219a14f1f9e15a
SHA1 c40f0c852d5b22ec3fcc734cd68a6db077abf22b
SHA256 b411e689251f00bec1b655985f608f97318496366c48e3127f623dfc026fca24
SHA512 c36a5241b85ae99d88b4f68a1beafb046ab4ec15c340d0006fce1b5fc34ad8a8ccb13b57bf6a3b1880169f70281934ace242ea723ead4a665a33d251d9b1486e

C:\Windows\system\UZYeqVs.exe

MD5 04dffc6dff2656c2d36a576dc30c6989
SHA1 903635599ee9ec89936eab1d41cfc4d5075a7fda
SHA256 f447fc8b990e1e5a7e140f6f67a6b2c53df57873239d64b368186dd02b53bfbe
SHA512 c4c0a21d6f8f61494586817abad44cf50af7fd87c80cae76cee6ec108789b7f2dbc349d1bbb47951c74b12a2e3f06faa2f536fbde757efe65a88e231ce5d271c

C:\Windows\system\wxkhTXQ.exe

MD5 ea81047b63fff40875f77ac4f25b6fff
SHA1 defb286e12fed5c149534a92ef47b59cb559fd89
SHA256 f8224033f02effe5d6a787c08d6843da9932ddfefb9792dc80f8556961672ac8
SHA512 4d20041fef8bc985982e5311febf9c5f588b6ecb138e1461fbd69e19cab3a44740ec5d8ac08531664cb4763a8d87b7339b01c8c10a1d140908d4b69eb6262f27

C:\Windows\system\HydZuKC.exe

MD5 b5ba7183005798bb0a32829eeef8071a
SHA1 c84c175d0bdbfc59aa80e1a8605f91536d970c4a
SHA256 be31a07dad253c91078b3668f2124b59a8ad25f91f0d8da2b711b9f847085803
SHA512 4b640798afbfc0a3971f43e4f3ff2b0e4d43c6a7423b24ef570fb5e66b1cf8c889fac4a32d63ef6f9d826bb39ddc04898303d5f3cbe9dd71f63054676e50ed02

C:\Windows\system\thvABMC.exe

MD5 128659a6a2c0969d09062ca133bd29e3
SHA1 62c7c93add6161db974321042875e298db72f32c
SHA256 67193311c5261858f01d17bc08473a6b6cc8469a4a6113ba6bb61d6fb6912ba9
SHA512 7146a25ad81f6824f34f1d8fe7fabd75289a8a5dfd882449e73697ff9a37e8f8169013418c5d78e36af9920fe8e4f527f952792f60b38d4fe2df195aa3dbc011

C:\Windows\system\rOGsccr.exe

MD5 5d74f2cc5a9b862fc1e49429364cfdcf
SHA1 ff135688a23f99613afde575f0380df938665660
SHA256 255a4666dcbe040c50926ba5f052c6d09ede3704f75a3e27ebebc386418b1003
SHA512 42775695c613c334239c54c17653472f86da99ea42a357a1b79f38d77a70cb3f5cb534fbd74c95d2ea8a6941ed87391260e05902fb44286dc04066be85a9ec90

C:\Windows\system\OLIfnCC.exe

MD5 11e26bc5ebf308fd3832750da9115b04
SHA1 e06f67c2c83f54117117719ed785f4a81fec23d0
SHA256 b683038fbbc32e9d1b51e1488a125f9de565c43fa6ff64db33942a79a7c247c2
SHA512 41b0f7c5bb077ff60a73378a8ecb96c1cb5305a6da8dfaa430bf6ca9c74ab66c57ef4b2a514bd37e068fcd7f504fd1196873b8619d50d758f58f4381a536ec57

C:\Windows\system\TdNdCvN.exe

MD5 707ab656d802923133e1afbe4c3fb284
SHA1 6ad77a80d51fa5ccd293d24b32f9265384c50606
SHA256 61af4c8faee620c604dc086594011c17d2171ff03a1f454b8883f7c10d437f27
SHA512 5691071a58ad32de463672498b44b4679bdd2f80b6ffcb3b11cbff3d4dafd01baf48c5773612063c3aec0767ca5aaea6c62a91841151f57bebad19e6b43eeaac

memory/3036-91-0x000000013F150000-0x000000013F4A4000-memory.dmp

C:\Windows\system\axqrRii.exe

MD5 679d9938d1e8550118c79dc001d568e7
SHA1 5282519f378122d883077d99ebec0fde6b8cae5f
SHA256 b0eb8768635fa29dd3fff27aec80ce01b018353b47ac8b5f5f559679c3d7bda6
SHA512 9dbea5e79732406eddbfeb17e8cf80377ae9b76fb9ca177e9b0920346838aae9c64507284ce1d6849945848f249f3a27eccb0e35cd9a745621550ac809f1a7e4

memory/3036-118-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2560-117-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2640-125-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2388-127-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/3036-133-0x000000013F110000-0x000000013F464000-memory.dmp

memory/3036-132-0x000000013F220000-0x000000013F574000-memory.dmp

memory/3008-131-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/2860-130-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/3036-129-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/2440-128-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/3036-126-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/3036-124-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2516-123-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/3036-122-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/2624-121-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/3036-120-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/2496-119-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/3036-116-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2504-115-0x000000013FDA0000-0x00000001400F4000-memory.dmp

memory/3036-114-0x000000013FDA0000-0x00000001400F4000-memory.dmp

memory/2628-113-0x000000013F310000-0x000000013F664000-memory.dmp

memory/3036-112-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2564-111-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/3036-110-0x0000000002260000-0x00000000025B4000-memory.dmp

memory/2484-108-0x000000013F110000-0x000000013F464000-memory.dmp

memory/3052-107-0x000000013F150000-0x000000013F4A4000-memory.dmp

C:\Windows\system\tyDScNr.exe

MD5 7cdc1b563d148e9afc849b9a3f6faff6
SHA1 2fe183496682a90e8829103a8c7e072eecb19ba3
SHA256 86d9dbb177f34c1a6f39c42d1ed0e009cfb212b5f5c67972538e505c12d4ca49
SHA512 8d86a03f17500f36d0875b420ecf45f31a3cc737dcb5fb86c42bd5db97ffe0bf5e9d5c6ca6ac34a463561b0d7f56379de582aab1f7029cc7d7e0edd7f343eedb

C:\Windows\system\LavJcMB.exe

MD5 6f8a893db128a22fdb60c4d2eb1d7f88
SHA1 e29ca41481f430a2084b2ba2f4276a10cea91c1c
SHA256 94c79ecddbe854830f1fefeaf7a569e590348b61b5bc78f1d13f68b353132359
SHA512 549650c4ace503b26f35b5527947065ef983b4b69fe45e63e2e79c19aeee6e0f0b9ee64fe03537eb3a934cae1a8f2fe30c532eed4788574dcf1269eef5f77778

C:\Windows\system\bUEZgHK.exe

MD5 abe8b66d90493c677ec1d7d8c45af26a
SHA1 f1224c1828034d613f4d513f11204f1986a15a9d
SHA256 3159e9819c2417803ae5d90fe0aab269d617b75557b98f1df62fff1fecebeb07
SHA512 c86119fe47fb7cde7f3a13df267eddb01e26242fcefdb43383d16563743a2c2f5766f4ab342d9625f159cfe422d180516c948aa72df92443e9a898448dd3ad7b

C:\Windows\system\lvFEbYA.exe

MD5 3a817f66e3f090338ca36f6eb2297c70
SHA1 eaa77e748f18613aa27ac523d63e5d2531febe83
SHA256 f586da9931eeabf3040640e3ac332adbc12c3d3a0f0340e63c384969e49eb295
SHA512 61450131a7108c9ff256be3db7fde08cab4629718bd430a890036cd1063abbafa9f1c5e3654bb4749ad521f56a19a1333153afea6689320133779bc8f302dded

memory/3036-134-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/3052-135-0x000000013F150000-0x000000013F4A4000-memory.dmp

memory/2564-138-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/2628-137-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2484-136-0x000000013F110000-0x000000013F464000-memory.dmp

memory/2504-139-0x000000013FDA0000-0x00000001400F4000-memory.dmp

memory/2496-141-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2560-140-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2860-142-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/2516-146-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/3008-145-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/2388-144-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/2440-143-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/2624-148-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/2640-147-0x000000013F1E0000-0x000000013F534000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 11:27

Reported

2024-06-01 11:29

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(table contained 21 identical rows; no indicator, process or target was recorded for any match)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(table contained 21 identical rows; no indicator, process or target was recorded for any match)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(table contained 64 identical rows; no indicator, process or target was recorded for any match)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(table contained 64 identical rows; no indicator, process or target was recorded for any match)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(table contained 64 identical rows; no indicator, process or target was recorded for any match)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\PAClIwK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IBokypP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rFwamDN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HHoWZgw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yokdlBz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\trrShHC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hcclINw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\foJnirX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sWoIXcT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zkIrmVT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EbDXJPT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XeJSRmM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PRBONxL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\trVbduK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jmUJaHS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TJQGOKL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QWSdClF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VDMFwns.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ozpmzaN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dNBuPzi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QZjdKLT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1220 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\XeJSRmM.exe
PID 1220 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\XeJSRmM.exe
PID 1220 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\PAClIwK.exe
PID 1220 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\PAClIwK.exe
PID 1220 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\PRBONxL.exe
PID 1220 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\PRBONxL.exe
PID 1220 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\yokdlBz.exe
PID 1220 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\yokdlBz.exe
PID 1220 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\trVbduK.exe
PID 1220 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\trVbduK.exe
PID 1220 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\VDMFwns.exe
PID 1220 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\VDMFwns.exe
PID 1220 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\IBokypP.exe
PID 1220 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\IBokypP.exe
PID 1220 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\jmUJaHS.exe
PID 1220 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\jmUJaHS.exe
PID 1220 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\trrShHC.exe
PID 1220 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\trrShHC.exe
PID 1220 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\ozpmzaN.exe
PID 1220 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\ozpmzaN.exe
PID 1220 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\TJQGOKL.exe
PID 1220 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\TJQGOKL.exe
PID 1220 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\dNBuPzi.exe
PID 1220 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\dNBuPzi.exe
PID 1220 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\hcclINw.exe
PID 1220 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\hcclINw.exe
PID 1220 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\foJnirX.exe
PID 1220 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\foJnirX.exe
PID 1220 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWoIXcT.exe
PID 1220 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\sWoIXcT.exe
PID 1220 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\QWSdClF.exe
PID 1220 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\QWSdClF.exe
PID 1220 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\rFwamDN.exe
PID 1220 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\rFwamDN.exe
PID 1220 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\QZjdKLT.exe
PID 1220 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\QZjdKLT.exe
PID 1220 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\zkIrmVT.exe
PID 1220 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\zkIrmVT.exe
PID 1220 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\HHoWZgw.exe
PID 1220 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\HHoWZgw.exe
PID 1220 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\EbDXJPT.exe
PID 1220 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe C:\Windows\System\EbDXJPT.exe
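
Worked check, added to this report and not part of the sandbox output: the script below reads rows in the exact format of the three signature tables above (file creation, AdjustPrivilegeToken, WriteProcessMemory), rebuilds the parent-to-child tree and flags the behaviour a hunter would act on: seven-letter randomly named executables written into C:\Windows\System, one parent fanning out into many children that are exactly the files it just dropped, and a request for SeLockMemoryPrivilege, the "lock pages in memory" right needed for large-page allocation and one that XMRig asks for. The sandbox logs two WriteProcessMemory rows per child, which is the normal CreateProcess pattern, so the parser de-duplicates on (parent, child). The row strings are copied from this report (a subset, to keep the block short); the naming pattern, the fan-out threshold and all function names are assumptions.

```python
"""Rebuild the process tree and triage findings from the behavioural
signature rows of this report. Added example, not the sandbox's own code:
row strings are copied from the report (subset); the naming pattern and the
fan-out threshold are assumptions."""
import re
from collections import defaultdict

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42"
           r"_cobalt-strike_cobaltstrike.exe")
SYSTEM_DIR = "C:\\Windows\\System\\"

# "Drops file in Windows directory" rows (subset, copied from the report).
FILE_ROWS = ["File created " + SYSTEM_DIR + n + ".exe " + DROPPER + " N/A"
             for n in ("PAClIwK", "IBokypP", "rFwamDN", "XeJSRmM",
                       "PRBONxL", "yokdlBz", "trVbduK", "VDMFwns")]

# "Suspicious use of WriteProcessMemory" rows (subset). Two writes per child
# is the normal CreateProcess pattern, so the tree is keyed on (parent, child).
WPM_ROWS = ["PID 1220 wrote to memory of %d N/A %s %s%s.exe" % (pid, DROPPER, SYSTEM_DIR, n)
            for pid, n in ((3464, "XeJSRmM"), (3464, "XeJSRmM"), (972, "PAClIwK"),
                           (972, "PAClIwK"), (4532, "PRBONxL"), (4180, "yokdlBz"),
                           (3940, "trVbduK"), (1748, "VDMFwns"))]

# "Suspicious use of AdjustPrivilegeToken" rows (both copied from the report).
TOKEN_ROWS = ["Token: SeLockMemoryPrivilege N/A " + DROPPER + " N/A"] * 2

FILE_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\w+) N/A (\S+) N/A$")
RANDOM_DROP_RE = re.compile(r"^[A-Za-z]{7}\.exe$")  # assumed naming pattern of the drops


def parse_drops(rows):
    """[(created_path, creating_process)] from file-creation rows."""
    return [(m.group(1), m.group(2)) for m in map(FILE_RE.match, rows) if m]


def parse_tree(rows):
    """{(parent_pid, parent_image): {child_pid: child_image}} from WPM rows."""
    tree = defaultdict(dict)
    for m in map(WPM_RE.match, rows):
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            tree[(int(ppid), pimg)][int(cpid)] = cimg  # duplicates collapse here
    return tree


def parse_privileges(rows):
    """{process_image: {privilege, ...}} from AdjustPrivilegeToken rows."""
    privs = defaultdict(set)
    for m in map(TOKEN_RE.match, rows):
        if m:
            privs[m.group(2)].add(m.group(1))
    return privs


def triage(file_rows, wpm_rows, token_rows, fanout_threshold=5):
    """Return a list of (finding, detail...) tuples; threshold is an assumption."""
    findings = []
    drops = parse_drops(file_rows)
    random_drops = [p for p, _ in drops
                    if p.lower().startswith(SYSTEM_DIR.lower())
                    and RANDOM_DROP_RE.match(p.rsplit("\\", 1)[-1])]
    if random_drops:
        findings.append(("random_named_drops_in_windows_system", len(random_drops)))
    for (ppid, pimg), children in parse_tree(wpm_rows).items():
        if len(children) >= fanout_threshold:
            findings.append(("parent_spawn_fanout", ppid, len(children)))
        # Are the children exactly the files this same process dropped?
        dropped = {p.lower() for p, who in drops if who == pimg}
        if dropped and all(c.lower() in dropped for c in children.values()):
            findings.append(("children_are_own_drops", ppid))
    for proc, privs in parse_privileges(token_rows).items():
        if "SeLockMemoryPrivilege" in privs:
            # Large-page allocation right; XMRig requests it for its RandomX scratchpad.
            findings.append(("large_page_privilege", proc.rsplit("\\", 1)[-1]))
    return findings


if __name__ == "__main__":
    for finding in triage(FILE_ROWS, WPM_ROWS, TOKEN_ROWS):
        print(finding)
```

With the full tables from this report the fan-out count is 21 rather than the 6 in the subset; the same three findings fire either way. The filename's "cobalt-strike" label is not used as evidence anywhere in the script: the findings rest on the recorded behaviour only.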

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_fad17acbdd76d145a8deaf2d83e56b42_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\XeJSRmM.exe

C:\Windows\System\XeJSRmM.exe

C:\Windows\System\PAClIwK.exe

C:\Windows\System\PAClIwK.exe

C:\Windows\System\PRBONxL.exe

C:\Windows\System\PRBONxL.exe

C:\Windows\System\yokdlBz.exe

C:\Windows\System\yokdlBz.exe

C:\Windows\System\trVbduK.exe

C:\Windows\System\trVbduK.exe

C:\Windows\System\VDMFwns.exe

C:\Windows\System\VDMFwns.exe

C:\Windows\System\IBokypP.exe

C:\Windows\System\IBokypP.exe

C:\Windows\System\jmUJaHS.exe

C:\Windows\System\jmUJaHS.exe

C:\Windows\System\trrShHC.exe

C:\Windows\System\trrShHC.exe

C:\Windows\System\ozpmzaN.exe

C:\Windows\System\ozpmzaN.exe

C:\Windows\System\TJQGOKL.exe

C:\Windows\System\TJQGOKL.exe

C:\Windows\System\dNBuPzi.exe

C:\Windows\System\dNBuPzi.exe

C:\Windows\System\hcclINw.exe

C:\Windows\System\hcclINw.exe

C:\Windows\System\foJnirX.exe

C:\Windows\System\foJnirX.exe

C:\Windows\System\sWoIXcT.exe

C:\Windows\System\sWoIXcT.exe

C:\Windows\System\QWSdClF.exe

C:\Windows\System\QWSdClF.exe

C:\Windows\System\rFwamDN.exe

C:\Windows\System\rFwamDN.exe

C:\Windows\System\QZjdKLT.exe

C:\Windows\System\QZjdKLT.exe

C:\Windows\System\zkIrmVT.exe

C:\Windows\System\zkIrmVT.exe

C:\Windows\System\HHoWZgw.exe

C:\Windows\System\HHoWZgw.exe

C:\Windows\System\EbDXJPT.exe

C:\Windows\System\EbDXJPT.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
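
Added example, not sandbox output: a classifier for the Network table above. It separates the six repeated TCP connections to 3.120.209.58:8080, made straight to an IP with no preceding DNS answer, from the reverse (PTR) lookups and the Bing telemetry that a clean Windows detonation also produces, and checks whether any reverse-resolved address is one the sample later connected to. Rows are copied from this report; note that rows without a Domain value have only three columns, which the parser handles. The allow-list, the repeat threshold and the function names are assumptions.

```python
"""Classify the Network rows of this report: direct-to-IP beacon candidates
versus DNS and telemetry noise. Added example; rows copied from the report,
allow-list and threshold are assumptions."""
from collections import Counter

# Copied from the Network table of behavioral2, in report order.
NETWORK_ROWS = """\
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
""".splitlines()

# Assumed allow-list: Windows background hosts seen in clean detonations.
ALLOWLIST = {"tse1.mm.bing.net"}


def parse_row(row):
    """(country, 'ip:port', domain or None, proto); rows with no Domain have 3 columns."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        country, dest, proto = parts
        domain = None
    return country, dest, domain, proto


def ptr_to_ip(name):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58'."""
    labels = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(labels))


def summarize(rows, repeat_threshold=3):
    direct = Counter()       # 'ip:port' -> count, TCP with no domain attached
    ptr_ips = []             # addresses the host reverse-resolved
    allowlisted = Counter()
    for row in rows:
        _, dest, domain, proto = parse_row(row)
        if proto == "udp" and dest.endswith(":53") and domain:
            if domain.endswith(".in-addr.arpa"):
                ptr_ips.append(ptr_to_ip(domain))
            continue                      # DNS query, not a connection
        if domain in ALLOWLIST:
            allowlisted[domain] += 1
        elif proto == "tcp" and domain is None:
            direct[dest] += 1
    tcp_ips = {d.rsplit(":", 1)[0] for d in direct}
    return {
        "beacon_candidates": {d: n for d, n in direct.items() if n >= repeat_threshold},
        "ptr_lookups": ptr_ips,
        "resolved_then_connected": sorted(set(ptr_ips) & tcp_ips),
        "allowlisted": dict(allowlisted),
    }


if __name__ == "__main__":
    print(summarize(NETWORK_ROWS))
```

The beacon candidate is reached by hard-coded IP and non-standard port; none of the eleven PTR-resolved addresses overlaps with it, so the reverse lookups do not explain the connection. The sandbox does not record whether the 8080 sessions carried any data, so treat the host as an IOC to block and hunt for, not as a confirmed C2.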

Files

memory/1220-0-0x00007FF6AB190000-0x00007FF6AB4E4000-memory.dmp

memory/1220-1-0x00000166C6B50000-0x00000166C6B60000-memory.dmp

C:\Windows\System\XeJSRmM.exe

MD5 9f272d8ef98bed45ae88482a63327180
SHA1 1863272c2c425e593c21ab32b7ecc988d9ba0d60
SHA256 81330138c309b20dd99de8b8e66a1890565b794dcc1b3a9345b530d4baaa4ff9
SHA512 d59bff23dcf27be313a5572343e7b688f92d4cb2232e52cb1456552d296bb3cad411f8463891f6cc56295c60f66fdb06a1bc6146fb8a7862a2e94410aa988d0a

C:\Windows\System\PAClIwK.exe

MD5 0815d6335d7bd904744f4738631d29dc
SHA1 af94fde2e856d89a18ba73c2021b50862c87da66
SHA256 254dd7d944fdf5f991cdb378e7f99190072b866c69362921239d877c1498d669
SHA512 66bd33149b96fc38a5930533e23a3b063b6a63882e0e33f17a8673c98fc5d9c773e1cb16a2d546a87741f5582f0635652363ed3fba94e5a9d8f1d87e9572c56a

memory/972-14-0x00007FF63DB90000-0x00007FF63DEE4000-memory.dmp

C:\Windows\System\PRBONxL.exe

MD5 86a75ddc23049be7fe7a95340ef27ad7
SHA1 571ba4312feda72ec6ad7742f49ddfdd68946759
SHA256 ec7f8ab154781c675a8b13597044f673ff4067186e14845e42024ff1b2c6b70c
SHA512 698be0d1e2f2453b581576b5619104e05870a575bc8646425641498c311189014183377dabb273908dc540cd7b63e9767ec21a473545c473cb7ec720e3242466

C:\Windows\System\yokdlBz.exe

MD5 f4179ab261f93fb7ec82d4922ec81fe8
SHA1 964e790419f5b58092c8e552aac954590d1aa4c6
SHA256 880ae4eb6b47c12e7f58bb834e6e78e76a7158d4518acf500959db05b605f1c3
SHA512 c71da57ad6bd6c99a43b5fb37f260079603fb826e93e2160edbb70ed174b0d9b1d5db0027ec88142d31f2f40050175f76ab83534184e0b4024ceee9844ab6781

C:\Windows\System\trVbduK.exe

MD5 8bfbf88e3f8cc1440be41018c7ef4557
SHA1 eb39e7bbb275f3d922ee333c72b83af56958362f
SHA256 4f1d0f1776f872d58727081598cd048871df523d39477250a10ce1ce7675f424
SHA512 0438810f16885c2645c0b8de70ade85f5c1d537fb0ac1ae3207f913a73d1641c60d961d7bcb35a618b120bfe87cf3e1a1e0021e856883e620e2a233989ee6cbe

memory/4180-32-0x00007FF677B10000-0x00007FF677E64000-memory.dmp

C:\Windows\System\jmUJaHS.exe

MD5 c65f918f9146f59f24217e02244a62c1
SHA1 38bddce8c6c304e41ebd6b7dca36e547d1b31286
SHA256 d55b0ae3470bbea615fde70aebd9c60df776b5a506785a1f4ef5269810d30cd6
SHA512 26aca79cba7a96c5225aae44a5a2bf4b7e1af55395d922786da9e910b13643afea80aa022a2bf37fc4048b22cba5e2e279239cec8c545f0d2e79cbe152a80a8d

C:\Windows\System\ozpmzaN.exe

MD5 8265e816829079e02d2a2cdb288c93d5
SHA1 04bfa9f896d6ef054788606f2f4721ef99e6641b
SHA256 5fa5a005db7d7204d424d9c083e20e24074d85e0b12dc7e29baf2850c58966ad
SHA512 6f178b763a1d48188c0a738b39163f3821db5bee2c6b5ef36eea4419d2c7d5afb7ac048e5371442d930ed90ef5485539ed6804cb6120215e093d6178d661caa4

C:\Windows\System\dNBuPzi.exe

MD5 82e15f316d9495adaa82b8f1c006fe04
SHA1 98d1f61a7b27f8ba09709e523668bbe32ffa424a
SHA256 06bf14f8a17d99638b3f9defff86d087d579a0a76ea3e498a0a288fef59c9f9a
SHA512 250a1ea74544b12c5e8c5c2056f2d020db2c545f97bc7a162e338685819099cf6e7b66497bfe4e4a13ac5c4036762cd4c38683bf2b62de077204c86f9c1b63b9

C:\Windows\System\hcclINw.exe

MD5 09e2906fdf706e88944756de1053de66
SHA1 55fea1171e3bed1773d49848f5faf7a4e1484750
SHA256 b499fe5c590ff299c68c4d31c8a9d59fbd75e91caa93fd237b413829ee5a0efb
SHA512 6bd50fc5aaf083942fab6aa21a0b546c71480a5b54ed48af087f9b025a72d1004cb7096214605ecc316ff576f300a11068cab81f32594b29bec23db10a961c20

C:\Windows\System\QWSdClF.exe

MD5 3430fec3d20aea92d2310327d5b51a1c
SHA1 ba4dff18183f972de13c6ae0a66776a127033c79
SHA256 d6f6fc8db17d783369a7020bc2f9f71b04fa6b9e8633fe6b835b22f475beb82b
SHA512 ac3ae934d8b2756439f59b3659db29f547140fff83c8b109df0a74d4ef5f4be6cc83b4f4f8869d3953153634a46f9ba1b3d147be0e3de3f02278a13c2e7d033f

memory/2000-93-0x00007FF6B2020000-0x00007FF6B2374000-memory.dmp

memory/5060-104-0x00007FF632A70000-0x00007FF632DC4000-memory.dmp

memory/4620-112-0x00007FF6F2270000-0x00007FF6F25C4000-memory.dmp

memory/5072-116-0x00007FF776970000-0x00007FF776CC4000-memory.dmp

memory/4088-120-0x00007FF795410000-0x00007FF795764000-memory.dmp

memory/4232-124-0x00007FF6676A0000-0x00007FF6679F4000-memory.dmp

memory/1516-126-0x00007FF65D2B0000-0x00007FF65D604000-memory.dmp

memory/3896-125-0x00007FF70E270000-0x00007FF70E5C4000-memory.dmp

memory/2300-123-0x00007FF730B30000-0x00007FF730E84000-memory.dmp

memory/3940-122-0x00007FF66F8C0000-0x00007FF66FC14000-memory.dmp

memory/1780-121-0x00007FF74AC90000-0x00007FF74AFE4000-memory.dmp

memory/1460-119-0x00007FF6D9070000-0x00007FF6D93C4000-memory.dmp

memory/2476-118-0x00007FF620BB0000-0x00007FF620F04000-memory.dmp

memory/1288-117-0x00007FF64F7A0000-0x00007FF64FAF4000-memory.dmp

memory/2256-115-0x00007FF681E10000-0x00007FF682164000-memory.dmp

C:\Windows\System\HHoWZgw.exe

MD5 4015ab07f146372988ec64ed7483b73c
SHA1 c05bac694d57b64c1081dc892acdc5ada986af8f
SHA256 b5843a308d66fa8356f0ca60a56829fded44e7ba29f4773b5048e6c0f7248a43
SHA512 55a35ecfe8cbda40d5730f6330f1921eb44be988ac91ae0c10f40ec1d22cca947c36bf7fde2f18f0d4a4728cc48433588b62a63bb475102dc16109f2da75f537

C:\Windows\System\EbDXJPT.exe

MD5 14c068c1604cf78c2835d0431438f821
SHA1 2a118fe64bca4cb4ea04c9a2b399c7545ddb0cbc
SHA256 20569c6d00338ab997850febac81f5529e0864048b96765edec917c329e94475
SHA512 e2a56e61b66dc726504fe36cb4801edb49fdbee3627a5c13d181bb59f189fe0a12f764063575331ee4e0928bddd471455713709ae1320bbae7c13d35bf8de668

memory/4616-109-0x00007FF76B210000-0x00007FF76B564000-memory.dmp

C:\Windows\System\zkIrmVT.exe

MD5 4329e94c76a7df88ed939632a2fb3ee0
SHA1 4484a5546d669a5311a2572cab7f30c004e26e28
SHA256 fef164660f94c4040f3b90edc2d71e028e0b7bd550dba595cd3d8307bccade72
SHA512 627da1995d43b76bc2d06fdb629a9c64cba21e8e48301f2a7ed813370f9c369b3413d17481fd232bbbfe30815058bc0bb9afdb6d455361097e714d64ca22c716

C:\Windows\System\foJnirX.exe

MD5 47df458851d1c7ffd034f2394abcabc2
SHA1 fef4c0ba47ca0c4f7932257c9c109d3945ff7eb6
SHA256 205706b65fc57bf1fca2dc5ccdc900d5fe00e25cdf4b667fc1cc9272fb149bd3
SHA512 ba1e0d50a271636df04206eaf1826226e1336f9234138c9a6c175e664423ea8069cb2593aedb6e0a741a215224d2204eea2ad77f02d98cd2d796eae2d91ff810

C:\Windows\System\QZjdKLT.exe

MD5 cf237d1ffdbe838dc2a52e8baa96b487
SHA1 01ef1f5dda82ec0cd7e2366fd4d58d90f3c083a6
SHA256 d84aaf76c2b127c4dda636ddfcbefb865fdb7e121609965a25180268cc2cbd1c
SHA512 3fdbcdd325005937d09f9ae3cb33d61da2195d329e6266234205d9efe8023efd093d6f37675f7d44069f748638e70f2ae5a007028bbd1712b7f5df26cda7bc58

C:\Windows\System\rFwamDN.exe

MD5 7730d7f393abc0f8a4a66d1de5a36bcc
SHA1 6b372cf8decb4d2d0f2e3ba78828211057d3ad1c
SHA256 76a268ec28312fcc2414e0110e03336f10fba7686c1567ae322dcccead5e4ab7
SHA512 6ed84ba339baaf200422696b69e46bad322e10ea1cd78f3e375ca677b36a2d7b7d528b76786347aaa3ce8a41694a4f2459d22eb608f8bc4500109c9eb358d538

C:\Windows\System\sWoIXcT.exe

MD5 25a27b6783c075559ab0b4c0b3dd79eb
SHA1 d62a701936f3e8a20d1d1f14770a0cea663d4fd2
SHA256 16b0a75056cecb917011b1e6066962047d19c78e65a298a736103f1d8390599f
SHA512 b0509aec7bec11f7718c899f986e6e717b77e8bd430c10a3a05ee86bc4700cad0935866763754a7c828f3d3812e767bee80ab5e8f1a86205924f3d8d7137a9e2

memory/1748-86-0x00007FF7210F0000-0x00007FF721444000-memory.dmp

C:\Windows\System\TJQGOKL.exe

MD5 995f41799a78a942e230a2f48a295174
SHA1 edd6de37881a0d0ec56527ad5ce00373dbbf82bb
SHA256 1e2ebd3cbad5b77b985478b9ee5ee71a5793230e1655a2316e7ba8cf98076889
SHA512 88aa8d1b673003e428823e84a07e1548bf5fc22a543ce80c3f7d88db071cc5a34780276fc43e79a0428a962504f73b92b4463fa8139c740745d7a3508e15978a

C:\Windows\System\trrShHC.exe

MD5 42294c11f0e2bb5b6cd59d505f37cf63
SHA1 5b2730ba16eeb7553f5cdcb1bf4beb3c9354ad7e
SHA256 72665ada60dcd8729b3a750284b09acf07b812be2b0ef962759e63d633c1fad8
SHA512 0ba2635d6fdb4cf201d93d6345519ad45a764cbe2245e73aeeb03dd4390f1d0ab7b5b746d316111bb9f146a0e79a8bfbba8fd51fae29b38b2a1f4386bc362e53

C:\Windows\System\IBokypP.exe

MD5 a5025509ea791a30f1d17c53aec5d099
SHA1 78a842eabef862a71500b99f79bae7c590856f8c
SHA256 333c639536b7005f352cb26e2f85c3ec9f5092339eaba3f55786892bc8bce760
SHA512 84aa284bcbcc469960af3ec304c9dbd7c64856c429ad9e98b6ad49641d5dba63b21239739e714df80cd2e2b1126139d19296dc192d6b8214ccb41d96f0805daf

C:\Windows\System\VDMFwns.exe

MD5 9b679f5b483dd5111846b6c31a627371
SHA1 4622c1665bf9a211e4d870b5c6248b36500e6c86
SHA256 696ff9b9ffb2cf259ff4ce33f9c248def1fda34c2553f08f4b770e4fb8159a90
SHA512 eba1aef6be49d6b0822447c9d86e2925d995299c9d7ecc5654291f2381722051074150cc5bba95263ed8b9778c23ae1ffbb8004717ad5ab093fb647fafed75a5

memory/4532-18-0x00007FF6A8470000-0x00007FF6A87C4000-memory.dmp

memory/3464-8-0x00007FF6A7440000-0x00007FF6A7794000-memory.dmp

memory/1220-128-0x00007FF6AB190000-0x00007FF6AB4E4000-memory.dmp

memory/972-129-0x00007FF63DB90000-0x00007FF63DEE4000-memory.dmp

memory/4532-130-0x00007FF6A8470000-0x00007FF6A87C4000-memory.dmp

memory/1288-131-0x00007FF64F7A0000-0x00007FF64FAF4000-memory.dmp

memory/3464-132-0x00007FF6A7440000-0x00007FF6A7794000-memory.dmp

memory/972-133-0x00007FF63DB90000-0x00007FF63DEE4000-memory.dmp

memory/4532-134-0x00007FF6A8470000-0x00007FF6A87C4000-memory.dmp

memory/4180-135-0x00007FF677B10000-0x00007FF677E64000-memory.dmp

memory/3940-136-0x00007FF66F8C0000-0x00007FF66FC14000-memory.dmp

memory/1748-137-0x00007FF7210F0000-0x00007FF721444000-memory.dmp

memory/2300-138-0x00007FF730B30000-0x00007FF730E84000-memory.dmp

memory/2000-139-0x00007FF6B2020000-0x00007FF6B2374000-memory.dmp

memory/4616-140-0x00007FF76B210000-0x00007FF76B564000-memory.dmp

memory/5060-141-0x00007FF632A70000-0x00007FF632DC4000-memory.dmp

memory/4620-142-0x00007FF6F2270000-0x00007FF6F25C4000-memory.dmp

memory/2256-143-0x00007FF681E10000-0x00007FF682164000-memory.dmp

memory/1460-145-0x00007FF6D9070000-0x00007FF6D93C4000-memory.dmp

memory/4232-144-0x00007FF6676A0000-0x00007FF6679F4000-memory.dmp

memory/2476-146-0x00007FF620BB0000-0x00007FF620F04000-memory.dmp

memory/4088-148-0x00007FF795410000-0x00007FF795764000-memory.dmp

memory/5072-147-0x00007FF776970000-0x00007FF776CC4000-memory.dmp

memory/1780-149-0x00007FF74AC90000-0x00007FF74AFE4000-memory.dmp

memory/1516-150-0x00007FF65D2B0000-0x00007FF65D604000-memory.dmp

memory/3896-151-0x00007FF70E270000-0x00007FF70E5C4000-memory.dmp

memory/1288-152-0x00007FF64F7A0000-0x00007FF64FAF4000-memory.dmp
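
Added triage example, not sandbox output: every dropped executable in this detonation has a different MD5, yet the main-image dump of every PID spans the same 0x354000 bytes (for instance 0x00007FF6AB4E4000 minus 0x00007FF6AB190000). Grouping the dump artefacts by mapped size across PIDs makes that visible without opening a file and is consistent with the same code mapped at different ASLR bases, while the hash check shows why a hash-only blocklist would miss all but one of the drops. Dump names and hashes are copied from the Files section (a subset); the threshold and function names are assumptions.

```python
"""Group memory-dump artefacts by mapped size and measure hash diversity of
the drops. Added example; artefact names and hashes copied from this report
(subset); the min_pids threshold is an assumption."""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Copied from the Files section of behavioral2 (subset).
DUMPS = [
    "memory/1220-0-0x00007FF6AB190000-0x00007FF6AB4E4000-memory.dmp",
    "memory/1220-1-0x00000166C6B50000-0x00000166C6B60000-memory.dmp",
    "memory/972-14-0x00007FF63DB90000-0x00007FF63DEE4000-memory.dmp",
    "memory/4180-32-0x00007FF677B10000-0x00007FF677E64000-memory.dmp",
    "memory/3464-8-0x00007FF6A7440000-0x00007FF6A7794000-memory.dmp",
    "memory/4532-18-0x00007FF6A8470000-0x00007FF6A87C4000-memory.dmp",
    "memory/1220-128-0x00007FF6AB190000-0x00007FF6AB4E4000-memory.dmp",
]

# MD5s of dropped files, copied from the Files section (subset).
DROPS = {
    "XeJSRmM.exe": "9f272d8ef98bed45ae88482a63327180",
    "PAClIwK.exe": "0815d6335d7bd904744f4738631d29dc",
    "PRBONxL.exe": "86a75ddc23049be7fe7a95340ef27ad7",
    "yokdlBz.exe": "f4179ab261f93fb7ec82d4922ec81fe8",
    "trVbduK.exe": "8bfbf88e3f8cc1440be41018c7ef4557",
}


def parse_dump(name):
    """pid, sequence number, base address and size of one dump artefact."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, seq, lo, hi = m.groups()
    lo, hi = int(lo, 16), int(hi, 16)
    return {"pid": int(pid), "seq": int(seq), "base": lo, "size": hi - lo}


def group_by_size(names):
    """{size: {pid: {base, ...}}}; the same dump taken twice for one PID collapses."""
    groups = defaultdict(lambda: defaultdict(set))
    for n in names:
        d = parse_dump(n)
        if d:
            groups[d["size"]][d["pid"]].add(d["base"])
    return groups


def shared_image_sizes(names, min_pids=3):
    """Region sizes that appear in at least min_pids different processes."""
    return sorted(size for size, pids in group_by_size(names).items()
                  if len(pids) >= min_pids)


def hash_diversity(drops):
    """1.0 means every drop is a distinct binary on disk."""
    return len(set(drops.values())) / len(drops)


if __name__ == "__main__":
    for size in shared_image_sizes(DUMPS):
        print("shared image size 0x%X in PIDs %s" % (size, sorted(group_by_size(DUMPS)[size])))
    print("hash diversity of drops:", hash_diversity(DROPS))
```

Identical region size is a weak signal on its own; before asserting the drops are one payload, confirm it by diffing two of the dumps or comparing a fuzzy hash of the unpacked images, which this report does not include.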