Malware Analysis Report

2025-01-22 19:43

Sample ID 240601-qtel4sde6y
Target 2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike
SHA256 92f43619b2bfac52ae7ce61cd671b85d1a81361c6c11707ad5866b06bbcc3d25
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

92f43619b2bfac52ae7ce61cd671b85d1a81361c6c11707ad5866b06bbcc3d25

Threat Level: Known bad

The file 2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

xmrig

Cobaltstrike

Cobaltstrike family

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 13:32

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 13:32

Reported

2024-06-01 13:35

Platform

win7-20240221-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 hits, all fields N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 hits, all fields N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (56 hits, all fields N/A)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (58 hits, all fields N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A (21 hits)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (56 hits, all fields N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\oGnceRf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zcqBKAB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SrUvJBu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CMftVCO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FrcHUHE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kVtXOeD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GwXBLxR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YZUehNL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\evVQnCR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jCQDlud.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XRTANFd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bdBAWQE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Bbpcupq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\awARTIm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CzGmxSt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ezKfrqJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uyUMdla.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XtfzFhe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IDvRoLQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vbaCKEK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eCFXktP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 3060 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\kVtXOeD.exe
PID 2044 wrote to memory of 2692 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\GwXBLxR.exe
PID 2044 wrote to memory of 2672 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\YZUehNL.exe
PID 2044 wrote to memory of 1328 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\CzGmxSt.exe
PID 2044 wrote to memory of 2680 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\evVQnCR.exe
PID 2044 wrote to memory of 2600 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\ezKfrqJ.exe
PID 2044 wrote to memory of 2184 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\uyUMdla.exe
PID 2044 wrote to memory of 2156 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\oGnceRf.exe
PID 2044 wrote to memory of 1112 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\Bbpcupq.exe
PID 2044 wrote to memory of 2616 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\XtfzFhe.exe
PID 2044 wrote to memory of 2636 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\jCQDlud.exe
PID 2044 wrote to memory of 2756 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\zcqBKAB.exe
PID 2044 wrote to memory of 1584 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\IDvRoLQ.exe
PID 2044 wrote to memory of 2196 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\SrUvJBu.exe
PID 2044 wrote to memory of 1952 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\XRTANFd.exe
PID 2044 wrote to memory of 2152 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\vbaCKEK.exe
PID 2044 wrote to memory of 1620 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\bdBAWQE.exe
PID 2044 wrote to memory of 2200 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\eCFXktP.exe
PID 2044 wrote to memory of 488 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\CMftVCO.exe
PID 2044 wrote to memory of 1752 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\awARTIm.exe
PID 2044 wrote to memory of 1520 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\FrcHUHE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\kVtXOeD.exe

C:\Windows\System\kVtXOeD.exe

C:\Windows\System\GwXBLxR.exe

C:\Windows\System\GwXBLxR.exe

C:\Windows\System\YZUehNL.exe

C:\Windows\System\YZUehNL.exe

C:\Windows\System\CzGmxSt.exe

C:\Windows\System\CzGmxSt.exe

C:\Windows\System\evVQnCR.exe

C:\Windows\System\evVQnCR.exe

C:\Windows\System\ezKfrqJ.exe

C:\Windows\System\ezKfrqJ.exe

C:\Windows\System\uyUMdla.exe

C:\Windows\System\uyUMdla.exe

C:\Windows\System\oGnceRf.exe

C:\Windows\System\oGnceRf.exe

C:\Windows\System\Bbpcupq.exe

C:\Windows\System\Bbpcupq.exe

C:\Windows\System\XtfzFhe.exe

C:\Windows\System\XtfzFhe.exe

C:\Windows\System\jCQDlud.exe

C:\Windows\System\jCQDlud.exe

C:\Windows\System\zcqBKAB.exe

C:\Windows\System\zcqBKAB.exe

C:\Windows\System\IDvRoLQ.exe

C:\Windows\System\IDvRoLQ.exe

C:\Windows\System\SrUvJBu.exe

C:\Windows\System\SrUvJBu.exe

C:\Windows\System\XRTANFd.exe

C:\Windows\System\XRTANFd.exe

C:\Windows\System\vbaCKEK.exe

C:\Windows\System\vbaCKEK.exe

C:\Windows\System\bdBAWQE.exe

C:\Windows\System\bdBAWQE.exe

C:\Windows\System\eCFXktP.exe

C:\Windows\System\eCFXktP.exe

C:\Windows\System\CMftVCO.exe

C:\Windows\System\CMftVCO.exe

C:\Windows\System\awARTIm.exe

C:\Windows\System\awARTIm.exe

C:\Windows\System\FrcHUHE.exe

C:\Windows\System\FrcHUHE.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 connections)

Files

memory/2044-0-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2044-1-0x0000000000180000-0x0000000000190000-memory.dmp

C:\Windows\system\kVtXOeD.exe

MD5 5dba9f98b32ed9ae8b979877cc4faa5f
SHA1 a057d69930e357f58387a80c010e3af84c6d9966
SHA256 6be9ba2edb5f37438ec0e95f993cf484be59b3c0e59350b8b9af78c4da0ddbda
SHA512 5d17ea1b1be08a2eb17cca0960d09936b6b3e058e3c78f11c3af45bbf320da77ba5f14288b314daa3b935507a8365f5416fefa3fa5b00b904fe05b6154d27719

\Windows\system\GwXBLxR.exe

MD5 5f986a69e1c7b5a0be41aaa7b36b8b88
SHA1 b9963f842e69a71e5b0343f25757da7f9edd172e
SHA256 9755a5704d4e997a40b5ff151ad2dc7c565d561c4e2c55c5462437a8db65c384
SHA512 92154195568d9caaa7ed927562386fe03ff68aa7765515c4e5e7383c797ff844b7b53d2374c75635988611ad4089810c8075c55f1f7b180a17040e1c6a3d9d94

memory/3060-9-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2044-8-0x0000000002420000-0x0000000002774000-memory.dmp

memory/2044-14-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/2692-16-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/2672-22-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/1328-29-0x000000013F0F0000-0x000000013F444000-memory.dmp

memory/2680-37-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2044-41-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/2600-42-0x000000013FCF0000-0x0000000140044000-memory.dmp

C:\Windows\system\uyUMdla.exe

MD5 d612265ceb4bf2f54ac22ecaed04767c
SHA1 c66c040ccd11075fa1f5752e57c54900fcd921d3
SHA256 669e198b719f97bb9b10bcb40f22bec07fd51236311088e52829ca0c9ad41cf4
SHA512 a9321539c1fb5a0428346bef9c2994bf570dc7e428da64db9b717045d932e1cd7b4f402cdd50120eaa94ab24f579f2bf354a529cbe09377d81833f41bd58c6f6

memory/2184-51-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2044-57-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2156-58-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/1112-65-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2636-78-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2692-82-0x000000013F900000-0x000000013FC54000-memory.dmp

\Windows\system\CMftVCO.exe

MD5 cb8b7e500c7b8a3947dafcc91150ff69
SHA1 14f8cdc3578a9f9ad44722c1d142acf7afb9d0c9
SHA256 35fede379b7972de0991d81941888bf55b37793b76e4b749c1e3f0ac4266dfdd
SHA512 dd7955207b390397b1a68edb3d8f4b016042cdcc8da038885aab25d9525a6919fd3325329430664831b4ae51c1b48dedea6c947c57998823541eee5fe02de4f0

memory/1328-107-0x000000013F0F0000-0x000000013F444000-memory.dmp

C:\Windows\system\bdBAWQE.exe

MD5 cf4a339a4d11f2d1efe58c1d73c44afd
SHA1 64896372af5d99c6887d1bb0f00801d9744f463f
SHA256 237bb457a7124081aa4a991ed7b759fee8c49a566279984f0a32b0e3f3e5ea83
SHA512 753323c5128c8cffde1d50156146b3d5f528cbaa51e3873853255242295b6fabf9232b7de9b4a601f9f18e00f1547a1b328a8d61006bcab0976c756f64e7c69f

\Windows\system\awARTIm.exe

MD5 af713143be827f23e17ea149d8d3e59f
SHA1 02ac9b36227585f7397cd36dc8eb51c821a16941
SHA256 263725a8345138c0cffd9c946a4b4cce73fd1f5ca8de616c74b5102e0791052e
SHA512 8400adfca35934b261981b6c2748f398bdbb4e4ba3503bfd9f04e96dcf36d29fb1c3a3dcd9166d2608a6c62ac0de3fb7b3a31a117b2e53f91913d54b2d42557f

memory/2044-116-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2196-114-0x000000013FB70000-0x000000013FEC4000-memory.dmp

\Windows\system\eCFXktP.exe

MD5 ed93665d7dc2b46facd8c5730dae58bb
SHA1 ed2d5fffd589572ab4df5eba04f9c078159b9ab1
SHA256 b5ce4a596a5fc6e756a9ff1f651c9032b0d84a98ddcd33d0e0b1d4c15ea337f4
SHA512 a8d09e45c60977f28d13dd6f74ef2c51ee47fab67942c9d5c618520a8ce6ed560e517dd9b7e59206cb16f701b48d5daa78238960199180837185ac1cef9af1f8

\Windows\system\vbaCKEK.exe

MD5 54fe05029d5c5431e6855aa26dcf9916
SHA1 05301b37d80e64c0b5ed4a63f70390837aa3955e
SHA256 9141ac3c9e31bc14fee87922c7fbbc5727a9b132d4067da39b0c7a301cce27c8
SHA512 40e8329f54cc0e03c407978eb05e8a834d34b2e7ad9370370fc6a508cbc4a66b7c8c81437c792f5f5f78bbb3ef81fe2dfdcffd8826a96c6177c118af27c70c77

C:\Windows\system\FrcHUHE.exe

MD5 4dbad1c38c8515716e06726d0528a7f7
SHA1 be563a94f08defdc22a029506eded8d672404372
SHA256 d25ae5b1d75e52f5ba207e25e097653ce2f3aa8e2f9ad234e3fcb3e5f5e39098
SHA512 2fd8ab7e7778776b2c0b65bfee763feec1f7bb42bd4f83c52491d826ad3e616b6ef9a0be916dc82950409fc42576f72469be8a36208a56724d181485b377a23b

C:\Windows\system\SrUvJBu.exe

MD5 f4fd92179121e1c358d89b003ce74c74
SHA1 54b334fb44891891983a1a9591324c403401a283
SHA256 7146074374468bf13ef3a012beb4d48cc38a813947e5184f9cdebaf743d969e7
SHA512 18f0a5eddad0b8725914f385c7a9f1c86517477579e5f08f0711a03e25903836df2e2c44d6ca7735f53884ca79f4b3f3944713cf44c1373a60f0831ea3e6adc9

memory/2044-111-0x000000013FB70000-0x000000013FEC4000-memory.dmp

C:\Windows\system\XRTANFd.exe

MD5 54311a46d26abd4bc83f76c4b9f2f0e0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 13:32

Reported

2024-06-01 13:35

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HRvJrYO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hRpTFYV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zClryir.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jykXsSV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nFNKgxw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jcxQPlH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NWwcghX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WpExRUF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kzkwJte.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CeKLIbT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EGPGanN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QlcecSU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uEaaPgQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\seOjAlj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vugGTVn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SfQJNgG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DjRwVbj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HNYXbbB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DLgraHj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PMLdIRK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pohuHFr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4376 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\nFNKgxw.exe
PID 4376 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\SfQJNgG.exe
PID 4376 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\HRvJrYO.exe
PID 4376 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\kzkwJte.exe
PID 4376 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\CeKLIbT.exe
PID 4376 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\hRpTFYV.exe
PID 4376 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\DjRwVbj.exe
PID 4376 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\HNYXbbB.exe
PID 4376 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\DLgraHj.exe
PID 4376 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\jcxQPlH.exe
PID 4376 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\NWwcghX.exe
PID 4376 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\zClryir.exe
PID 4376 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMLdIRK.exe
PID 4376 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\uEaaPgQ.exe
PID 4376 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\WpExRUF.exe
PID 4376 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\EGPGanN.exe
PID 4376 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\seOjAlj.exe
PID 4376 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\jykXsSV.exe
PID 4376 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\vugGTVn.exe
PID 4376 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\pohuHFr.exe
PID 4376 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe C:\Windows\System\QlcecSU.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_732ab3eb6b51412136007ad016e31fec_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\nFNKgxw.exe

C:\Windows\System\SfQJNgG.exe

C:\Windows\System\HRvJrYO.exe

C:\Windows\System\kzkwJte.exe

C:\Windows\System\CeKLIbT.exe

C:\Windows\System\hRpTFYV.exe

C:\Windows\System\DjRwVbj.exe

C:\Windows\System\HNYXbbB.exe

C:\Windows\System\DLgraHj.exe

C:\Windows\System\jcxQPlH.exe

C:\Windows\System\NWwcghX.exe

C:\Windows\System\zClryir.exe

C:\Windows\System\PMLdIRK.exe

C:\Windows\System\uEaaPgQ.exe

C:\Windows\System\WpExRUF.exe

C:\Windows\System\EGPGanN.exe

C:\Windows\System\seOjAlj.exe

C:\Windows\System\jykXsSV.exe

C:\Windows\System\vugGTVn.exe

C:\Windows\System\pohuHFr.exe

C:\Windows\System\QlcecSU.exe

Network


Files
