Malware Analysis Report

2024-10-24 18:16

Sample ID 240606-3ca9ksde2x
Target 2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike
SHA256 df0b9a534d45764fd14bac8531c59bed3907f4a5d7b695ac044d60f4992896be
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

df0b9a534d45764fd14bac8531c59bed3907f4a5d7b695ac044d60f4992896be

Threat Level: Known bad

The file 2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

Cobaltstrike

Cobaltstrike family

XMRig Miner payload

Xmrig family

xmrig

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 23:21

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 23:21

Reported

2024-06-06 23:24

Platform

win7-20240221-en

Max time kernel

137s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches; description, indicator, process and target are N/A for every row

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches; description, indicator, process and target are N/A for every row

UPX dump on OEP (original entry point)

Description Indicator Process Target
56 matches; description, indicator, process and target are N/A for every row

XMRig Miner payload

miner
Description Indicator Process Target
60 matches; description, indicator, process and target are N/A for every row

Loads dropped DLL

Description Indicator Process Target
21 matches, all in process C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe; description, indicator and target are N/A for every row

UPX packed file

upx
Description Indicator Process Target
56 matches; description, indicator, process and target are N/A for every row

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\MKZSvtY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AjLkJPC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KZLFmZL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MvmxSFO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jgNUVjn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kuaCwXt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mrdcjnH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZNRAYqg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bNPDhdK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mRqntGl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qovqMFe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XuAiQVQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gFTDBYB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XmMZceg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zrBrvyw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pAFmoFY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FbClxMG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cTIQZfP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VhWtUqm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EVEYOdY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gKjrVQA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe (PID 3064); Indicator N/A for every row. The report lists three separate writes per child; they are summed below.
PID 3064 wrote to memory of 1872 (3 writes)  Target: C:\Windows\System\VhWtUqm.exe
PID 3064 wrote to memory of 1988 (3 writes)  Target: C:\Windows\System\pAFmoFY.exe
PID 3064 wrote to memory of 2516 (3 writes)  Target: C:\Windows\System\ZNRAYqg.exe
PID 3064 wrote to memory of 2620 (3 writes)  Target: C:\Windows\System\FbClxMG.exe
PID 3064 wrote to memory of 2540 (3 writes)  Target: C:\Windows\System\cTIQZfP.exe
PID 3064 wrote to memory of 2716 (3 writes)  Target: C:\Windows\System\MvmxSFO.exe
PID 3064 wrote to memory of 2584 (3 writes)  Target: C:\Windows\System\EVEYOdY.exe
PID 3064 wrote to memory of 2448 (3 writes)  Target: C:\Windows\System\jgNUVjn.exe
PID 3064 wrote to memory of 2416 (3 writes)  Target: C:\Windows\System\bNPDhdK.exe
PID 3064 wrote to memory of 1612 (3 writes)  Target: C:\Windows\System\qovqMFe.exe
PID 3064 wrote to memory of 2760 (3 writes)  Target: C:\Windows\System\gKjrVQA.exe
PID 3064 wrote to memory of 2828 (3 writes)  Target: C:\Windows\System\kuaCwXt.exe
PID 3064 wrote to memory of 356 (3 writes)   Target: C:\Windows\System\mRqntGl.exe
PID 3064 wrote to memory of 1440 (3 writes)  Target: C:\Windows\System\MKZSvtY.exe
PID 3064 wrote to memory of 1552 (3 writes)  Target: C:\Windows\System\AjLkJPC.exe
PID 3064 wrote to memory of 1276 (3 writes)  Target: C:\Windows\System\XuAiQVQ.exe
PID 3064 wrote to memory of 1604 (3 writes)  Target: C:\Windows\System\gFTDBYB.exe
PID 3064 wrote to memory of 1364 (3 writes)  Target: C:\Windows\System\KZLFmZL.exe
PID 3064 wrote to memory of 1348 (3 writes)  Target: C:\Windows\System\XmMZceg.exe
PID 3064 wrote to memory of 2732 (3 writes)  Target: C:\Windows\System\mrdcjnH.exe
PID 3064 wrote to memory of 2656 (3 writes)  Target: C:\Windows\System\zrBrvyw.exe
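
Analyst note (added here; not part of the sandbox output). The three tables above describe one pattern from three angles: the sample, running from the user's Temp directory, creates 21 executables with random seven-letter names under C:\Windows\System, writes into the memory of each of those children, and enables SeLockMemoryPrivilege, the right a process needs to allocate large (huge) pages and which XMRig enables to back its RandomX memory. The Python below is an example written for this report, not code from the sandbox or from the sample; it takes the signature rows copied from this section (only the first three children, to keep it short), groups them per parent and emits the findings an analyst would record. The path regexes are this example's own assumptions, not sandbox rules.

```python
import re
from collections import Counter

# Parent sample path exactly as it appears in this report.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe")

# Rows copied from the behavioral1 signature tables above, as
# (signature, description, process, target); only the first three children are included.
SIGNATURE_ROWS = [
    ("Drops file in Windows directory", "File created", DROPPER, r"C:\Windows\System\VhWtUqm.exe"),
    ("Drops file in Windows directory", "File created", DROPPER, r"C:\Windows\System\pAFmoFY.exe"),
    ("Drops file in Windows directory", "File created", DROPPER, r"C:\Windows\System\ZNRAYqg.exe"),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeLockMemoryPrivilege", DROPPER, "N/A"),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeLockMemoryPrivilege", DROPPER, "N/A"),
] + [
    ("Suspicious use of WriteProcessMemory", f"PID 3064 wrote to memory of {pid}", DROPPER, target)
    for pid, target in ((1872, r"C:\Windows\System\VhWtUqm.exe"),
                        (1988, r"C:\Windows\System\pAFmoFY.exe"),
                        (2516, r"C:\Windows\System\ZNRAYqg.exe"))
    for _ in range(3)  # the report lists three writes per child
]

# Path patterns are this example's own assumptions, not sandbox rules.
RANDOM_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")


def correlate(rows):
    """Group the flat signature rows into what they say about the parent.

    Returns a dict with
      dropped: set of paths created under the Windows directory
      writes:  Counter of (child_pid, child_path) -> WriteProcessMemory calls
      privs:   set of token privileges the parent enabled
    """
    dropped, writes, privs = set(), Counter(), set()
    for signature, description, _process, target in rows:
        if signature == "Drops file in Windows directory" and description == "File created":
            dropped.add(target)
        elif signature == "Suspicious use of WriteProcessMemory":
            m = WRITE_RE.match(description)
            if m:
                writes[(int(m.group(2)), target)] += 1
        elif signature == "Suspicious use of AdjustPrivilegeToken":
            if description.startswith("Token: "):
                privs.add(description[len("Token: "):])
    return {"dropped": dropped, "writes": writes, "privs": privs}


def assess(rows, parent=DROPPER):
    """Turn the grouped facts into the findings an analyst would write up."""
    facts = correlate(rows)
    findings = []
    random_named = {p for p in facts["dropped"] if RANDOM_SYSTEM_EXE.match(p)}
    if random_named and USER_WRITABLE.match(parent):
        findings.append(f"parent in a user-writable path dropped {len(random_named)} "
                        "randomly named executables into C:\\Windows\\System")
    written = {path for _pid, path in facts["writes"]}
    overlap = written & facts["dropped"]
    if overlap:
        findings.append(f"parent wrote into the memory of {len(overlap)} of its own dropped children")
    if "SeLockMemoryPrivilege" in facts["privs"]:
        # SeLockMemoryPrivilege is required for large-page allocations; XMRig enables it
        # to back its RandomX memory with huge pages, which is why it sits next to the miner hit.
        findings.append("SeLockMemoryPrivilege enabled: consistent with a huge-page-using miner such as XMRig")
    return findings


if __name__ == "__main__":
    for finding in assess(SIGNATURE_ROWS):
        print("-", finding)
```

Feeding all 21 children from the tables above instead of the three-child subset changes only the counts in the findings; the parent, the privilege and the write pattern are the same for every row.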

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\VhWtUqm.exe

C:\Windows\System\VhWtUqm.exe

C:\Windows\System\pAFmoFY.exe

C:\Windows\System\pAFmoFY.exe

C:\Windows\System\ZNRAYqg.exe

C:\Windows\System\ZNRAYqg.exe

C:\Windows\System\FbClxMG.exe

C:\Windows\System\FbClxMG.exe

C:\Windows\System\cTIQZfP.exe

C:\Windows\System\cTIQZfP.exe

C:\Windows\System\MvmxSFO.exe

C:\Windows\System\MvmxSFO.exe

C:\Windows\System\EVEYOdY.exe

C:\Windows\System\EVEYOdY.exe

C:\Windows\System\jgNUVjn.exe

C:\Windows\System\jgNUVjn.exe

C:\Windows\System\bNPDhdK.exe

C:\Windows\System\bNPDhdK.exe

C:\Windows\System\qovqMFe.exe

C:\Windows\System\qovqMFe.exe

C:\Windows\System\gKjrVQA.exe

C:\Windows\System\gKjrVQA.exe

C:\Windows\System\kuaCwXt.exe

C:\Windows\System\kuaCwXt.exe

C:\Windows\System\mRqntGl.exe

C:\Windows\System\mRqntGl.exe

C:\Windows\System\MKZSvtY.exe

C:\Windows\System\MKZSvtY.exe

C:\Windows\System\AjLkJPC.exe

C:\Windows\System\AjLkJPC.exe

C:\Windows\System\XuAiQVQ.exe

C:\Windows\System\XuAiQVQ.exe

C:\Windows\System\gFTDBYB.exe

C:\Windows\System\gFTDBYB.exe

C:\Windows\System\KZLFmZL.exe

C:\Windows\System\KZLFmZL.exe

C:\Windows\System\XmMZceg.exe

C:\Windows\System\XmMZceg.exe

C:\Windows\System\mrdcjnH.exe

C:\Windows\System\mrdcjnH.exe

C:\Windows\System\zrBrvyw.exe

C:\Windows\System\zrBrvyw.exe

Network

Country  Destination         Domain  Proto
DE       3.120.209.58:8080   -       tcp
DE       3.120.209.58:8080   -       tcp
DE       3.120.209.58:8080   -       tcp
DE       3.120.209.58:8080   -       tcp
DE       3.120.209.58:8080   -       tcp
DE       3.120.209.58:8080   -       tcp
(Domain is empty for every row: the connections went to the address directly, with no resolved name recorded.)
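
Analyst note (added here; not part of the sandbox output). Six connections to the same address and port, none preceded by a name lookup, is the shape a hard-coded beacon leaves in connection logs. The Python below is an example written for this report, not sandbox or sample code: it runs that check over a constructed stream of DNS and connection events (the sample events are made up for the example; only the destination address and port come from the table above) and keeps the destinations that are both unresolved and repeatedly contacted.

```python
from collections import Counter

# Destination taken from the Network table of this report.
DST_IP, DST_PORT = "3.120.209.58", 8080

# Constructed sample events in the order they were seen (not sandbox output).
# A "dns" event is (time, "dns", source, query name, answer IP);
# a "conn" event is (time, "conn", source, destination IP, destination port).
SAMPLE_EVENTS = [
    ("23:21:40", "dns",  "10.0.0.5", "update.example.test", "93.184.216.34"),
    ("23:21:41", "conn", "10.0.0.5", "93.184.216.34", 443),
    ("23:21:50", "conn", "10.0.0.5", DST_IP, DST_PORT),
    ("23:22:05", "conn", "10.0.0.5", DST_IP, DST_PORT),
    ("23:22:20", "conn", "10.0.0.5", DST_IP, DST_PORT),
    ("23:22:35", "conn", "10.0.0.5", DST_IP, DST_PORT),
    ("23:22:50", "conn", "10.0.0.5", DST_IP, DST_PORT),
    ("23:23:05", "conn", "10.0.0.5", DST_IP, DST_PORT),
    ("23:23:10", "conn", "10.0.0.5", "93.184.216.34", 443),
]


def direct_ip_connections(events):
    """Return the conn events whose destination IP was never a DNS answer
    earlier in the stream, i.e. the client connected to a hard-coded address."""
    resolved, direct = set(), []
    for ev in events:
        if ev[1] == "dns":
            resolved.add(ev[4])
        elif ev[1] == "conn" and ev[3] not in resolved:
            direct.append(ev)
    return direct


def repeated_destinations(events, min_count=3):
    """Count connections per (source, destination IP, port) and keep the ones
    that recur at least min_count times."""
    counts = Counter((ev[2], ev[3], ev[4]) for ev in events if ev[1] == "conn")
    return {key: n for key, n in counts.items() if n >= min_count}


def beacon_candidates(events, min_count=3):
    """Destinations that are both hard-coded (no DNS answer) and repeatedly contacted."""
    direct = {(ev[2], ev[3], ev[4]) for ev in direct_ip_connections(events)}
    return {key: n for key, n in repeated_destinations(events, min_count).items() if key in direct}


if __name__ == "__main__":
    for (src, dst, port), n in beacon_candidates(SAMPLE_EVENTS).items():
        print(f"{src} -> {dst}:{port}: {n} connections, no DNS resolution seen")
```

The DNS correlation is what keeps ordinary CDN or update traffic out of the result: the 93.184.216.34 connections in the sample recur too, but they follow a lookup and are not reported.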

Files

memory/3064-0-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/3064-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\VhWtUqm.exe

MD5 0100ed89ca85ca6cc934570271909710
SHA1 5e4a78b3492b72319b540476f4fddd32cfc23fe9
SHA256 85d642d0e0880e9458b27f273d35186aa4732b5151d06c2871f7a3011aa39f8a
SHA512 11369124a37cb3266897c41915e56c24a390e1c31a0c41878bd3599e88a689591177104c796253a7841a601f76751696a35be9cfef40a188b9829607c6751bd9

memory/1872-9-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

memory/3064-8-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

\Windows\system\pAFmoFY.exe

MD5 b0127299f797cb7bd681d12fa6dab5ff
SHA1 aacf63bfb99664e16b4a8627932d2d049b63517c
SHA256 0b9a1c3dccf5b1af7bc6a5667d5c62792a49d10529e505711b778f45973c2693
SHA512 7852a19b241883a395c23924874bd741f113ff345ea1af87fd6ba9ba55b0cc265cc25d3b42ad03a0ce6cfa5ede6da06625e647daf809aaedcce45f02042bfb02

C:\Windows\system\ZNRAYqg.exe

MD5 bdc8ec587c9592411e85a4c7179f4c12
SHA1 09c71b12fe6f8630efe110f8312986e2107cfa1f
SHA256 943f8681659e19da74dcf1ffd2447eb01cbeb008f5f3419e160e5f1002a81890
SHA512 a4601201729a74365050b9510f5ccecd91a9d97106a76b439e0d6884937be64a89c011fcc5f3abb1362315725827b54622dadeab08b8f95b5c509022ea0399b7

memory/1988-17-0x000000013FAC0000-0x000000013FE14000-memory.dmp

C:\Windows\system\FbClxMG.exe

MD5 78ad31ea7881758071a52c3966f27883
SHA1 e1fbf9c111e63c525f649aa57a8badea9d888870
SHA256 17c1ef031ceb4c6be63a119b9052ab8ff5348d51beed930fb022705ff791c7df
SHA512 b943e171acdbe12ffff845f20015eb81e8b96133a12d1510b77a1b42c2dd5b67e3b829b00feb520c0e23ee97f8143530f00a2404e551cd78fb676472cdade0e5

memory/3064-28-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2620-29-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2516-27-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/3064-23-0x00000000024B0000-0x0000000002804000-memory.dmp

C:\Windows\system\cTIQZfP.exe

MD5 5c71b5b79d7001baee359e39aad94b38
SHA1 63a34dd07310630308e1645c678164140887ecde
SHA256 a94dcbe1e3981f47ffdb4bbafd014add391a2579b37ff056b71de14d8691caed
SHA512 cfb31b71d25668be2d022c402eceb68ad7088406d6f4bf14f19e609266635df44425aa3b981c2fd09ebfd74ccb5f462144a98a384cb151b0589470ade3867107

memory/2540-39-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2716-43-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/3064-41-0x00000000024B0000-0x0000000002804000-memory.dmp

C:\Windows\system\MvmxSFO.exe

MD5 1d9dd2919111dd9f3bfabf9e80584386
SHA1 41400fc2ecd2ed52a67053298bb17e567416e115
SHA256 14c03cb6e6e598a544b6c1d2a08179923a4e969c0d6bd257fc898e69eb745d5b
SHA512 320843660e280c2af163eaabd84c322ca9db518824361e6f11dff997e7663372d2a7db0f5532df7a42754abdce8c371ae265eb104584eae15ee31c03bc5e9afc

memory/3064-37-0x000000013F240000-0x000000013F594000-memory.dmp

\Windows\system\jgNUVjn.exe

MD5 705eeebe0dbe59d458eedb91aaf080ce
SHA1 0a4c7a3fae9ace2503404ba7c2a5df4ed65539a9
SHA256 37f17c085cd9b04e05f553e100bddfa4603644fe878f9655a37e339eebc1cba7
SHA512 c8fc5b85df87b8d634a4203cbb6f0d772bfcac88f37e4dd75a4206092d4326ca5dfa26a4b676df8c70430934ffde38bc5e4b52ff7931e9b2dcd90aeeab38ee9f

memory/2584-55-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/3064-63-0x000000013F8C0000-0x000000013FC14000-memory.dmp

memory/3064-62-0x000000013FF10000-0x0000000140264000-memory.dmp

C:\Windows\system\bNPDhdK.exe

MD5 208dafa074ac123d00c12fe271a57d0a
SHA1 930d77c9250f26ccb1c1d33f9380500dc4c533e0
SHA256 4ba1d706e8b2d347c0d2b40ff36a58f51a692bc7454a32fe9649f330c9aa7a7c
SHA512 89f427a50a5f13283c166ec3d3eba3d0614b61920042e56cf127f4d6c3cff039f75411dc9865f57f4e145e2e26cc4faf13c9c732cc82afc57e65677afb2b03ba

memory/2416-64-0x000000013F8C0000-0x000000013FC14000-memory.dmp

memory/2448-57-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/3064-48-0x000000013F970000-0x000000013FCC4000-memory.dmp

C:\Windows\system\EVEYOdY.exe

MD5 2192f64625de8bd09eb425b5301a53b3
SHA1 81745742c0e2e52aa5e0024579df1ed049630a0e
SHA256 117f07a23d113bc08d670c6da11fd8a42773dfe616f0c642dd38ad3b8b6fc188
SHA512 919e65ecafb5947f4ad15bc02a49173f3065035e3893aab5edb163a6cd0961b4f9476900a8537ac953665c3f51f1e5f21ab913255b2ec3843c71a91b2d72b637

memory/2516-71-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/1612-73-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/3064-72-0x00000000024B0000-0x0000000002804000-memory.dmp

memory/1988-70-0x000000013FAC0000-0x000000013FE14000-memory.dmp

C:\Windows\system\qovqMFe.exe

MD5 58c1e6e18ccec45d6d879e861730424d
SHA1 53118d970a4e39eebced1c55a27c5e996914a982
SHA256 cb39a2da033074d851c84675ecc539970a7c926b939d80fe3cd639e0b922d7f5
SHA512 b0c723e5551d7854706c2ffbc2fc96b9cc8ac18c8b278dd19301c28833e6778161b7fa7023b4190c72b9bb568b458eae651a53b7c948e224636dd024d3104bc1

C:\Windows\system\gKjrVQA.exe

MD5 e90dd655ca19fca58cbf5bdf97323c0c
SHA1 047a0d9076969b34d8f13c4f2d48f38258dd5f8c
SHA256 7b85a3ac91ed9dea9392ae106b4bac4fe85cba7a52c37ce75273cc1440f1d1b8
SHA512 4fb7d60ed3211ba8572ded330ae1f26399520215b0b46d32eb51ee278fb357bde14dfe7174b9d95a8869c5bbb53d276965a4242c782b7480649fa328a2e55a04

memory/2760-80-0x000000013FDC0000-0x0000000140114000-memory.dmp

memory/3064-79-0x00000000024B0000-0x0000000002804000-memory.dmp

\Windows\system\kuaCwXt.exe

MD5 170a47f9b4a1dc7eb15bea2c43292a41
SHA1 fecde0ca5a01c6f254cae05c30be2e5b9f032b35
SHA256 9713dddeb97eefe481abca3573ac93f5fd761caafda183f3df1a3f36157bda35
SHA512 0222c9df203bdc27d82429d961dca6a7c6105ebed7c89448a2c4ae86106ead1ea55ba49361791417becfad44545319986372bf73d97733ef85cff39c55e41711

\Windows\system\MKZSvtY.exe

MD5 182fc86a57c54b602e536edf176ebbf9
SHA1 5facedafd825d7f6309b9a34e48fd9531b4e37cf
SHA256 613c78104e5d75cb74ec0bacfa2cef593e6295732d11029797b679dbb5af9df7
SHA512 72084e11dcc41eaa7d9b2d26dc64edf58898c6d324f2102b429392be4d4e2e2302bb1ce7efd97cc8b6a049d3ea90e52b8f9c71773b676d8a873ae4f1f158c9c5

\Windows\system\XuAiQVQ.exe

MD5 124c950ae78f448f63a9a44787f405c3
SHA1 c84522c446af821dd59f3b0d5f3308b6af780c00
SHA256 843ce5175d1f0c3281ccc62c50df2318a8d57c137466f8684a9cfb4438e90869
SHA512 8f95a15d007c03d205756132ffbc884818641b874c87bb73e10cd10b760c1a1debcdfe620fdb67a51e89490de80bd8d422ac717bf07e0c50dd4c0cc058db2b89

memory/3064-116-0x000000013F4E0000-0x000000013F834000-memory.dmp

C:\Windows\system\mrdcjnH.exe

MD5 7edc3c51d81942541062a40612988b76
SHA1 82622a401fa47cfd39f9756eee95967d64048cdb
SHA256 4e7e40681a98167046dfe9e4d1e264eb642d0d0772e16fc970976387727cac01
SHA512 e0be8d7cd2756fb5c43e41e4d6b08fb23e584ff1c0d870584a2b0de66962451305233c200a5f8267e5889a03e7541b4c3d376dc2c8d766cbfd9a866372fa2b04

C:\Windows\system\AjLkJPC.exe

MD5 c90e3d285dde457c334949a87667cbb2
SHA1 0f700664d3e736a0b9c8159acabafe615bb031ca
SHA256 55fefc5b5afe80b56a060ac8c154de86114b630add8cbb1dcf0a9ea52f756fc8
SHA512 e06d8ef9116a55110f29cc4dd87842bc8e322e18e36fae77a3da13993b033de6f5bafe33325d5ede3bdcdac81ed702b1c9cf4b116765a42283b3dbab91182012

\Windows\system\zrBrvyw.exe

MD5 6cd961357a4249f5aa062c35d0e8eb56
SHA1 4fb9e4acd1a8ed9e91ea585205b01de461b6bac2
SHA256 ec6f2bbdf4286454a52c024eb5ffe76f49d42ebed05399b97282b5bebd10b677
SHA512 25a07031e308207984c8d034f13bb9eb42e28b6ee52e33742d216f28898c553052ab40bd0656ee641bce89fc50e40b6ba90196199b8820da8d69cd08c9a28b8c

C:\Windows\system\KZLFmZL.exe

MD5 cd8a478ee3e049c8a1e4fbc4752b6b83
SHA1 58a992a49c1f91f89b9dafa89ed31aca73e0dd8e
SHA256 27070b9d706835898dae6c7abc29f0c220156d048433edf3b8d0ffecbed10c89
SHA512 f0b0c82d1435919ba0b075489cc3833f3c8f6e13364411af93201007ae7723fbf2d855988dd1c75edb05b0a8169b478b2f2c2cf8a2a06aeba3caa0cf240624cd

\Windows\system\XmMZceg.exe

MD5 1de31ea9beea17367eb250ef6264c9af
SHA1 b1ae33c0956f2c4ab5f14fb2348a11527f6ad796
SHA256 2d699c3d301c0fb12c15e40cfb87b3a7c2ae5d6ad3379ee16c5399a931dbdb26
SHA512 0f6bae68fab302e9b5d6e662b1a4f7b1e22c9b4c165af291e01e9602e507dc66120e77f605821181ecfe40661a52d17098cebadc4e2ae50847b3b800c24223df

\Windows\system\gFTDBYB.exe

MD5 fe928464de8d5c2f66f49ee7502e04f3
SHA1 23a1a134cf0ec715c3076d25e05a091535cdb429
SHA256 05ad5afd509c61767a9c27670f662d4b2715ace8d825fc3b631717a3a7d3a7be
SHA512 34ad223da3d624b52dec9217f70dec63d19cf103f0800c47d5094df7d0c083c6fb0ce9e549a538edf48e3173aa942ae8e42fbf587f3c34c9b1235a864360ecce

C:\Windows\system\mRqntGl.exe

MD5 a06132dc81d54ee139e985d31e1877f9
SHA1 d3efd3c8396985e79c67d6e9967148353be64660
SHA256 cc51e3e73b7a7cba13e4b7102e46c459170c3f686848140fe0d7b36113adc609
SHA512 7264dbdfa10b0def34f317ff576d8299ccae0764c253ddbbc9c7a2bb0694d2b004413b67ddd754dc0bca73a390a85b151c8d387dd5113e4c4f63e73b6420ba9e

memory/3064-129-0x000000013F020000-0x000000013F374000-memory.dmp

memory/2828-128-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/356-127-0x000000013F140000-0x000000013F494000-memory.dmp

memory/1440-124-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/3064-123-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/3064-122-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2540-106-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2716-135-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/3064-134-0x00000000024B0000-0x0000000002804000-memory.dmp

memory/2584-140-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/1872-141-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

memory/1988-142-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2620-144-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2516-143-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2540-145-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2716-146-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2448-147-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2584-148-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2416-149-0x000000013F8C0000-0x000000013FC14000-memory.dmp

memory/1612-150-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2760-151-0x000000013FDC0000-0x0000000140114000-memory.dmp

memory/2828-152-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/1440-153-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/356-154-0x000000013F140000-0x000000013F494000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 23:21

Reported

2024-06-06 23:24

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 hits; Description, Indicator, Process and Target are N/A for every hit.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 hits; Description, Indicator, Process and Target are N/A for every hit.

UPX dump on OEP (original entry point)

Description Indicator Process Target
64 hits; Description, Indicator, Process and Target are N/A for every hit.

XMRig Miner payload

miner
Description Indicator Process Target
64 hits; Description, Indicator, Process and Target are N/A for every hit.

UPX packed file

upx
Description Indicator Process Target
64 hits; Description, Indicator, Process and Target are N/A for every hit.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\bNPDhdK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qovqMFe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gKjrVQA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gFTDBYB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KZLFmZL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XmMZceg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cTIQZfP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EVEYOdY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AjLkJPC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zrBrvyw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZNRAYqg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pAFmoFY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jgNUVjn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kuaCwXt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mRqntGl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MKZSvtY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VhWtUqm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MvmxSFO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XuAiQVQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mrdcjnH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FbClxMG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the privilege Windows requires for large-page allocations (VirtualAlloc with MEM_LARGE_PAGES). XMRig enables it so that RandomX can back its dataset with large pages, so this hit, requested by the dropper process itself, is consistent with the XMRig Miner payload signature above.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4612 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\VhWtUqm.exe
PID 4612 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\VhWtUqm.exe
PID 4612 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\pAFmoFY.exe
PID 4612 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\pAFmoFY.exe
PID 4612 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZNRAYqg.exe
PID 4612 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZNRAYqg.exe
PID 4612 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\FbClxMG.exe
PID 4612 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\FbClxMG.exe
PID 4612 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\cTIQZfP.exe
PID 4612 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\cTIQZfP.exe
PID 4612 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\MvmxSFO.exe
PID 4612 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\MvmxSFO.exe
PID 4612 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\EVEYOdY.exe
PID 4612 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\EVEYOdY.exe
PID 4612 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\jgNUVjn.exe
PID 4612 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\jgNUVjn.exe
PID 4612 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bNPDhdK.exe
PID 4612 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bNPDhdK.exe
PID 4612 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\qovqMFe.exe
PID 4612 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\qovqMFe.exe
PID 4612 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\gKjrVQA.exe
PID 4612 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\gKjrVQA.exe
PID 4612 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\kuaCwXt.exe
PID 4612 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\kuaCwXt.exe
PID 4612 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\mRqntGl.exe
PID 4612 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\mRqntGl.exe
PID 4612 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\MKZSvtY.exe
PID 4612 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\MKZSvtY.exe
PID 4612 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\AjLkJPC.exe
PID 4612 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\AjLkJPC.exe
PID 4612 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\XuAiQVQ.exe
PID 4612 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\XuAiQVQ.exe
PID 4612 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\gFTDBYB.exe
PID 4612 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\gFTDBYB.exe
PID 4612 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\KZLFmZL.exe
PID 4612 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\KZLFmZL.exe
PID 4612 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmMZceg.exe
PID 4612 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmMZceg.exe
PID 4612 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\mrdcjnH.exe
PID 4612 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\mrdcjnH.exe
PID 4612 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\zrBrvyw.exe
PID 4612 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe C:\Windows\System\zrBrvyw.exe
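The rows above show a single writer, PID 4612 (the dropper), writing into each of the 21 child processes it launched, two rows per child. The signal is the fan-out, not any individual write. The following is an added example, not part of the sandbox report or its tooling: it parses rows in this format and flags any writer whose number of distinct target processes exceeds a threshold. The sample rows are ten rows from the table above with the dropper path shortened to sample.exe, plus one constructed benign row from a different writer; the threshold of 5 is an illustrative assumption.

```python
import re
from collections import defaultdict

# Assumption for illustration: one process writing into more than this many
# distinct child processes in a single run is treated as dropper-like.
FANOUT_THRESHOLD = 5

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Constructed sample: rows from the report (dropper path shortened to
# sample.exe) plus one made-up benign row for PID 700. As in the report,
# 4892 and 2280 appear twice, so the check must count distinct targets.
SAMPLE_ROWS = r"""
PID 4612 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\VhWtUqm.exe
PID 4612 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\VhWtUqm.exe
PID 4612 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\pAFmoFY.exe
PID 4612 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\pAFmoFY.exe
PID 4612 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\ZNRAYqg.exe
PID 4612 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\FbClxMG.exe
PID 4612 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\cTIQZfP.exe
PID 4612 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\MvmxSFO.exe
PID 4612 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\EVEYOdY.exe
PID 4612 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\jgNUVjn.exe
PID 700 wrote to memory of 800 N/A C:\Windows\explorer.exe C:\Windows\System32\notepad.exe
"""


def parse_wpm_rows(text):
    """Parse 'Suspicious use of WriteProcessMemory' rows into dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(m.groupdict())
    return rows


def injection_fanout(rows):
    """Map each writer PID to its set of distinct (target PID, target image)."""
    fanout = defaultdict(set)
    for r in rows:
        fanout[r["src"]].add((r["dst"], r["dst_img"]))
    return dict(fanout)


def flag_droppers(rows, threshold=FANOUT_THRESHOLD):
    """Return [(writer PID, writer image, distinct target count)] for writers
    over the threshold, highest fan-out first."""
    image_of = {r["src"]: r["src_img"] for r in rows}
    hits = [
        (pid, image_of[pid], len(targets))
        for pid, targets in injection_fanout(rows).items()
        if len(targets) > threshold
    ]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for pid, image, n in flag_droppers(parse_wpm_rows(SAMPLE_ROWS)):
        print(f"{image} (PID {pid}) wrote into {n} distinct child processes")
```

Counting distinct targets rather than rows matters here: every child is written twice in the report, so a per-row count would double the fan-out and any threshold tuned on it would be wrong.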

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_124eb7730f4f1745bf5c723d600e4d7b_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\VhWtUqm.exe

C:\Windows\System\VhWtUqm.exe

C:\Windows\System\pAFmoFY.exe

C:\Windows\System\pAFmoFY.exe

C:\Windows\System\ZNRAYqg.exe

C:\Windows\System\ZNRAYqg.exe

C:\Windows\System\FbClxMG.exe

C:\Windows\System\FbClxMG.exe

C:\Windows\System\cTIQZfP.exe

C:\Windows\System\cTIQZfP.exe

C:\Windows\System\MvmxSFO.exe

C:\Windows\System\MvmxSFO.exe

C:\Windows\System\EVEYOdY.exe

C:\Windows\System\EVEYOdY.exe

C:\Windows\System\jgNUVjn.exe

C:\Windows\System\jgNUVjn.exe

C:\Windows\System\bNPDhdK.exe

C:\Windows\System\bNPDhdK.exe

C:\Windows\System\qovqMFe.exe

C:\Windows\System\qovqMFe.exe

C:\Windows\System\gKjrVQA.exe

C:\Windows\System\gKjrVQA.exe

C:\Windows\System\kuaCwXt.exe

C:\Windows\System\kuaCwXt.exe

C:\Windows\System\mRqntGl.exe

C:\Windows\System\mRqntGl.exe

C:\Windows\System\MKZSvtY.exe

C:\Windows\System\MKZSvtY.exe

C:\Windows\System\AjLkJPC.exe

C:\Windows\System\AjLkJPC.exe

C:\Windows\System\XuAiQVQ.exe

C:\Windows\System\XuAiQVQ.exe

C:\Windows\System\gFTDBYB.exe

C:\Windows\System\gFTDBYB.exe

C:\Windows\System\KZLFmZL.exe

C:\Windows\System\KZLFmZL.exe

C:\Windows\System\XmMZceg.exe

C:\Windows\System\XmMZceg.exe

C:\Windows\System\mrdcjnH.exe

C:\Windows\System\mrdcjnH.exe

C:\Windows\System\zrBrvyw.exe

C:\Windows\System\zrBrvyw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 (none) tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 (none) tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 (none) tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 (none) tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 (none) tcp
DE 3.120.209.58:8080 (none) tcp

The udp rows are reverse-DNS (PTR) queries sent to 8.8.8.8 for 20.44.239.154, 2.17.107.203, 192.229.221.95, 40.126.32.138, 40.119.249.228, 13.85.23.86, 52.165.164.15, 199.232.210.172 and 52.111.227.14; the table does not attribute them to a process. The only non-DNS traffic is six TCP connections to 3.120.209.58:8080 (DE) with no domain recorded, which makes that address and port the network indicator to hunt for in firewall and proxy logs.
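The table mixes two kinds of traffic, PTR lookups through 8.8.8.8 and repeated TCP connections to one host, and the tcp rows carry no Domain value. The following is an added example, not part of the sandbox report or its tooling: it parses rows as the report renders them (three or four fields), turns each in-addr.arpa name back into the address that was looked up, and counts the non-DNS connections per destination and protocol. The embedded rows are the fifteen rows of the table above.

```python
import ipaddress
from collections import Counter

# Rows copied from the behavioral2 Network table. The tcp rows have no Domain
# field, so the parser must accept both three- and four-field rows.
NETWORK_ROWS = """\
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

# Placeholders some renderings use for an empty Domain column.
NO_DOMAIN = {"(none)", "N/A", "-"}
PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """Turn an IPv4 reverse-DNS name back into the address that was looked up,
    e.g. 154.239.44.20.in-addr.arpa -> 20.44.239.154."""
    if not name.endswith(PTR_SUFFIX):
        raise ValueError(f"not an IPv4 PTR name: {name}")
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        raise ValueError(f"unexpected label count in PTR name: {name}")
    # IPv4Address validates that every label is a legal octet.
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def parse_network_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
            if domain in NO_DOMAIN:
                domain = None
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Separate PTR lookups (resolved back to the queried address) from all
    other traffic, which is counted per (destination, protocol)."""
    ptr_targets = []
    connections = Counter()
    for r in rows:
        if r["domain"] and r["domain"].endswith(PTR_SUFFIX):
            ptr_targets.append(ptr_to_ip(r["domain"]))
        else:
            connections[(r["dest"], r["proto"])] += 1
    return {"ptr_targets": ptr_targets, "connections": connections}


if __name__ == "__main__":
    s = summarize(parse_network_rows(NETWORK_ROWS))
    print("PTR lookups for:", ", ".join(s["ptr_targets"]))
    for (dest, proto), n in s["connections"].most_common():
        print(f"{proto} {dest}: {n} connection(s)")
```

Reversing the PTR names is what lets an analyst compare the looked-up addresses against known sandbox or OS background traffic; the connection counter is what isolates 3.120.209.58:8080 as the single destination worth a blocklist entry.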

Files

memory/4612-0-0x00007FF6E9010000-0x00007FF6E9364000-memory.dmp

memory/4612-1-0x000001A1856F0000-0x000001A185700000-memory.dmp

C:\Windows\System\VhWtUqm.exe

MD5 0100ed89ca85ca6cc934570271909710
SHA1 5e4a78b3492b72319b540476f4fddd32cfc23fe9
SHA256 85d642d0e0880e9458b27f273d35186aa4732b5151d06c2871f7a3011aa39f8a
SHA512 11369124a37cb3266897c41915e56c24a390e1c31a0c41878bd3599e88a689591177104c796253a7841a601f76751696a35be9cfef40a188b9829607c6751bd9

memory/4892-8-0x00007FF6288D0000-0x00007FF628C24000-memory.dmp

C:\Windows\System\pAFmoFY.exe

MD5 b0127299f797cb7bd681d12fa6dab5ff
SHA1 aacf63bfb99664e16b4a8627932d2d049b63517c
SHA256 0b9a1c3dccf5b1af7bc6a5667d5c62792a49d10529e505711b778f45973c2693
SHA512 7852a19b241883a395c23924874bd741f113ff345ea1af87fd6ba9ba55b0cc265cc25d3b42ad03a0ce6cfa5ede6da06625e647daf809aaedcce45f02042bfb02

C:\Windows\System\ZNRAYqg.exe

MD5 bdc8ec587c9592411e85a4c7179f4c12
SHA1 09c71b12fe6f8630efe110f8312986e2107cfa1f
SHA256 943f8681659e19da74dcf1ffd2447eb01cbeb008f5f3419e160e5f1002a81890
SHA512 a4601201729a74365050b9510f5ccecd91a9d97106a76b439e0d6884937be64a89c011fcc5f3abb1362315725827b54622dadeab08b8f95b5c509022ea0399b7

memory/2280-14-0x00007FF683B90000-0x00007FF683EE4000-memory.dmp

memory/4896-20-0x00007FF724DA0000-0x00007FF7250F4000-memory.dmp

C:\Windows\System\FbClxMG.exe

MD5 78ad31ea7881758071a52c3966f27883
SHA1 e1fbf9c111e63c525f649aa57a8badea9d888870
SHA256 17c1ef031ceb4c6be63a119b9052ab8ff5348d51beed930fb022705ff791c7df
SHA512 b943e171acdbe12ffff845f20015eb81e8b96133a12d1510b77a1b42c2dd5b67e3b829b00feb520c0e23ee97f8143530f00a2404e551cd78fb676472cdade0e5

C:\Windows\System\cTIQZfP.exe

MD5 5c71b5b79d7001baee359e39aad94b38
SHA1 63a34dd07310630308e1645c678164140887ecde
SHA256 a94dcbe1e3981f47ffdb4bbafd014add391a2579b37ff056b71de14d8691caed
SHA512 cfb31b71d25668be2d022c402eceb68ad7088406d6f4bf14f19e609266635df44425aa3b981c2fd09ebfd74ccb5f462144a98a384cb151b0589470ade3867107

memory/4256-30-0x00007FF6B5EF0000-0x00007FF6B6244000-memory.dmp

C:\Windows\System\MvmxSFO.exe

MD5 1d9dd2919111dd9f3bfabf9e80584386
SHA1 41400fc2ecd2ed52a67053298bb17e567416e115
SHA256 14c03cb6e6e598a544b6c1d2a08179923a4e969c0d6bd257fc898e69eb745d5b
SHA512 320843660e280c2af163eaabd84c322ca9db518824361e6f11dff997e7663372d2a7db0f5532df7a42754abdce8c371ae265eb104584eae15ee31c03bc5e9afc

C:\Windows\System\jgNUVjn.exe

MD5 705eeebe0dbe59d458eedb91aaf080ce
SHA1 0a4c7a3fae9ace2503404ba7c2a5df4ed65539a9
SHA256 37f17c085cd9b04e05f553e100bddfa4603644fe878f9655a37e339eebc1cba7
SHA512 c8fc5b85df87b8d634a4203cbb6f0d772bfcac88f37e4dd75a4206092d4326ca5dfa26a4b676df8c70430934ffde38bc5e4b52ff7931e9b2dcd90aeeab38ee9f

C:\Windows\System\gKjrVQA.exe

MD5 e90dd655ca19fca58cbf5bdf97323c0c
SHA1 047a0d9076969b34d8f13c4f2d48f38258dd5f8c
SHA256 7b85a3ac91ed9dea9392ae106b4bac4fe85cba7a52c37ce75273cc1440f1d1b8
SHA512 4fb7d60ed3211ba8572ded330ae1f26399520215b0b46d32eb51ee278fb357bde14dfe7174b9d95a8869c5bbb53d276965a4242c782b7480649fa328a2e55a04

memory/4892-69-0x00007FF6288D0000-0x00007FF628C24000-memory.dmp

memory/4208-70-0x00007FF79CA00000-0x00007FF79CD54000-memory.dmp

memory/2300-65-0x00007FF7A5CD0000-0x00007FF7A6024000-memory.dmp

C:\Windows\System\qovqMFe.exe

MD5 58c1e6e18ccec45d6d879e861730424d
SHA1 53118d970a4e39eebced1c55a27c5e996914a982
SHA256 cb39a2da033074d851c84675ecc539970a7c926b939d80fe3cd639e0b922d7f5
SHA512 b0c723e5551d7854706c2ffbc2fc96b9cc8ac18c8b278dd19301c28833e6778161b7fa7023b4190c72b9bb568b458eae651a53b7c948e224636dd024d3104bc1

memory/4612-59-0x00007FF6E9010000-0x00007FF6E9364000-memory.dmp

memory/1072-58-0x00007FF79F230000-0x00007FF79F584000-memory.dmp

C:\Windows\System\bNPDhdK.exe

MD5 208dafa074ac123d00c12fe271a57d0a
SHA1 930d77c9250f26ccb1c1d33f9380500dc4c533e0
SHA256 4ba1d706e8b2d347c0d2b40ff36a58f51a692bc7454a32fe9649f330c9aa7a7c
SHA512 89f427a50a5f13283c166ec3d3eba3d0614b61920042e56cf127f4d6c3cff039f75411dc9865f57f4e145e2e26cc4faf13c9c732cc82afc57e65677afb2b03ba

memory/2616-50-0x00007FF750A20000-0x00007FF750D74000-memory.dmp

C:\Windows\System\EVEYOdY.exe

MD5 2192f64625de8bd09eb425b5301a53b3
SHA1 81745742c0e2e52aa5e0024579df1ed049630a0e
SHA256 117f07a23d113bc08d670c6da11fd8a42773dfe616f0c642dd38ad3b8b6fc188
SHA512 919e65ecafb5947f4ad15bc02a49173f3065035e3893aab5edb163a6cd0961b4f9476900a8537ac953665c3f51f1e5f21ab913255b2ec3843c71a91b2d72b637

memory/4024-44-0x00007FF659E80000-0x00007FF65A1D4000-memory.dmp

memory/4156-38-0x00007FF708160000-0x00007FF7084B4000-memory.dmp

memory/1004-80-0x00007FF648320000-0x00007FF648674000-memory.dmp

memory/2712-83-0x00007FF6121A0000-0x00007FF6124F4000-memory.dmp

memory/2868-115-0x00007FF7F5E50000-0x00007FF7F61A4000-memory.dmp

C:\Windows\System\mrdcjnH.exe

MD5 7edc3c51d81942541062a40612988b76
SHA1 82622a401fa47cfd39f9756eee95967d64048cdb
SHA256 4e7e40681a98167046dfe9e4d1e264eb642d0d0772e16fc970976387727cac01
SHA512 e0be8d7cd2756fb5c43e41e4d6b08fb23e584ff1c0d870584a2b0de66962451305233c200a5f8267e5889a03e7541b4c3d376dc2c8d766cbfd9a866372fa2b04

memory/2616-125-0x00007FF750A20000-0x00007FF750D74000-memory.dmp

C:\Windows\System\zrBrvyw.exe

MD5 6cd961357a4249f5aa062c35d0e8eb56
SHA1 4fb9e4acd1a8ed9e91ea585205b01de461b6bac2
SHA256 ec6f2bbdf4286454a52c024eb5ffe76f49d42ebed05399b97282b5bebd10b677
SHA512 25a07031e308207984c8d034f13bb9eb42e28b6ee52e33742d216f28898c553052ab40bd0656ee641bce89fc50e40b6ba90196199b8820da8d69cd08c9a28b8c

memory/1768-133-0x00007FF7BF670000-0x00007FF7BF9C4000-memory.dmp

memory/1072-132-0x00007FF79F230000-0x00007FF79F584000-memory.dmp

memory/4116-131-0x00007FF65BA40000-0x00007FF65BD94000-memory.dmp

memory/1940-124-0x00007FF7872C0000-0x00007FF787614000-memory.dmp

memory/2708-121-0x00007FF6B6870000-0x00007FF6B6BC4000-memory.dmp

C:\Windows\System\XmMZceg.exe

MD5 1de31ea9beea17367eb250ef6264c9af
SHA1 b1ae33c0956f2c4ab5f14fb2348a11527f6ad796
SHA256 2d699c3d301c0fb12c15e40cfb87b3a7c2ae5d6ad3379ee16c5399a931dbdb26
SHA512 0f6bae68fab302e9b5d6e662b1a4f7b1e22c9b4c165af291e01e9602e507dc66120e77f605821181ecfe40661a52d17098cebadc4e2ae50847b3b800c24223df

C:\Windows\System\KZLFmZL.exe

MD5 cd8a478ee3e049c8a1e4fbc4752b6b83
SHA1 58a992a49c1f91f89b9dafa89ed31aca73e0dd8e
SHA256 27070b9d706835898dae6c7abc29f0c220156d048433edf3b8d0ffecbed10c89
SHA512 f0b0c82d1435919ba0b075489cc3833f3c8f6e13364411af93201007ae7723fbf2d855988dd1c75edb05b0a8169b478b2f2c2cf8a2a06aeba3caa0cf240624cd

memory/2292-113-0x00007FF6157B0000-0x00007FF615B04000-memory.dmp

C:\Windows\System\gFTDBYB.exe

MD5 fe928464de8d5c2f66f49ee7502e04f3
SHA1 23a1a134cf0ec715c3076d25e05a091535cdb429
SHA256 05ad5afd509c61767a9c27670f662d4b2715ace8d825fc3b631717a3a7d3a7be
SHA512 34ad223da3d624b52dec9217f70dec63d19cf103f0800c47d5094df7d0c083c6fb0ce9e549a538edf48e3173aa942ae8e42fbf587f3c34c9b1235a864360ecce

memory/4024-107-0x00007FF659E80000-0x00007FF65A1D4000-memory.dmp

memory/4156-106-0x00007FF708160000-0x00007FF7084B4000-memory.dmp

C:\Windows\System\XuAiQVQ.exe

MD5 124c950ae78f448f63a9a44787f405c3
SHA1 c84522c446af821dd59f3b0d5f3308b6af780c00
SHA256 843ce5175d1f0c3281ccc62c50df2318a8d57c137466f8684a9cfb4438e90869
SHA512 8f95a15d007c03d205756132ffbc884818641b874c87bb73e10cd10b760c1a1debcdfe620fdb67a51e89490de80bd8d422ac717bf07e0c50dd4c0cc058db2b89

memory/2216-98-0x00007FF6FD070000-0x00007FF6FD3C4000-memory.dmp

memory/4256-93-0x00007FF6B5EF0000-0x00007FF6B6244000-memory.dmp

C:\Windows\System\AjLkJPC.exe

MD5 c90e3d285dde457c334949a87667cbb2
SHA1 0f700664d3e736a0b9c8159acabafe615bb031ca
SHA256 55fefc5b5afe80b56a060ac8c154de86114b630add8cbb1dcf0a9ea52f756fc8
SHA512 e06d8ef9116a55110f29cc4dd87842bc8e322e18e36fae77a3da13993b033de6f5bafe33325d5ede3bdcdac81ed702b1c9cf4b116765a42283b3dbab91182012

C:\Windows\System\MKZSvtY.exe

MD5 182fc86a57c54b602e536edf176ebbf9
SHA1 5facedafd825d7f6309b9a34e48fd9531b4e37cf
SHA256 613c78104e5d75cb74ec0bacfa2cef593e6295732d11029797b679dbb5af9df7
SHA512 72084e11dcc41eaa7d9b2d26dc64edf58898c6d324f2102b429392be4d4e2e2302bb1ce7efd97cc8b6a049d3ea90e52b8f9c71773b676d8a873ae4f1f158c9c5

memory/5116-87-0x00007FF798430000-0x00007FF798784000-memory.dmp

memory/4896-82-0x00007FF724DA0000-0x00007FF7250F4000-memory.dmp

C:\Windows\System\mRqntGl.exe

MD5 a06132dc81d54ee139e985d31e1877f9
SHA1 d3efd3c8396985e79c67d6e9967148353be64660
SHA256 cc51e3e73b7a7cba13e4b7102e46c459170c3f686848140fe0d7b36113adc609
SHA512 7264dbdfa10b0def34f317ff576d8299ccae0764c253ddbbc9c7a2bb0694d2b004413b67ddd754dc0bca73a390a85b151c8d387dd5113e4c4f63e73b6420ba9e

C:\Windows\System\kuaCwXt.exe

MD5 170a47f9b4a1dc7eb15bea2c43292a41
SHA1 fecde0ca5a01c6f254cae05c30be2e5b9f032b35
SHA256 9713dddeb97eefe481abca3573ac93f5fd761caafda183f3df1a3f36157bda35
SHA512 0222c9df203bdc27d82429d961dca6a7c6105ebed7c89448a2c4ae86106ead1ea55ba49361791417becfad44545319986372bf73d97733ef85cff39c55e41711

memory/4284-26-0x00007FF76A7F0000-0x00007FF76AB44000-memory.dmp

memory/2300-136-0x00007FF7A5CD0000-0x00007FF7A6024000-memory.dmp

memory/5116-137-0x00007FF798430000-0x00007FF798784000-memory.dmp

memory/2216-138-0x00007FF6FD070000-0x00007FF6FD3C4000-memory.dmp

memory/2868-139-0x00007FF7F5E50000-0x00007FF7F61A4000-memory.dmp

memory/1768-140-0x00007FF7BF670000-0x00007FF7BF9C4000-memory.dmp

memory/4892-141-0x00007FF6288D0000-0x00007FF628C24000-memory.dmp

memory/2280-142-0x00007FF683B90000-0x00007FF683EE4000-memory.dmp

memory/4896-143-0x00007FF724DA0000-0x00007FF7250F4000-memory.dmp

memory/4284-144-0x00007FF76A7F0000-0x00007FF76AB44000-memory.dmp

memory/4256-145-0x00007FF6B5EF0000-0x00007FF6B6244000-memory.dmp

memory/4156-146-0x00007FF708160000-0x00007FF7084B4000-memory.dmp

memory/4024-147-0x00007FF659E80000-0x00007FF65A1D4000-memory.dmp

memory/2616-149-0x00007FF750A20000-0x00007FF750D74000-memory.dmp

memory/4208-151-0x00007FF79CA00000-0x00007FF79CD54000-memory.dmp

memory/2300-150-0x00007FF7A5CD0000-0x00007FF7A6024000-memory.dmp

memory/1072-148-0x00007FF79F230000-0x00007FF79F584000-memory.dmp

memory/1004-152-0x00007FF648320000-0x00007FF648674000-memory.dmp

memory/2712-153-0x00007FF6121A0000-0x00007FF6124F4000-memory.dmp

memory/2216-155-0x00007FF6FD070000-0x00007FF6FD3C4000-memory.dmp

memory/2292-156-0x00007FF6157B0000-0x00007FF615B04000-memory.dmp

memory/5116-154-0x00007FF798430000-0x00007FF798784000-memory.dmp

memory/2708-157-0x00007FF6B6870000-0x00007FF6B6BC4000-memory.dmp

memory/1940-159-0x00007FF7872C0000-0x00007FF787614000-memory.dmp

memory/2868-158-0x00007FF7F5E50000-0x00007FF7F61A4000-memory.dmp

memory/4116-160-0x00007FF65BA40000-0x00007FF65BD94000-memory.dmp

memory/1768-161-0x00007FF7BF670000-0x00007FF7BF9C4000-memory.dmp
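The Files lists of the two runs overlap: gKjrVQA.exe, kuaCwXt.exe, MKZSvtY.exe, XuAiQVQ.exe, mrdcjnH.exe, AjLkJPC.exe, zrBrvyw.exe, KZLFmZL.exe, XmMZceg.exe, gFTDBYB.exe and mRqntGl.exe carry identical hashes in behavioral1 and behavioral2, the drop paths differ only in the casing of "system", and every dumped image region (all but the 0x10000 block memory/4612-1) spans exactly 0x354000 bytes. All 21 files from the "Drops file in Windows directory" table also share one naming pattern: a seven-letter name directly under \Windows\System, not System32. The following is an added example, not part of the sandbox report or its tooling: it parses a listing in this format, collapses entries by SHA256 so each IOC is reported once with every path it was seen under, builds a histogram of the dump region sizes, and matches the drop-path pattern. The embedded listing is a constructed slice of the two Files sections above.

```python
import re
from collections import Counter

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512) (?P<digest>[0-9a-f]+)$")
# Optional drive letter, then \Windows\System\ and a seven-letter name.
DROP_RE = re.compile(r"^(?:[A-Za-z]:)?\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# Constructed sample: gKjrVQA.exe as listed in both runs (same hashes, different
# casing of the directory), one more dropped file, and four memory dump names.
SAMPLE_LISTING = r"""
C:\Windows\system\gKjrVQA.exe

MD5 e90dd655ca19fca58cbf5bdf97323c0c
SHA1 047a0d9076969b34d8f13c4f2d48f38258dd5f8c
SHA256 7b85a3ac91ed9dea9392ae106b4bac4fe85cba7a52c37ce75273cc1440f1d1b8
SHA512 4fb7d60ed3211ba8572ded330ae1f26399520215b0b46d32eb51ee278fb357bde14dfe7174b9d95a8869c5bbb53d276965a4242c782b7480649fa328a2e55a04

memory/2760-80-0x000000013FDC0000-0x0000000140114000-memory.dmp

C:\Windows\System\gKjrVQA.exe

MD5 e90dd655ca19fca58cbf5bdf97323c0c
SHA1 047a0d9076969b34d8f13c4f2d48f38258dd5f8c
SHA256 7b85a3ac91ed9dea9392ae106b4bac4fe85cba7a52c37ce75273cc1440f1d1b8
SHA512 4fb7d60ed3211ba8572ded330ae1f26399520215b0b46d32eb51ee278fb357bde14dfe7174b9d95a8869c5bbb53d276965a4242c782b7480649fa328a2e55a04

memory/4612-0-0x00007FF6E9010000-0x00007FF6E9364000-memory.dmp

memory/4612-1-0x000001A1856F0000-0x000001A185700000-memory.dmp

C:\Windows\System\VhWtUqm.exe

MD5 0100ed89ca85ca6cc934570271909710
SHA1 5e4a78b3492b72319b540476f4fddd32cfc23fe9
SHA256 85d642d0e0880e9458b27f273d35186aa4732b5151d06c2871f7a3011aa39f8a
SHA512 11369124a37cb3266897c41915e56c24a390e1c31a0c41878bd3599e88a689591177104c796253a7841a601f76751696a35be9cfef40a188b9829607c6751bd9

memory/4892-8-0x00007FF6288D0000-0x00007FF628C24000-memory.dmp
"""


def parse_file_listing(text):
    """Return (files, regions): files maps path -> {algo: digest}; regions is a
    list of (pid, seq, start, end) parsed from the memory dump names."""
    files, regions, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append((int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)))
            continue
        h = HASH_RE.match(line)
        if h:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            files[current][h["algo"]] = h["digest"]
            continue
        current = line
        files.setdefault(current, {})
    return files, regions


def unique_iocs(files):
    """Collapse entries sharing a SHA256 (the same dropped file seen in both
    runs) into one record that keeps every path it was observed under."""
    by_sha = {}
    for path, hashes in files.items():
        entry = by_sha.setdefault(hashes["SHA256"], {"paths": set()})
        entry.update(hashes)
        entry["paths"].add(path)
    return by_sha


def region_sizes(regions):
    """Histogram of dumped region sizes in bytes."""
    return Counter(end - start for _, _, start, end in regions)


def is_random_system_drop(path):
    """True for the pattern every dropped file in this report follows."""
    return DROP_RE.match(path) is not None


if __name__ == "__main__":
    files, regions = parse_file_listing(SAMPLE_LISTING)
    for sha, e in unique_iocs(files).items():
        print(sha, sorted(e["paths"]))
    for size, n in region_sizes(regions).most_common():
        print(f"{n} region(s) of {size:#x} bytes")
```

Deduplicating on SHA256 rather than on path is what keeps an IOC feed built from this report at one entry per file even though the two runs spell the drop directory differently; the uniform 0x354000 region size is a quick cross-check that every child process mapped an image of the same size as the dropper.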