Malware Analysis Report

2024-10-24 18:16

Sample ID 240606-3jlc5adf8y
Target 2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike
SHA256 de20716705db13864f1e21e4a396d74c1f4428079b21242ee6974105571818dc
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de20716705db13864f1e21e4a396d74c1f4428079b21242ee6974105571818dc

Threat Level: Known bad

The file 2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike was found to be: Known bad. Note that the behavioural evidence recorded on this page is the miner/dropper activity (SeLockMemoryPrivilege requested, 21 random-named executables written to C:\Windows\System and started, repeated TCP connections to 3.120.209.58:8080); the Cobalt Strike and reflective-loader signatures fired on static/memory content and carry no indicator detail in this report.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

Cobaltstrike

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 23:34

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 23:32

Reported

2024-06-06 23:38

Platform

win7-20240508-en

Max time kernel

133s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (14 identical rows; no indicator detail recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (14 identical rows; no indicator detail recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (47 identical rows; no indicator detail recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (54 identical rows; no indicator detail recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A (21 identical rows; the loaded DLL is not named in the report)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (52 identical rows; no indicator detail recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\jdnHLBQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RnMVTTn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Diejsbs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vSGewvQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eGOqVUF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SoRKhLi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\otDKcUl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TIjJvUa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AtpunYQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AvoUJqk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zXlHyXU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FnhpuAq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UhVBaJt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zLbOkMZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\axeFXdR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HuesdXT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wmVzTCP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FxzYHdM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ApmiJWE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CpFBDrT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dDZopqM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 1708 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\jdnHLBQ.exe
PID 2244 wrote to memory of 2092 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\zLbOkMZ.exe
PID 2244 wrote to memory of 2384 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\otDKcUl.exe
PID 2244 wrote to memory of 2624 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\FxzYHdM.exe
PID 2244 wrote to memory of 2760 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ApmiJWE.exe
PID 2244 wrote to memory of 2832 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\TIjJvUa.exe
PID 2244 wrote to memory of 3032 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\RnMVTTn.exe
PID 2244 wrote to memory of 2676 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\axeFXdR.exe
PID 2244 wrote to memory of 2696 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\AtpunYQ.exe
PID 2244 wrote to memory of 2544 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\HuesdXT.exe
PID 2244 wrote to memory of 2516 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\AvoUJqk.exe
PID 2244 wrote to memory of 2548 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\Diejsbs.exe
PID 2244 wrote to memory of 2956 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGOqVUF.exe
PID 2244 wrote to memory of 2304 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\vSGewvQ.exe
PID 2244 wrote to memory of 1828 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\wmVzTCP.exe
PID 2244 wrote to memory of 1568 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\SoRKhLi.exe
PID 2244 wrote to memory of 1836 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\zXlHyXU.exe
PID 2244 wrote to memory of 2724 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\CpFBDrT.exe
PID 2244 wrote to memory of 1964 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\FnhpuAq.exe
PID 2244 wrote to memory of 1228 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\dDZopqM.exe
PID 2244 wrote to memory of 1752 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\UhVBaJt.exe
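The three behavioural tables above (files dropped into C:\Windows\System, SeLockMemoryPrivilege requested, the parent writing into each child it spawned) are the rows an analyst actually triages on. The script below is an added example, not the sandbox's own code: it takes a constructed subset of those rows, copied from this report, and turns them into a verdict. Two assumptions are labelled in the code: the "random name" heuristic (seven mixed-case letters before .exe) is drawn only from the names listed on this page, and SeLockMemoryPrivilege is treated as a miner indicator because XMRig requests it to back RandomX with large pages. One caveat on the WriteProcessMemory table: a fixed burst of a few parent-to-child writes at process start is typically what a sandbox records for ordinary process creation, so the example counts those writes as "dropped and started" rather than as injection.

```python
"""Correlate sandbox signature rows into a dropper/miner verdict.

Added example, not the sandbox's own code.  The event lists are a constructed
subset of the rows in the report above.
"""
import re
from collections import Counter

# Submitted sample (PID 2244 in the report).
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe")

# "Drops file in Windows directory" rows: (created path, creating process)
FILE_CREATED = [
    (r"C:\Windows\System\jdnHLBQ.exe", PARENT),
    (r"C:\Windows\System\RnMVTTn.exe", PARENT),
    (r"C:\Windows\System\zLbOkMZ.exe", PARENT),
    (r"C:\Windows\System\Diejsbs.exe", PARENT),
]

# "Suspicious use of WriteProcessMemory" rows: (src pid, dst pid, src image, dst image)
WRITE_PROCESS_MEMORY = [
    (2244, 1708, PARENT, r"C:\Windows\System\jdnHLBQ.exe"),
    (2244, 1708, PARENT, r"C:\Windows\System\jdnHLBQ.exe"),
    (2244, 1708, PARENT, r"C:\Windows\System\jdnHLBQ.exe"),
    (2244, 2092, PARENT, r"C:\Windows\System\zLbOkMZ.exe"),
    (2244, 2092, PARENT, r"C:\Windows\System\zLbOkMZ.exe"),
    (2244, 2092, PARENT, r"C:\Windows\System\zLbOkMZ.exe"),
    (2244, 3032, PARENT, r"C:\Windows\System\RnMVTTn.exe"),
]

# "Suspicious use of AdjustPrivilegeToken" rows: (privilege, process)
TOKEN_PRIVILEGES = [("SeLockMemoryPrivilege", PARENT)] * 2

# "Network" rows: (country, ip, port, proto)
NETWORK = [("DE", "3.120.209.58", 8080, "tcp")] * 6

# Assumption: every dropped name on this page is seven mixed-case letters + .exe.
RANDOM_NAME = re.compile(r"\\([A-Za-z]{7})\.exe$")
WINDOWS_DIR = "c:\\windows\\"


def dropped_random_exes(created):
    """Files created under C:\\Windows whose name matches the random-name pattern."""
    return sorted(p for p, _ in created
                  if p.lower().startswith(WINDOWS_DIR) and RANDOM_NAME.search(p))


def writes_per_child(wpm):
    """Number of parent->child memory writes per target image."""
    return Counter(dst_img for _, _, _, dst_img in wpm)


def dropped_then_started(created, wpm):
    """Dropped files that later show up as a live child the dropper wrote into."""
    dropped = {p.lower() for p, _ in created}
    return sorted({dst for dst in writes_per_child(wpm) if dst.lower() in dropped})


def unique_endpoints(network):
    """Distinct (ip, port, proto) tuples behind the repeated connection rows."""
    return sorted({(ip, port, proto) for _, ip, port, proto in network})


def assess(created, wpm, privileges, network):
    """Return the findings an analyst would pull from these four tables."""
    findings = {
        "dropped_random_exes": dropped_random_exes(created),
        "dropped_then_started": dropped_then_started(created, wpm),
        "lock_memory_privilege": any(p == "SeLockMemoryPrivilege" for p, _ in privileges),
        "endpoints": unique_endpoints(network),
    }
    verdict = []
    if len(findings["dropped_random_exes"]) >= 3 and findings["dropped_then_started"]:
        verdict.append("dropper: random-named PEs written to C:\\Windows\\System and executed")
    if findings["lock_memory_privilege"]:
        # Assumption: XMRig requests SeLockMemoryPrivilege for large-page RandomX memory.
        verdict.append("miner: SeLockMemoryPrivilege requested (large-page mining)")
    findings["verdict"] = verdict
    return findings


if __name__ == "__main__":
    for key, value in assess(FILE_CREATED, WRITE_PROCESS_MEMORY,
                             TOKEN_PRIVILEGES, NETWORK).items():
        print(f"{key}: {value}")
```

Feeding the full tables from this report instead of the subset yields 21 dropped names, all 21 started, and a single endpoint, which is the shape of the verdict recorded in the summary.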

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\jdnHLBQ.exe

C:\Windows\System\jdnHLBQ.exe

C:\Windows\System\zLbOkMZ.exe

C:\Windows\System\zLbOkMZ.exe

C:\Windows\System\otDKcUl.exe

C:\Windows\System\otDKcUl.exe

C:\Windows\System\FxzYHdM.exe

C:\Windows\System\FxzYHdM.exe

C:\Windows\System\ApmiJWE.exe

C:\Windows\System\ApmiJWE.exe

C:\Windows\System\TIjJvUa.exe

C:\Windows\System\TIjJvUa.exe

C:\Windows\System\RnMVTTn.exe

C:\Windows\System\RnMVTTn.exe

C:\Windows\System\axeFXdR.exe

C:\Windows\System\axeFXdR.exe

C:\Windows\System\AtpunYQ.exe

C:\Windows\System\AtpunYQ.exe

C:\Windows\System\HuesdXT.exe

C:\Windows\System\HuesdXT.exe

C:\Windows\System\AvoUJqk.exe

C:\Windows\System\AvoUJqk.exe

C:\Windows\System\Diejsbs.exe

C:\Windows\System\Diejsbs.exe

C:\Windows\System\eGOqVUF.exe

C:\Windows\System\eGOqVUF.exe

C:\Windows\System\vSGewvQ.exe

C:\Windows\System\vSGewvQ.exe

C:\Windows\System\wmVzTCP.exe

C:\Windows\System\wmVzTCP.exe

C:\Windows\System\SoRKhLi.exe

C:\Windows\System\SoRKhLi.exe

C:\Windows\System\zXlHyXU.exe

C:\Windows\System\zXlHyXU.exe

C:\Windows\System\CpFBDrT.exe

C:\Windows\System\CpFBDrT.exe

C:\Windows\System\FnhpuAq.exe

C:\Windows\System\FnhpuAq.exe

C:\Windows\System\dDZopqM.exe

C:\Windows\System\dDZopqM.exe

C:\Windows\System\UhVBaJt.exe

C:\Windows\System\UhVBaJt.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical rows; no domain recorded)

Files

memory/2244-0-0x000000013F220000-0x000000013F574000-memory.dmp

C:\Windows\system\zLbOkMZ.exe

MD5 5e7e0c8991a5e52d168a18430d4f0683
SHA1 eca04bc7a7b52646f69f764e068ed7df631957b9
SHA256 dd7d35bb1a47b99d9029da4e191412454c79ebbb990f656c04adc9cd68c8c9d1
SHA512 239a8011be9b6f06f192576504381e8ea061fc6ba8ebf211eea3af2fbeda5999adf3c3970f0f9315db3e0507f9132a8b6ec38075eabe016a3110f988d2191e9f

memory/2244-17-0x00000000022C0000-0x0000000002614000-memory.dmp

C:\Windows\system\TIjJvUa.exe

MD5 38e1b7b0b9aa649f5c14f03127a6d132
SHA1 3917ca36707cd2c4dba6b6926d34a14a7bb117b1
SHA256 ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72
SHA512 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0

memory/2092-35-0x000000013F660000-0x000000013F9B4000-memory.dmp

C:\Windows\system\axeFXdR.exe

MD5 711965c0ed770375b388ea9b5ea57c70
SHA1 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2
SHA256 c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666
SHA512 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428

C:\Windows\system\AtpunYQ.exe

MD5 f6cdfb3d88537b367792cbd894bd98ed
SHA1 3d3f99c94c72c456dffcf949bc5d30603a7e936c
SHA256 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86
SHA512 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

\Windows\system\AtpunYQ.exe

MD5 ca837987b19c09dd4fdcd3ecb06f1c71
SHA1 39d9e7567271cf504193180ffb6b445f1be37749
SHA256 efa96d6c11ed1d7df8e761a39e4bc078f44c3ddee43475b94cfed2b55fb2a50a
SHA512 8745b8f0b151d3dc1d06b3538c6b3eabb640e493c65a999217c769dda7a476fe354f352dba4a487b8f34bc1d2a98a4a24305a4e9b8273b47aac66a4114c87bca

memory/2624-58-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2384-54-0x000000013F0F0000-0x000000013F444000-memory.dmp

C:\Windows\system\AvoUJqk.exe

MD5 b6c8330b212428ba3b976b411c0fd89b
SHA1 aeca8db08117bc77c6fe3b514eb636461b5ac34c
SHA256 6ee0e48f1efec4ef7508c4c8b0731907c27b82e9ba6fea6609ea7bc92eec4f72
SHA512 8e6ec6225dcf28d26b059b3c9ded7758ba4e48acab788ebe94c4d4fde62746c46841fb4c59603023e7dbf23f66c0dcb05025cc64efebf40f3cf9405c74f26408

\Windows\system\eGOqVUF.exe

MD5 1168d7a7c8a53346155a339dcc9ac198
SHA1 b873dbf11bef334e338ad028f647b52afb5a5aba
SHA256 6df0d1e987ccf5e8fa9d4cde12ef36f08adbf8373c0c9bbf499c0233861322ab
SHA512 88b89f64554ef23ea7c5067d22feb205e4d0e9ff16679ab4149f96421afc0bef5958e9997818db794e3ef6d8bb72cc78ea2cdf25812c8073fb45b8766fff4806

\Windows\system\wmVzTCP.exe

MD5 7ca4c7d08ec840a69d3101c638d4b72f
SHA1 9a0bd3c709f755b63121fadc936f446aec1e7ee6
SHA256 ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7
SHA512 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b

C:\Windows\system\wmVzTCP.exe

MD5 72bc30ac90ae016c5b7db4f14524fb61
SHA1 1c65e3bdb866c6b5476e931f704089c39709d80c
SHA256 f42bea1c82f6412516882e964fea23ee498f5b707431bbee55238ba83456ab67
SHA512 dbc849bfc1e347a962f93e9a5e7b6f49bed26ac2f48fcd8d2f5cea4c52b43b6ff567be23b261be00cb6cfe388ebb8e4909b28c5f8ea4a4fd3ac515f136d27d88

memory/3032-77-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/2244-82-0x000000013FD10000-0x0000000140064000-memory.dmp

C:\Windows\system\vSGewvQ.exe

MD5 964e1fc64de5e65dc575c38ef635ca8c
SHA1 394de598753b25c838907073444d2ac56e72cbf8
SHA256 121f9a0ed0605caef34e4810d7de7095a4f08c3de591e3ab1c52681a399e09be
SHA512 494cc8029a4e4a7df7829914ba4ea657e7fa5d2545cd79e5543692dd47dd1241daf5528f473bb4d44f925bb7c0712dec5e17435445a721587a2a8c431bbfde8e

C:\Windows\system\SoRKhLi.exe

MD5 71dddc318bc3ee51172400d2edd07fc7
SHA1 ce7eabe5977a385550e809b9515e59d423999149
SHA256 a7182d589906b0006d06d288c3c97dea73e9315525340248bbe2752f94fdbc1b
SHA512 46c9dfefa48cfbeb722f44a28efedfd209efaec9cea683374c003d0e6f9ef42bd833ccad2e5f5e5d65a1f649cab167c657466a7a4474d9d88c81c44e564dfee7

C:\Windows\system\FnhpuAq.exe

MD5 9dd345cc3894de467bb2316a3e156eb1
SHA1 38999412f8d01748770f00d889fe9b293331dfc5
SHA256 ffa42779cdf00f5a34dae26dca4b54f84e602f34dcdd6519f4a54657db528d93
SHA512 b2c814fcbfa9cac66695bc003f299cd7efe096f770afa1054106f8734226b3e2b2de015fc7d93c44b6d7ad2ca007d790d561a86a7dff1a48d629b663d065b243

memory/2244-119-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2696-120-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2676-118-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2544-121-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2516-122-0x000000013F4B0000-0x000000013F804000-memory.dmp

memory/2548-123-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2956-125-0x000000013F330000-0x000000013F684000-memory.dmp

memory/2304-126-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/2244-124-0x00000000022C0000-0x0000000002614000-memory.dmp

memory/2244-127-0x000000013F660000-0x000000013F9B4000-memory.dmp

C:\Windows\system\dDZopqM.exe

MD5 93a11e34b3d240e5d1f4435d8fa78818
SHA1 46d60bed44f50e436c0ed359c36194d6ef20833f
SHA256 00ab91d9658c88a0c446f17d875f4bd5beb898216246b7339218b6bf5113050a
SHA512 c30b532550e0b273bfd75c59bf4d2ccf7b689c80683643d44f7fc0db8e4be36ab855e1fbc9dbf02b9bb3feb2e7386b72cab7a74269a0865937f1b00188aa14b6

memory/2244-131-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2244-130-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/2244-129-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/2244-128-0x000000013FAB0000-0x000000013FE04000-memory.dmp

C:\Windows\system\CpFBDrT.exe

MD5 64608890dcd212091a87599b2f0612b4
SHA1 642cba6fdd06687bf7b84652d1d79a4e1e6a2442
SHA256 b0713465db08a043a2fc63565826669db6692aab975c0e29a5185ae16112322b
SHA512 9bdeddb8d2b5d212ce44eb56a90491fbba59fad54bddc0d8b4b8bf820f02cd20cd341a5b8d7dee63bec0cc37a66e5649ab2d3fa0a94759da8902674545d3a347

memory/2832-69-0x000000013F2E0000-0x000000013F634000-memory.dmp

C:\Windows\system\Diejsbs.exe

MD5 2543c4760bd9af7f70b7834411ab61af
SHA1 ed963cb76a076b222f6cdae99e8563d4444f6351
SHA256 c5992c95fef0e281d0ce0d741b02048e13663a833b3e0a3351e4871cc0042001
SHA512 37d8c491a184de94728c08add4a199f5cd8ae60d7cd02c39ad185a2859dd5e731e72c9b8cd0fd70525b0b413284ba12790037144a49d111203eb80cb9afcba56

memory/2244-60-0x00000000022C0000-0x0000000002614000-memory.dmp

memory/2760-59-0x000000013FAB0000-0x000000013FE04000-memory.dmp

C:\Windows\system\HuesdXT.exe

MD5 8003c8ca1c6255c4a9df50b61d369786
SHA1 ef521c59d5519424152618453d9a1ec413a267cf
SHA256 caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8
SHA512 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795

\Windows\system\axeFXdR.exe

MD5 a916afd25420d97a52be2f221c6e49bf
SHA1 a8249c4c427a78b140972f6f68ccf48896a49946
SHA256 49cdb5f88f50a9f9257bb8da5720fef63842f710f304d050dd5a6c8c790175a9
SHA512 f084d8d36d704b5514d3b4286190ad3e538f6d47e8b873a4709b28efa3a877ac23074ada682550cf833ac62c62c6a13419959faba64a0b817335d0fb1d6531cd

C:\Windows\system\RnMVTTn.exe

MD5 8086157261764dfbd7a3397cf9dc9022
SHA1 2198a9203bdd117d0d1452b678acf1bbb73bf3d2
SHA256 a69b11dddc952f49bae29b47d3304949686e2cff2e8a200ef69d0ac628a7ef0e
SHA512 18c482e8c43feacbb63ddca8e0158f2fcaf37e3ab8aa02487914adfe1a7e761eb36c5b9eaf79671f642c73568c8db1292066ceda67a77978ac4e46761ae38268

memory/2244-36-0x00000000022C0000-0x0000000002614000-memory.dmp

memory/1708-30-0x000000013F330000-0x000000013F684000-memory.dmp

\Windows\system\ApmiJWE.exe

MD5 230aaddc382e26cc96d357c3ba4ce2cc
SHA1 417be44275b8175fd4896fac8d3d0b7a82dc9bc7
SHA256 8ed4745c8d63c760e2830952dee05bbe81225ac8a1df73d34be525314860b658
SHA512 d40ab4ed2822698ee969070688599a4f32c5cdecfe249440791a8e5102b62d0beb3d8769f0b678470f1d335abd24008ff7df37b42c9741242c75d58b896c94a7

C:\Windows\system\FxzYHdM.exe

MD5 9e21c93f4d64f0aa066841c9ed4defbd
SHA1 740ba9b813566c2fde9f22baf9e735a043a058e9
SHA256 3bc04c2873689a46a2172390b93f540782ac76e54b195598ad842dd72ab046d4
SHA512 15d976bca7ba2dec01ed492248d0ba3354cdb563c8071b8e358b5bfcb01909557b4f53b6c8e02a5c31b084dca1a9b8ec3347eff72225123cc5ce788c3bf249ab

C:\Windows\system\otDKcUl.exe

MD5 d087d60bee972482ba414dde57d94064
SHA1 0e58102d75409e85387c950e86f4cc96da371515
SHA256 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9
SHA512 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b

\Windows\system\jdnHLBQ.exe

MD5 2c4fa504db3a8cc77d63b0df49ad1149
SHA1 b95039a9f77c5bb7c4cf958380418a348cf0f047
SHA256 de16c80a6b45b8be31ff559d4d96fc2b6ee58ca6641821e78652125fe251e0a5
SHA512 b9d9ca8bb261ef4fa0d6c386eb6940a2801cfc58dafdf84a9bb14b99d07516ad81188eeb5fc689d0d38c73bf0b7804c9eae5b875b651602ae458f24c32a3167e

memory/2244-1-0x00000000002F0000-0x0000000000300000-memory.dmp

memory/2244-132-0x000000013F220000-0x000000013F574000-memory.dmp

memory/2244-133-0x000000013F640000-0x000000013F994000-memory.dmp

memory/1708-134-0x000000013F330000-0x000000013F684000-memory.dmp

memory/2832-139-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/3032-140-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/2696-141-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2544-143-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2676-142-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2548-146-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2304-147-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/2956-145-0x000000013F330000-0x000000013F684000-memory.dmp

memory/2516-144-0x000000013F4B0000-0x000000013F804000-memory.dmp

memory/2760-138-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2624-137-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2384-136-0x000000013F0F0000-0x000000013F444000-memory.dmp

memory/2092-135-0x000000013F660000-0x000000013F9B4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 23:32

Reported

2024-06-06 23:38

Platform

win10v2004-20240426-en

Max time kernel

133s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\glOOoXL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NxGtxgj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nvFRvgZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AcRnJGB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zYpwijO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kBHiDrx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EGghzQM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mqrmRfb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hYFhyOn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bCZOjlY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XislXjy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ULAxRpQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BbAJrYa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rXCWSfl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EiHJTpn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rUknhfi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pqkZpCt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xVNUCxs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ozgXAdu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DaVIMkR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ssuSveo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5068 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\pqkZpCt.exe
PID 5068 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\pqkZpCt.exe
PID 5068 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\glOOoXL.exe
PID 5068 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\glOOoXL.exe
PID 5068 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\xVNUCxs.exe
PID 5068 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\xVNUCxs.exe
PID 5068 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\NxGtxgj.exe
PID 5068 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\NxGtxgj.exe
PID 5068 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ozgXAdu.exe
PID 5068 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ozgXAdu.exe
PID 5068 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\XislXjy.exe
PID 5068 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\XislXjy.exe
PID 5068 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\kBHiDrx.exe
PID 5068 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\kBHiDrx.exe
PID 5068 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ULAxRpQ.exe
PID 5068 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ULAxRpQ.exe
PID 5068 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\EGghzQM.exe
PID 5068 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\EGghzQM.exe
PID 5068 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\nvFRvgZ.exe
PID 5068 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\nvFRvgZ.exe
PID 5068 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\BbAJrYa.exe
PID 5068 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\BbAJrYa.exe
PID 5068 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\DaVIMkR.exe
PID 5068 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\DaVIMkR.exe
PID 5068 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\rXCWSfl.exe
PID 5068 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\rXCWSfl.exe
PID 5068 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\AcRnJGB.exe
PID 5068 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\AcRnJGB.exe
PID 5068 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\mqrmRfb.exe
PID 5068 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\mqrmRfb.exe
PID 5068 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ssuSveo.exe
PID 5068 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ssuSveo.exe
PID 5068 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\hYFhyOn.exe
PID 5068 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\hYFhyOn.exe
PID 5068 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiHJTpn.exe
PID 5068 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\EiHJTpn.exe
PID 5068 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bCZOjlY.exe
PID 5068 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bCZOjlY.exe
PID 5068 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\zYpwijO.exe
PID 5068 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\zYpwijO.exe
PID 5068 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\rUknhfi.exe
PID 5068 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe C:\Windows\System\rUknhfi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\pqkZpCt.exe

C:\Windows\System\pqkZpCt.exe

C:\Windows\System\glOOoXL.exe

C:\Windows\System\glOOoXL.exe

C:\Windows\System\xVNUCxs.exe

C:\Windows\System\xVNUCxs.exe

C:\Windows\System\NxGtxgj.exe

C:\Windows\System\NxGtxgj.exe

C:\Windows\System\ozgXAdu.exe

C:\Windows\System\ozgXAdu.exe

C:\Windows\System\XislXjy.exe

C:\Windows\System\XislXjy.exe

C:\Windows\System\kBHiDrx.exe

C:\Windows\System\kBHiDrx.exe

C:\Windows\System\ULAxRpQ.exe

C:\Windows\System\ULAxRpQ.exe

C:\Windows\System\EGghzQM.exe

C:\Windows\System\EGghzQM.exe

C:\Windows\System\nvFRvgZ.exe

C:\Windows\System\nvFRvgZ.exe

C:\Windows\System\BbAJrYa.exe

C:\Windows\System\BbAJrYa.exe

C:\Windows\System\DaVIMkR.exe

C:\Windows\System\DaVIMkR.exe

C:\Windows\System\rXCWSfl.exe

C:\Windows\System\rXCWSfl.exe

C:\Windows\System\AcRnJGB.exe

C:\Windows\System\AcRnJGB.exe

C:\Windows\System\mqrmRfb.exe

C:\Windows\System\mqrmRfb.exe

C:\Windows\System\ssuSveo.exe

C:\Windows\System\ssuSveo.exe

C:\Windows\System\hYFhyOn.exe

C:\Windows\System\hYFhyOn.exe

C:\Windows\System\EiHJTpn.exe

C:\Windows\System\EiHJTpn.exe

C:\Windows\System\bCZOjlY.exe

C:\Windows\System\bCZOjlY.exe

C:\Windows\System\zYpwijO.exe

C:\Windows\System\zYpwijO.exe

C:\Windows\System\rUknhfi.exe

C:\Windows\System\rUknhfi.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/5068-0-0x00007FF7668E0000-0x00007FF766C34000-memory.dmp

C:\Windows\System\pqkZpCt.exe

MD5 f2c1e8b326b04f066100adb28a99bd76
SHA1 acf98c45deb3d9f9e6a933d83b28a34890c081e9
SHA256 d84dd4bab41ee73fddffd8b0a98054503cfcfcbb66d7459668fc46b567fac6c5
SHA512 d3550f6ecd502e3f17eb4a9556727135fea6c99c052c6700977102309fbaefeef9f00935230341ac9bc0e1d0318670e9e42590893dfa0b7bd022bbf9f7870185

C:\Windows\System\glOOoXL.exe

MD5 3cfad51315f9230512e0a59bf68e7370
SHA1 9de79a1fd9a390e77899e920c495b404146228f2
SHA256 f3aecf8b98ed1da7db0c0395bd2c57a57091a2b8069a9df43bb22ef40430a8dc
SHA512 1f5a1cbf2ef543e8899be469201c3ae0151e83f2e1dc37f1d4611ddcb4a05f1d4b4252b030f0e84b574684cfaa59c3d4a4d2545b6de7e5e06bb42d0f4fc03cf7

C:\Windows\System\xVNUCxs.exe

MD5 9dfa4ac4a6af75db29a3d0e67d7f0e1d
SHA1 6e2556c27f66f64c79d4c10d263193d91aa77306
SHA256 7ae1d7986363758de4082747333c18d5316fd49c711356caf1d43e986c4328c0
SHA512 45f7e8a7bfd2e3847c0cd1796e7c06dc1bd735ab963b730ff732ebe83a4280da86056f1c07562e52b9cb04e5d25549b7c73ed41b2c9a77f4db49ad5ddbe8caea

C:\Windows\System\NxGtxgj.exe

MD5 984a8cf637fc9f46a5be1646493a183b
SHA1 eff3045fcb5d0b4a9321004fdd3e94f3f336f5af
SHA256 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068
SHA512 f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

memory/2436-30-0x00007FF76A790000-0x00007FF76AAE4000-memory.dmp

C:\Windows\System\ozgXAdu.exe

MD5 38e1b7b0b9aa649f5c14f03127a6d132
SHA1 3917ca36707cd2c4dba6b6926d34a14a7bb117b1
SHA256 ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72
SHA512 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0

memory/1728-44-0x00007FF611C10000-0x00007FF611F64000-memory.dmp

C:\Windows\System\kBHiDrx.exe

MD5 1e2459942327eb396bd8cd9cbc885d14
SHA1 b979cbcb517509c30843efb1d91bef30f1f24a44
SHA256 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a
SHA512 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7

C:\Windows\System\kBHiDrx.exe

MD5 f6cdfb3d88537b367792cbd894bd98ed
SHA1 3d3f99c94c72c456dffcf949bc5d30603a7e936c
SHA256 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86
SHA512 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

memory/2640-38-0x00007FF6951A0000-0x00007FF6954F4000-memory.dmp

memory/4204-48-0x00007FF7615C0000-0x00007FF761914000-memory.dmp

memory/3564-56-0x00007FF61AD00000-0x00007FF61B054000-memory.dmp

C:\Windows\System\EGghzQM.exe

MD5 cf2e29731c287373bd170f01b05d997b
SHA1 b0d51c9dab7c4d32fe742266590ffa0660fb6815
SHA256 80e0256dae0cf484f07f90d5305e2f1407ad2b476a9be673e66f73bb342551c3
SHA512 b74c0805c94ff3a8cdfd4016117a9497c2d4a3e6c081f36e725b0000d79686c0b6b896241969f44efc8dd3b20d2e8f58686965269857e1e070c9597ab9c84d5f

memory/896-63-0x00007FF7A11C0000-0x00007FF7A1514000-memory.dmp

C:\Windows\System\BbAJrYa.exe

MD5 0628374c349921c969043e8b725a574d
SHA1 d4d4b61d7abb11c25e423140f9a833a035819e3d
SHA256 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0
SHA512 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1

memory/3560-70-0x00007FF720250000-0x00007FF7205A4000-memory.dmp

C:\Windows\System\rXCWSfl.exe

MD5 711965c0ed770375b388ea9b5ea57c70
SHA1 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2
SHA256 c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666
SHA512 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428

C:\Windows\System\AcRnJGB.exe

MD5 c665d55523745ebd550a2c4296ad8ec9
SHA1 43f72a8e93454ded742dbec7a7c84f59cb0d6520
SHA256 4ce197747d9fbeeec8496c26db012627d7ce7e6aa1a732a7c731d6ef8431204b
SHA512 57b316ce017c765c9f224c8ed85aafffadf3e3509d0b9d8b28c09b7a506bf84dd5216ab3d5048ad1f637628cef7585aca82701224766df2dd48aff33618c1454

C:\Windows\System\rXCWSfl.exe

MD5 5d0b5e7ecff3937b97e65e37059d5f63
SHA1 1ca91f93f364b2a6d5c2b538c2c35daaac59cb0d
SHA256 96346869d9dc55e98d2f0f2f123ad998380676a3b1955b700b1bd911cfb8890a
SHA512 e93c97ccbb6bdfbb5269773813deace70d3cb873a66561e1426d2a19d5b74aa780c0eb3dab1998e3334ad5433078f0b59144615a35cb08007f5874131c57b6f4

memory/2784-81-0x00007FF602DF0000-0x00007FF603144000-memory.dmp

memory/4084-92-0x00007FF7CE7D0000-0x00007FF7CEB24000-memory.dmp

memory/4248-102-0x00007FF75BB20000-0x00007FF75BE74000-memory.dmp

C:\Windows\System\bCZOjlY.exe

MD5 7eb810ab3e29af35f749d0bb7818773d
SHA1 78b08e870d58674b2898ed4c7269de47428e5499
SHA256 09c1ff0f09e3bac84b3a3eb487ddf091b25f7f3ae622ca9aaec95483f8d9b0ec
SHA512 97ece0dc5266cb1ff5f5dd92ed13f4bc91e6f629dbda292642c3f95038c9b65db7afcc1d82c25f227f742cecc79a988c8a6dd15b1b26c3e1fa4290d48c3ab88b

C:\Windows\System\EiHJTpn.exe

MD5 8003c8ca1c6255c4a9df50b61d369786
SHA1 ef521c59d5519424152618453d9a1ec413a267cf
SHA256 caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8
SHA512 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795

memory/2984-110-0x00007FF64E660000-0x00007FF64E9B4000-memory.dmp

memory/4204-109-0x00007FF7615C0000-0x00007FF761914000-memory.dmp

memory/4612-119-0x00007FF6BF020000-0x00007FF6BF374000-memory.dmp

memory/3560-118-0x00007FF720250000-0x00007FF7205A4000-memory.dmp

memory/3660-103-0x00007FF746290000-0x00007FF7465E4000-memory.dmp

memory/4832-98-0x00007FF607DA0000-0x00007FF6080F4000-memory.dmp

C:\Windows\System\ssuSveo.exe

MD5 93bacfc3d845f374627b012c3a61a1e5
SHA1 f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae
SHA256 4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d
SHA512 63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83

C:\Windows\System\ssuSveo.exe

MD5 992e15ebc2245cf970acce9948576d6c
SHA1 3322f50d4aebf915abc8a5277cd07a23adf5f127
SHA256 34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5
SHA512 2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7

C:\Windows\System\mqrmRfb.exe

MD5 536ccffc9fb54ccaa170d80cb4661ca1
SHA1 20db858b752256e3ce00036fe9344fc329d2019e
SHA256 ef008b0990da31f5ab9fbc017836ae2b30216bbb76cea57f1ebc3bce95918af5
SHA512 87bfc1293db20aa77928cb0876bbced62cc17751634101b46bd18be9043ef234da425b36026c33f4dec7325f64f661557cae7bf5ded005fe818c37915925b6f8

C:\Windows\System\zYpwijO.exe

MD5 48ee306c3e30f678cbb2d54b3d468754
SHA1 e089368be338f8a28f56c70a0cc3f139cf1f76e9
SHA256 f1a35a28dbcce99eb23bd8124438d47bbdf5d5e60fe656fdcf989560f7bf1915
SHA512 0ccb8d9875f8c1b65b5fec19ef1e9510b56f8673d5085fbbcea25f25af6d7bb5f5ef246f47e177585a6e673ceee8a36fd5b1164606e0ce905c9d5495f597dfc2

memory/3044-75-0x00007FF76A5E0000-0x00007FF76A934000-memory.dmp

C:\Windows\System\DaVIMkR.exe

MD5 12290e241ed2e6c4adafa5d04e2f138d
SHA1 97fda7e552fddea3ac07f6c05616044e41cce11e
SHA256 a6a2cb6fb3598d051d13929a0f67262c880cfb448e462285e50b61837564dadf
SHA512 4917ade55c5d1ed859c36affd21355ed1aa8e004308b86bd08a5536f0c0e157b2db3b43ba4d95da2c702629298e5b033347259d7bf9f6c3f5abe43d69897f898

memory/5068-62-0x00007FF7668E0000-0x00007FF766C34000-memory.dmp

memory/3928-129-0x00007FF740050000-0x00007FF7403A4000-memory.dmp

memory/3668-130-0x00007FF7D5B10000-0x00007FF7D5E64000-memory.dmp

memory/3044-131-0x00007FF76A5E0000-0x00007FF76A934000-memory.dmp

C:\Windows\System\ULAxRpQ.exe

MD5 37bd5f6d8c71e78ab1a2fdc153f02621
SHA1 e612e0add7764075283debcf42d5da6a3f59d1b1
SHA256 2bd229bc79a89662e2287ea71c114ba09f5f8944fa55ec9f2d31c2a2faf46f2f
SHA512 d183a86f11cac716ab99718059a08ff884a463fd18cb02f03356432701068b372819a7c9f9dc9df20afe7c38d890f2a4804d1288147e1e81abf4d27ad7b12b81

memory/4356-32-0x00007FF63D6C0000-0x00007FF63DA14000-memory.dmp

C:\Windows\System\ozgXAdu.exe

MD5 7ca4c7d08ec840a69d3101c638d4b72f
SHA1 9a0bd3c709f755b63121fadc936f446aec1e7ee6
SHA256 ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7
SHA512 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b

C:\Windows\System\NxGtxgj.exe

MD5 1bb6a05e5a7fad15fc3b308444e8ddc1
SHA1 1ae446555655fd5ee36098eaadd5e894b9b17276
SHA256 a5f360f7ef5657cf163fd4f28b35637c2987df8f9e01eea288e6c788d6fe3439
SHA512 64e49d8155be65f328fc33b38ba2e28beb3dd6399da40cb5ca2a11db08a05781e3dc79130eca0a5e9224a5e1cd3cab2e6b4516453b5e5dfe393425b0f9c7c3d3

memory/2372-20-0x00007FF759240000-0x00007FF759594000-memory.dmp

memory/4760-14-0x00007FF7AB6F0000-0x00007FF7ABA44000-memory.dmp

memory/2808-8-0x00007FF6C0080000-0x00007FF6C03D4000-memory.dmp

C:\Windows\System\pqkZpCt.exe

MD5 e8c4508a392ccf08590d3627a36cc3c3
SHA1 3a57dd6c92ebc54582acaafd15cc9311eb0d15a2
SHA256 cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d
SHA512 f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410

memory/5068-1-0x0000019ACD280000-0x0000019ACD290000-memory.dmp

memory/2784-132-0x00007FF602DF0000-0x00007FF603144000-memory.dmp

memory/3660-133-0x00007FF746290000-0x00007FF7465E4000-memory.dmp

memory/2984-134-0x00007FF64E660000-0x00007FF64E9B4000-memory.dmp

memory/2808-135-0x00007FF6C0080000-0x00007FF6C03D4000-memory.dmp

memory/4760-136-0x00007FF7AB6F0000-0x00007FF7ABA44000-memory.dmp

memory/2372-137-0x00007FF759240000-0x00007FF759594000-memory.dmp

memory/2436-138-0x00007FF76A790000-0x00007FF76AAE4000-memory.dmp

memory/4356-139-0x00007FF63D6C0000-0x00007FF63DA14000-memory.dmp

memory/2640-140-0x00007FF6951A0000-0x00007FF6954F4000-memory.dmp

memory/1728-141-0x00007FF611C10000-0x00007FF611F64000-memory.dmp

memory/4204-142-0x00007FF7615C0000-0x00007FF761914000-memory.dmp

memory/3564-143-0x00007FF61AD00000-0x00007FF61B054000-memory.dmp

memory/896-144-0x00007FF7A11C0000-0x00007FF7A1514000-memory.dmp

memory/3560-145-0x00007FF720250000-0x00007FF7205A4000-memory.dmp

memory/3044-146-0x00007FF76A5E0000-0x00007FF76A934000-memory.dmp

memory/4084-148-0x00007FF7CE7D0000-0x00007FF7CEB24000-memory.dmp

memory/2784-147-0x00007FF602DF0000-0x00007FF603144000-memory.dmp

memory/4832-149-0x00007FF607DA0000-0x00007FF6080F4000-memory.dmp

memory/4248-150-0x00007FF75BB20000-0x00007FF75BE74000-memory.dmp

memory/3660-151-0x00007FF746290000-0x00007FF7465E4000-memory.dmp

memory/2984-152-0x00007FF64E660000-0x00007FF64E9B4000-memory.dmp

memory/4612-153-0x00007FF6BF020000-0x00007FF6BF374000-memory.dmp

memory/3928-154-0x00007FF740050000-0x00007FF7403A4000-memory.dmp

memory/3668-155-0x00007FF7D5B10000-0x00007FF7D5E64000-memory.dmp