Malware Analysis Report

2024-10-24 18:16

Sample ID 240606-wsmh8ahf8s
Target 2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike
SHA256 66b140dff70a948ff0b19a98f4203027ab6f7dd438bd58d4ae496c3052eef466
Tags cobaltstrike xmrig 0 backdoor miner trojan upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 66b140dff70a948ff0b19a98f4203027ab6f7dd438bd58d4ae496c3052eef466

Threat Level: Known bad

The file 2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

UPX dump on OEP (original entry point)

Cobaltstrike family

xmrig

XMRig Miner payload

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike

Detects Reflective DLL injection artifacts

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-06 18:11

Signatures

Cobalt Strike reflective loader

No description, indicator, process or target recorded (N/A).

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

No description, indicator, process or target recorded (N/A).

UPX dump on OEP (original entry point)

No description, indicator, process or target recorded (N/A).

XMRig Miner payload

miner

No description, indicator, process or target recorded (N/A).

Xmrig family

xmrig

UPX packed file

upx

No description, indicator, process or target recorded (N/A).

Unsigned PE

No description, indicator, process or target recorded (N/A).

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-06 18:11
Reported 2024-06-06 18:13
Platform win7-20240221-en
Max time kernel 129s
Max time network 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches; no description, indicator, process or target recorded for any of them (N/A).

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches; no description, indicator, process or target recorded for any of them (N/A).

UPX dump on OEP (original entry point)

Description Indicator Process Target
54 matches; no description, indicator, process or target recorded for any of them (N/A).

XMRig Miner payload

miner
Description Indicator Process Target
59 matches; no description, indicator, process or target recorded for any of them (N/A).

Loads dropped DLL

Description Indicator Process Target
21 matches. Process in every row: C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe; description, indicator and target not recorded (N/A).

UPX packed file

upx
Description Indicator Process Target
54 matches; no description, indicator, process or target recorded for any of them (N/A).

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wjVNZPg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uuyyZLN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uWUCTFz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zRrOWmZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\unAxgmQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tLibuNc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MNUtlmi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AhVUJXU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LuqgSpy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\twHMAbG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zMcOtHs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IKXAikR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZBnpwUI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\thSTxtV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QjDbiWw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oWRHBPn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XUKTBsM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dyyzQHb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ohIeUcm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gfslCyH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oakhJCr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege (recorded 2 times) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Each row below was recorded 3 times. The writing process in every row is C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe (PID 1284); the indicator column is N/A throughout.
PID 1284 wrote to memory of 2516 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\unAxgmQ.exe
PID 1284 wrote to memory of 2552 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\twHMAbG.exe
PID 1284 wrote to memory of 2688 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\tLibuNc.exe
PID 1284 wrote to memory of 2528 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\MNUtlmi.exe
PID 1284 wrote to memory of 2584 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\zMcOtHs.exe
PID 1284 wrote to memory of 2452 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\IKXAikR.exe
PID 1284 wrote to memory of 2560 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\QjDbiWw.exe
PID 1284 wrote to memory of 2696 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\wjVNZPg.exe
PID 1284 wrote to memory of 2456 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\oWRHBPn.exe
PID 1284 wrote to memory of 2928 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\AhVUJXU.exe
PID 1284 wrote to memory of 1336 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\LuqgSpy.exe
PID 1284 wrote to memory of 580 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\uuyyZLN.exe
PID 1284 wrote to memory of 636 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\XUKTBsM.exe
PID 1284 wrote to memory of 628 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZBnpwUI.exe
PID 1284 wrote to memory of 2768 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\dyyzQHb.exe
PID 1284 wrote to memory of 2816 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\ohIeUcm.exe
PID 1284 wrote to memory of 2820 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\uWUCTFz.exe
PID 1284 wrote to memory of 2940 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\zRrOWmZ.exe
PID 1284 wrote to memory of 956 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\gfslCyH.exe
PID 1284 wrote to memory of 1688 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\thSTxtV.exe
PID 1284 wrote to memory of 1980 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\oakhJCr.exe

Processes

Each process is listed as its image path, followed on the indented line by the command line it was recorded with.

C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\unAxgmQ.exe
    C:\Windows\System\unAxgmQ.exe
C:\Windows\System\twHMAbG.exe
    C:\Windows\System\twHMAbG.exe
C:\Windows\System\tLibuNc.exe
    C:\Windows\System\tLibuNc.exe
C:\Windows\System\MNUtlmi.exe
    C:\Windows\System\MNUtlmi.exe
C:\Windows\System\zMcOtHs.exe
    C:\Windows\System\zMcOtHs.exe
C:\Windows\System\IKXAikR.exe
    C:\Windows\System\IKXAikR.exe
C:\Windows\System\QjDbiWw.exe
    C:\Windows\System\QjDbiWw.exe
C:\Windows\System\wjVNZPg.exe
    C:\Windows\System\wjVNZPg.exe
C:\Windows\System\oWRHBPn.exe
    C:\Windows\System\oWRHBPn.exe
C:\Windows\System\AhVUJXU.exe
    C:\Windows\System\AhVUJXU.exe
C:\Windows\System\LuqgSpy.exe
    C:\Windows\System\LuqgSpy.exe
C:\Windows\System\uuyyZLN.exe
    C:\Windows\System\uuyyZLN.exe
C:\Windows\System\XUKTBsM.exe
    C:\Windows\System\XUKTBsM.exe
C:\Windows\System\ZBnpwUI.exe
    C:\Windows\System\ZBnpwUI.exe
C:\Windows\System\dyyzQHb.exe
    C:\Windows\System\dyyzQHb.exe
C:\Windows\System\ohIeUcm.exe
    C:\Windows\System\ohIeUcm.exe
C:\Windows\System\uWUCTFz.exe
    C:\Windows\System\uWUCTFz.exe
C:\Windows\System\zRrOWmZ.exe
    C:\Windows\System\zRrOWmZ.exe
C:\Windows\System\gfslCyH.exe
    C:\Windows\System\gfslCyH.exe
C:\Windows\System\thSTxtV.exe
    C:\Windows\System\thSTxtV.exe
C:\Windows\System\oakhJCr.exe
    C:\Windows\System\oakhJCr.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (recorded 5 times; no domain logged)

Files

memory/1284-0-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/1284-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\unAxgmQ.exe

MD5 d395fffd015945c47627ac0397d54a3c
SHA1 2599579159f4f31266e100993b8e3bf5a492b87a
SHA256 2aaa945e7ad782b78917fec7a33ba0c22619bd3497cc2edf26d30ab1ec783d89
SHA512 0e4ff7632e7c7acfda649762771c5547ce7c5ead21d75e7d618c1a845b1a6095fbc43a91043b950b8f2bd0149e1bb2d150038cb9d61307a318de2d7e66318d76

memory/2516-8-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/2552-18-0x000000013F0D0000-0x000000013F424000-memory.dmp

C:\Windows\system\twHMAbG.exe

MD5 7d71821d6c6a73b1944ac22677e86868
SHA1 15bad1070c1b4f510cc867ed6c8e233f16fd6aa0
SHA256 4faf2f7c29eca0f27518bb8d5b42249bdde32a71018149370519cac4266a27da
SHA512 1cf4395d0f49d85123646b45786a7fb2e134314e0b10939dc2991aba507107e7aee3a20907e4ea3bdcf377badcf44d712f496f43a7c9e3719edf80f4d116044b

\Windows\system\tLibuNc.exe

MD5 a8cd32f506afb6ab2d23579b20212fa0
SHA1 d7c3106b02bbb7e648926c245935e403a3846433
SHA256 777fbcca4222169f4600cc4a48deb175cb6a34b57453ef862588ee7c249a4e59
SHA512 da6ffe133d2a441af285e8ebed4530863d8d6936ab3e6f9f858c33b5339286d25b66321eda82a7c454c7440cff2fd30e18d1ebd9a9a2a8b80914ae95976a8fa9

memory/2528-28-0x000000013FEF0000-0x0000000140244000-memory.dmp

C:\Windows\system\zMcOtHs.exe

MD5 b27a7a2c77eb8a422f252a22e5afa95c
SHA1 6a8c3903d30eb44d42ed2659d18f1ed2af68ab15
SHA256 70ba9aa4f0b74b8e12eb2d6162ed61280d97c19c10cd8c5eed1e88e96f2f81fd
SHA512 61090444432a7b5e3f88a1102ee6449ddcc1912813ec780ecba794d593da86c1dc1b53ef5f79a22124c2c4798a9afbb0a3564f34a322dcf264efea43df29093f

C:\Windows\system\MNUtlmi.exe

MD5 20c10423bdef58d4cf057ecb4c52b025
SHA1 1ad7dd4e5f96d3a65421da5887a4cbb3a76fe946
SHA256 b3d47ad83e35f38d2ff60664e674168e1a95772b605f346faff0b4556999b426
SHA512 dda409a4f11c3f65f528e0d21120c55dfe844c4c4847466056b7d3031120212a91cf5a7e8abe80d23eaf9578056d16177401b8f9376d685a7a4e8d9c694f47a6

memory/1284-26-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2688-25-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/1284-24-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/1284-13-0x000000013F0D0000-0x000000013F424000-memory.dmp

C:\Windows\system\oWRHBPn.exe

MD5 a6617e6ea626ee868f10eafdaf180574
SHA1 3fc754665fefdf7c41dcd5862ae5e71f45af0772
SHA256 30aa3f3a074660ef2df7b49cfdf90ba12432ab68667881fdfa7b262505f884b9
SHA512 fd0160e0c322360e211c38f850c234e10400ec2e113d4dc8a0a57ab7fa897899919440e27efbb3787b221d786cdfca8c979eac7abbf30d2aa7b749b8871e83f6

\Windows\system\IKXAikR.exe

MD5 ac8e155ba35a1b190ce5afbfaaeea79a
SHA1 04447efb24f748ddb176525f4287fc57627c18b3
SHA256 94823ef483510b4cbeecc3d33197b6ee85b667c74ad15fe6327aa1fe0157d336
SHA512 44dcd765460cc511441a166387555bd42b1988d2a7e8105bbaa667d0ff9268be6c9491899444de5718d774b1689a1cf0945bd613b6e90b4e15a0170317d78641

\Windows\system\AhVUJXU.exe

MD5 31907902a6a8d1ef89dceeef332a6cac
SHA1 fb685b6495b7c3ffb175eb3eb332a2f79a18af90
SHA256 66c2ad00a3701b9fdbfb88b5118dab37f2101415afa5e9a5efb1bb601d4b51ca
SHA512 4d9b7938519e6581c5933312c32de8e37c35a352cd2322999ff1ecfb2dc65a33b2cbe11152da5908c22c04d6ed309f3fe738158f347c5c3ff62185ac0004b7fc

\Windows\system\uuyyZLN.exe

MD5 f3f4aa1de186c78b39163ada8b410a3d
SHA1 deb1e90a112242b382f503b8972a7cba4e78307e
SHA256 86dbc9070d76b6a4e646f9868b1fdb0f1b4e904189c8ea1b140465896efaa9eb
SHA512 bff636e29481e583d5a772e104e6070d8e16420a9d0f28d20606f9dfd9bafb1cd9de7734adb1afe8d2cd932bfd8a099e23224d8f8fa397078e59a6bbebaa12da

memory/2768-114-0x000000013FD90000-0x00000001400E4000-memory.dmp

C:\Windows\system\gfslCyH.exe

MD5 1c9c874b06e64c12ac8c5322b1ee5ecf
SHA1 7f61ada66d373c953e86323e1a330ac5ca4df618
SHA256 681cb8853249a59830a6628ed467337be0230679829c16a3319962734f9bcd4c
SHA512 c861994ee6f578a406557ddcee25f726ce2e89cd4049dba4b68d6a92a03638eb92a3358d3d715c3dbfbb344965342ed3f1402eff76434b641f2a74c59a708beb

\Windows\system\thSTxtV.exe

MD5 388e8b40cc72c94403965550662fc5a1
SHA1 e99b0dc8434bafaeb3eed0e271870d9e3f9be7ad
SHA256 de8d45cb1a6bdaa0a8b0a762545521ea16b295e39ee2bc6cdc030fd05bc301ce
SHA512 8ce73449bae8ff5d40468eb2f7c1ddbe111415843b6961aa95dab31c36b41c313246d4ec0dda23f1dda74475985dd6abb7dc6b0fea905581cef524b678c4e8d3

C:\Windows\system\uWUCTFz.exe

MD5 55c3ea18e81b2badd872f78faf62d685
SHA1 383c21976638b9d16adb2d59fcda16b9d32437f7
SHA256 ab99fc486a62b6baaab9c0d82fdd9faadd90f372cc243da6c57eb366abb2f4b9
SHA512 6176036adfa8031d2fc602ae420d0cc28bbc2f14e45b013712c75120b9ae2133059576114eeaa02c6b5e180394530d39a39e585b39cb533ad7d8411a6e124f7c

\Windows\system\zRrOWmZ.exe

MD5 9ff61c62be195be0c7792f210fb892da
SHA1 6c40e4e5929d3b45551757f2c5cd20376e8c35c2
SHA256 2b2b090e5e03c4c13ce88a4f9372911530f930d4135aee53b064c0cab61b7572
SHA512 a3abec03f7d5c43d5af41f373ed7e2f6259b1822746e0b52d61f4ce2208606b71709e7cf206508540964974748994ce54d549cc0f6fe371b3f6615bfe302a94a

memory/1284-99-0x0000000002360000-0x00000000026B4000-memory.dmp

\Windows\system\ohIeUcm.exe

MD5 98ca18b715f8be868333b97ded6de3c3
SHA1 536ae771615219c2413f4e60513fb48df21c01d9
SHA256 1b01ba360ef69179522dbbd07611065cf13c8b45e841c8ba6b2888e52c11df12
SHA512 3b8d36f9ed368b23b80ff284b51da4cabf55ce95c34001db0f7eb555ba81c969bc1d3b45ea71e7f39808db4f068e8daf7ea80a9606da9ec812b0a2f8e990756b

memory/2552-135-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/1284-90-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/1284-89-0x000000013FAE0000-0x000000013FE34000-memory.dmp

\Windows\system\ZBnpwUI.exe

MD5 c7122385f564e62e4ab63b95781263d6
SHA1 2b9280431b28befa09b989e01c3e54170f632c7a
SHA256 60693c91410a78bd94c23e554199a4996ab2550d4c5c92e25065c385fcadc386
SHA512 0ec537e8d52bc62add8650eaa5939678c763d4a4c537ff7a471e6dc35da16f37ada640672715f6af489d3503bb614200ea207f32cad9946438da9087b7ac9a35

memory/1284-136-0x000000013F0D0000-0x000000013F424000-memory.dmp

\Windows\system\wjVNZPg.exe

MD5 a07dad34e2f955735717ec03d33d1e89
SHA1 8f3c9547ba3e0094d29e77d57f7e282247897dab
SHA256 5272c4e836d75efefcab1b0905be40ff6c5ada79ebe13d8d8d3ccc04545c7347
SHA512 807fa1ca4072a66a406d4add9dfd6e27e0ada40ddef0c516ac58c6541533559e3ffcb20184db5bfdbb08c62b4291971ee0df9413e0c902c784b9cd35d4bd1e0b

memory/2516-119-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/1284-118-0x0000000002360000-0x00000000026B4000-memory.dmp

C:\Windows\system\oakhJCr.exe

MD5 e9c078181afee71bd348ac33c28dd54d
SHA1 41e11e3d8dcabd01407eff13056abfd8ea040ea0
SHA256 d383ed5b04bb55d4c6a902c2b28ed167ffbec9554eb67b0d2c7c86d5068ec8be
SHA512 73e0fc7485f0374d798e7cda943e59761f01784945c25d140ad9a33e99bbbebbf8ee2dd5846bfc43152cb26dcb312a74652411ed738032befc9e28f4373e56c5

memory/636-95-0x000000013FB20000-0x000000013FE74000-memory.dmp

C:\Windows\system\dyyzQHb.exe

MD5 a234e9a932930c5b261e943a13185868
SHA1 ed53a655d64ebfdbdb3dbc9681bd6e0a8a161dc2
SHA256 aeffa67db1eadd293d0b2de54877aced7cdda419bbc7c8cb767fbd1347903260
SHA512 091c8a78f02a8a488e894bcfc4a8ce911c208d35413b3bcdc3b774a95c359e2096c3023c7897afe92bb1c5e1c498f03ead680ab3952db582e628421933894536

memory/2928-85-0x000000013FB20000-0x000000013FE74000-memory.dmp

C:\Windows\system\XUKTBsM.exe

MD5 94fa0a84a61a5e64fa6909f729888bbe
SHA1 337fcf64d1f8e1d00ae388482f3bd1b60d77c06f
SHA256 6128e3a3f99b29dc6b751b330fec85089705efb7bad8b9344ff8e3044aeba392
SHA512 649ec69ad31a58616a43b705df050f93da3e658f529cee84aa02ab96e4e9948845e78adff8ecefa43bcf60e365ee32554947e13c48ead20bf1464c391517d22d

memory/1336-83-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2696-80-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/1284-39-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/2584-38-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/1284-37-0x0000000002360000-0x00000000026B4000-memory.dmp

C:\Windows\system\LuqgSpy.exe

MD5 7c9b3a14b56eb83ca0b9007e865f1127
SHA1 5fdf055e8f0657b336238f9b0b73df39d36d5654
SHA256 1c3b288ab82ec8c5b2b2cbf23bfa1e8e1f84fdf8f08519efe90528a649af587a
SHA512 b1878be6fa0595dc59e5ed4ff89714a3b8ee0ea99294ddabf0cb7ae37ff35d573e4c4c1af1939bb2dc24af0db4f0beb06103cdce3492741792b74678a73dc246

memory/1284-67-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/1284-66-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2456-65-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/1284-64-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/2452-63-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/1284-62-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/2560-61-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2528-137-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/1284-60-0x000000013FD50000-0x00000001400A4000-memory.dmp

C:\Windows\system\QjDbiWw.exe

MD5 dc0a9a5a861146552f70970044d717ce
SHA1 2212a8fbe31caed61dff9237df1df588b63a318e
SHA256 3306fb16e6a8ae0aec3d7953505d497832f0e816f4c04752458e4fdbe44545e3
SHA512 b20a6759bdc1cd8b0ef70b2fbf08bbace999642487dd89b0d57f53808fb0528eda878fb070741180c32f4b759087b300c4a511dba566e94ec11f66571fc5ede0

memory/636-138-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2768-139-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/1284-140-0x0000000002360000-0x00000000026B4000-memory.dmp

memory/2516-141-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/2552-142-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2688-143-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/2528-144-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2584-145-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2452-146-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2456-148-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/2560-147-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/1336-150-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2928-151-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2696-149-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/636-153-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2768-152-0x000000013FD90000-0x00000001400E4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 18:11

Reported

2024-06-06 18:13

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\AcKGpPA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vlLeGJd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sFNRaAM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oVAOXXn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FGyJiat.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RrzzWuI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AjomDaS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eGiGaHS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BxVmiKl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pCqZFUN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AdWBefJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FtNhmVt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kpbHcJn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rnaEuin.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BSjksng.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MDGjlbv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EMvtxlJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AUViPwP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DbtlhSA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pZiOBxh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uULiZUF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4432 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\kpbHcJn.exe
PID 4432 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\kpbHcJn.exe
PID 4432 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\rnaEuin.exe
PID 4432 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\rnaEuin.exe
PID 4432 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\AjomDaS.exe
PID 4432 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\AjomDaS.exe
PID 4432 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGiGaHS.exe
PID 4432 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGiGaHS.exe
PID 4432 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\DbtlhSA.exe
PID 4432 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\DbtlhSA.exe
PID 4432 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\BSjksng.exe
PID 4432 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\BSjksng.exe
PID 4432 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\vlLeGJd.exe
PID 4432 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\vlLeGJd.exe
PID 4432 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\sFNRaAM.exe
PID 4432 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\sFNRaAM.exe
PID 4432 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\pZiOBxh.exe
PID 4432 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\pZiOBxh.exe
PID 4432 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\BxVmiKl.exe
PID 4432 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\BxVmiKl.exe
PID 4432 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\pCqZFUN.exe
PID 4432 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\pCqZFUN.exe
PID 4432 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\uULiZUF.exe
PID 4432 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\uULiZUF.exe
PID 4432 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\MDGjlbv.exe
PID 4432 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\MDGjlbv.exe
PID 4432 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\AdWBefJ.exe
PID 4432 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\AdWBefJ.exe
PID 4432 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\oVAOXXn.exe
PID 4432 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\oVAOXXn.exe
PID 4432 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\FGyJiat.exe
PID 4432 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\FGyJiat.exe
PID 4432 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\EMvtxlJ.exe
PID 4432 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\EMvtxlJ.exe
PID 4432 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\AcKGpPA.exe
PID 4432 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\AcKGpPA.exe
PID 4432 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\RrzzWuI.exe
PID 4432 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\RrzzWuI.exe
PID 4432 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\AUViPwP.exe
PID 4432 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\AUViPwP.exe
PID 4432 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\FtNhmVt.exe
PID 4432 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe C:\Windows\System\FtNhmVt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\kpbHcJn.exe

C:\Windows\System\kpbHcJn.exe

C:\Windows\System\rnaEuin.exe

C:\Windows\System\rnaEuin.exe

C:\Windows\System\AjomDaS.exe

C:\Windows\System\AjomDaS.exe

C:\Windows\System\eGiGaHS.exe

C:\Windows\System\eGiGaHS.exe

C:\Windows\System\DbtlhSA.exe

C:\Windows\System\DbtlhSA.exe

C:\Windows\System\BSjksng.exe

C:\Windows\System\BSjksng.exe

C:\Windows\System\vlLeGJd.exe

C:\Windows\System\vlLeGJd.exe

C:\Windows\System\sFNRaAM.exe

C:\Windows\System\sFNRaAM.exe

C:\Windows\System\pZiOBxh.exe

C:\Windows\System\pZiOBxh.exe

C:\Windows\System\BxVmiKl.exe

C:\Windows\System\BxVmiKl.exe

C:\Windows\System\pCqZFUN.exe

C:\Windows\System\pCqZFUN.exe

C:\Windows\System\uULiZUF.exe

C:\Windows\System\uULiZUF.exe

C:\Windows\System\MDGjlbv.exe

C:\Windows\System\MDGjlbv.exe

C:\Windows\System\AdWBefJ.exe

C:\Windows\System\AdWBefJ.exe

C:\Windows\System\oVAOXXn.exe

C:\Windows\System\oVAOXXn.exe

C:\Windows\System\FGyJiat.exe

C:\Windows\System\FGyJiat.exe

C:\Windows\System\EMvtxlJ.exe

C:\Windows\System\EMvtxlJ.exe

C:\Windows\System\AcKGpPA.exe

C:\Windows\System\AcKGpPA.exe

C:\Windows\System\RrzzWuI.exe

C:\Windows\System\RrzzWuI.exe

C:\Windows\System\AUViPwP.exe

C:\Windows\System\AUViPwP.exe

C:\Windows\System\FtNhmVt.exe

C:\Windows\System\FtNhmVt.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 114.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 131.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 153.141.79.40.in-addr.arpa udp

Files

memory/4432-0-0x00007FF6C6C80000-0x00007FF6C6FD4000-memory.dmp

memory/4432-1-0x0000023120320000-0x0000023120330000-memory.dmp

C:\Windows\System\kpbHcJn.exe

MD5 7ca45ec490a76c358752f0956b6fd367
SHA1 cdc5e495967bfa700a80e7375f5e3bf444226212
SHA256 2cfe0e8d60d25afda78ca87540085e9622c2c9f93ba7a7c89e212a9ec08ea0e5
SHA512 8cdc363de0fede693e68bb8d930ba2372596718707eb5ffb91ff391803f00b94b5a6810f4b8a7be187dfc70299700b087dfb43c40ce7debd3605d08a02e4df8d

memory/336-7-0x00007FF75E500000-0x00007FF75E854000-memory.dmp

C:\Windows\System\rnaEuin.exe

MD5 6628f6aa1de870ee9e8ad4d28f8bced0
SHA1 ca4c073df3c6e4202277bb58b03adfd57aaf8300
SHA256 fcc6c4b0ed028d1dd638347b2508a93113ef108887f2e84438804ce368531193
SHA512 8a134a0e1d812209033075d561f95bb6a7801b09fea1bc57160346f0630207b296d1d6c476bd11a43b775762a2e909f67f8c7a0c0eb0d9c78bbe15aa3c86181b

memory/4480-12-0x00007FF6A26A0000-0x00007FF6A29F4000-memory.dmp

C:\Windows\System\AjomDaS.exe

MD5 c89e14cac475c51a4525dafdb1039fbe
SHA1 c548c51341df456252c27bf58eed9feb10b3e68e
SHA256 921a4e180c5af32e69bf00fd8d626c295fc4ba894b30a1c83319bc72802db912
SHA512 0e1a1277d7f85cf1e236a2ecbf5d5cfd9217ed93b8d02efec2532ed7270a59acb82607a9a4543ec8aa6c96267a698d4344b40970afce914cafcf2d89d506ec29

memory/3916-29-0x00007FF690910000-0x00007FF690C64000-memory.dmp

memory/4656-34-0x00007FF6E6C30000-0x00007FF6E6F84000-memory.dmp

C:\Windows\System\BSjksng.exe

MD5 51f588afbcac235e83f01d011c730175
SHA1 69c596e9b916ad7fca72c04fdd88c538f892ec8b
SHA256 2ccbe866ba596ca867509e08a6bb2131f568f6a50d647cf5512b3da21f8226d8
SHA512 41c6e1f82633e9a8159024dd6fd08636697ae218af2112b951c66275be8da35ecfc0688871195a56f717e2cc89bff8b7d7d430e089b3b01eb782f0c7afb9fae7

C:\Windows\System\vlLeGJd.exe

MD5 dfb907d299da94e5ce4722c22ee999c7
SHA1 c73399ab2f00c3b54fa8f64897e2dccb0a7938e7
SHA256 634b90a2b9327af64c1860578a00dc21c8d460c0b556d15a89e621312d5bb05a
SHA512 abb520b2a2160b35db093a0860fc61f87a08bd2587be09744f18eda6e457ae74f254a02555455674eb6341ffffb1fffc9eea4547064aba9744bf66efe9e9091f

C:\Windows\System\sFNRaAM.exe

MD5 d40eacb322280a0622fbcb606bd9a80a
SHA1 33e89f604521acb77d9dcf2ca368893fc112ebbb
SHA256 aa5130e74bf6121f283faaffd43327ed2381cf007f703e0d07a0bdd01c38d38c
SHA512 8b95591769a41c6d7c183a6630d8ad102f071aac4bc8eaec32e622ba55f1c69eef46582f39db41f381e3d1e905ed5b83a2a3a3c6d60c76dfce0dd632484fbcd0

C:\Windows\System\BxVmiKl.exe

MD5 7d7f07035175516870b4c8bbdfbfe0a8
SHA1 8083d82c31e38d1aaf618af3edd0a5f2afc6bb59
SHA256 bf8bf190c7052d95df7282faa8030f282a9bb9a8787d4be0d455681218f4431c
SHA512 4fab3d566595216c4afcdbe8bf22395b7610b16fe4c310124603959fb313b2317849eecef8ed2f8dea6b1a17c093239c536a691f183aea1f26c42046ac8eee6c

C:\Windows\System\MDGjlbv.exe

MD5 1479bd001aadd7672febe55dd8d1409b
SHA1 fa4a364db516dbcb1e3b589938ffb921ea6faa85
SHA256 181e783a352ff2828c7dfe0c275726030064c8a64e54000035fb57977e3c1601
SHA512 e657e3a75f8afbb5964638cfe266a0ba7f5c41b276115b1717e942e4d07e4133e9eb2cecd0b1a5ca182f93738d5383dae1af2526a813d2af809eb0c98125024b

C:\Windows\System\AdWBefJ.exe

MD5 12a07f66a03a77f6fb58d63f00e21e48
SHA1 04774c1539b1348c8150a591b6a1a6f863289e1b
SHA256 1b4cc24c8f15eac8bc3d46164ede69c130a9c948f252b86a513c82b9a780c7af
SHA512 57319df51d8f2ca0225ff01db43ed883b82e4ecbb03ca0a20dfdc2a1cb4f65a4c244decc7c8ab83f1a0e18b1bcfc9b3613c1271a33e8c3fe0abfe92703e5c045

C:\Windows\System\oVAOXXn.exe

MD5 cce4d17c324b6e3ee9741a7914fd7bea
SHA1 e294bd65e9fdd28a985d92e2bc6891424f38b6bd
SHA256 6c294bfacc95b6856a75f18d7eacf17e09f541ad6920910f2cd4075ab54276c9
SHA512 3c3eac632e7ea2a53c735d24ffbea4c449c85704c6d76f8da36428699fe2db5a31ac6572b11bb43433cad327c42d7f6318b29db685c4875db95dc5862bc6c66d

C:\Windows\System\AUViPwP.exe

MD5 2865a26deb01597fa1e8475fee06d7a0
SHA1 fb9fb5af0a38bba96519601b7cb81fe1d2438257
SHA256 c345215f34e6ac35e5bc67ca3e62a058e4a527f1760cc4338c9ad37f56a6d33f
SHA512 2884044c9311178c3b211877a3f2f81d2782d385dacceea2c7ee54a7b09c87e424f384330f8c1f18e0000138821e36511a801dbb364463b1bf5b19718b1a2609

C:\Windows\System\FtNhmVt.exe

MD5 30275ea3d48110bad72e1a29cbd3015d
SHA1 d7136a7753e8a23f8e603a539ec638295059877e
SHA256 ccec41b45584ee904056f67fc8bd7492b94d3db644e8eb36f6d30ceb684fb5a0
SHA512 0bbb2bb82263a2fba4c5aec3dfaaa46c474cc79a156f3c740e2c685f61ab5ea6fd2203a62605155fd7fbf76597fb10240d97cef21d580bc6b83d9cbd17970f42

C:\Windows\System\RrzzWuI.exe

MD5 c0fc9c5436fe1ecdf310b8dcb87c71c9
SHA1 f85c5cdd9888a01c78f6b3c3f7f8f3044ccb88c7
SHA256 e3e888cad3fa78e572051a3d25b385259c64a6fa9b7253dcfdc0cc4977ad34cb
SHA512 72489dcca044720bd0d90bcd26cdb485f5afeea84adb984ab84cb26b428c82451dcfe58cc0d4d23ad5fc7ce880ab6a11fa160ace89fb587ff5a8dc836f58a609

C:\Windows\System\AcKGpPA.exe

MD5 287845873f0123d375a8b6e2d8070f18
SHA1 69a246d4fb99c3bd383c8c9eadb425031690f660
SHA256 b98db241186e3e2288c2d065c25b21266194a48caef9305bcfeb00854d354ed0
SHA512 67064395d3827100e370d99ed3b2f0bea888ab6d25ffd8d39317455a594d5791efef5749a586c0705270251763ee41e0acc147ecba1edde28431c2e96c688da5

C:\Windows\System\EMvtxlJ.exe

MD5 91beec4ca5c65766144ac3a211923382
SHA1 ec3a3eeed57d17ae4ef0ac8978e3692c42007167
SHA256 2c79492356a0fd51b04fc9dd304d849243797b7b6773d2066811f659212ac99c
SHA512 3c5e7278107d0b11dbe4068b7b46cfbb3082a1d47fc2857f691e8bbcef3bbe818bf267d4e71a2899a26648b827eea19e9671f85fc932f783e1555d4c147bfc4b

C:\Windows\System\FGyJiat.exe

MD5 7c852ff83df3e75ab0fc3c2874c260f0
SHA1 56fb98d5453767987fede589c389aa4fae009bd6
SHA256 8c2966bb0d5e92d4fa451d6f6e692e7cedd0bbfe5b5117203bbb103cc8115238
SHA512 bfcb99acf626d45988f67eafe37ba5b945f93914e8b81218aa03239700e790e81f056f9eef72dc17edea5864990d06cb0b3fe7f522cec36dbcdff9e4e3f14b7d

C:\Windows\System\uULiZUF.exe

MD5 3bd74f9b610ddb0ebe2680e728dcd34f
SHA1 545a8e067a866072b4abb50f1edea5931f2a61d3
SHA256 d2862500664bc614b64ea06d2209fd899f404474f9629e008e45bcd5e42e9f9f
SHA512 97637efbee0722f117203b6e4253d7035ac91f253ea43b508442ff7fe84d361203e3b416579d9a32f3885102f91b53bd81f9ee1ff52b1cc1069760e6227143f2

C:\Windows\System\pCqZFUN.exe

MD5 bed6bd34a85dfaefc6a3cc4c13dbe20e
SHA1 41d8c3282109b7f03e3c83289ef7cf4a03e695f4
SHA256 bd4619e52c8a4f9780edaab844c1fa077d80a1db692158333fe51cc5a55311e0
SHA512 3b0c1e9f83de1457829af207efc57e71cf68dd925506b3e22e5ce8bc5895480f8eb11adf168d46a02a25f37b84775c89062dbf875b77a10a7f7e0c49c8f4b836

C:\Windows\System\pZiOBxh.exe

MD5 8cfbe95fd8992ae64e9c25d86a341996
SHA1 4c3ce017d0b16da126c668b3bb2bc5e010028ab5
SHA256 037f5abe8bfc0e254132782b0d3236fa62883b4ca67cd25dbddf51cffa5fa09f
SHA512 71ee9c751c2715e9691a72eb7dfcbbd9e4eab2ca055f221fe45ba2e356aa6ac9c4b3ff0db959447514eb77face58c05ed06e79e74b2f9bde5699e248095eb18c

C:\Windows\System\DbtlhSA.exe

MD5 a83e72e451bd9d4b45cd93aff92e56a6
SHA1 9b59f29d09f1c76846c060d04216bef5c4426aa9
SHA256 031cc44aa4d9ca61d37f34e66a5cd6790c86ef3da82c0d8f98802da816b72d1b
SHA512 946f1e12334968aea63e85de5902eb0421b17fc956c4b2f7d9804d757bc7d9966500f8104715b28486023e7aabd5484c313e2d6999d9024281ae8985169d576b

C:\Windows\System\eGiGaHS.exe

MD5 ab89976b5efabf959d7f2df10f69e930
SHA1 be0704c77b8f7ffa6cb695a53328ab8a4a42c374
SHA256 2c5ac81e4b78056de8eb26becd439b4794f6863977fa21de3b0ebc428886daaa
SHA512 4d1bda787468bf6108ad493cd300a5295cd5dc7f0f5e11a04a418cdbac34a153573f0c31d3dda962bdb905733bf60fd22b74bfdc7008a0382c42cb4db1be4bf1

memory/3564-20-0x00007FF72B9D0000-0x00007FF72BD24000-memory.dmp

memory/4012-112-0x00007FF6F1E30000-0x00007FF6F2184000-memory.dmp

memory/4356-113-0x00007FF6067E0000-0x00007FF606B34000-memory.dmp

memory/4700-114-0x00007FF690A60000-0x00007FF690DB4000-memory.dmp

memory/940-115-0x00007FF611F10000-0x00007FF612264000-memory.dmp

memory/1952-116-0x00007FF708FD0000-0x00007FF709324000-memory.dmp

memory/2268-119-0x00007FF62DC50000-0x00007FF62DFA4000-memory.dmp

memory/4088-118-0x00007FF6B4440000-0x00007FF6B4794000-memory.dmp

memory/1568-121-0x00007FF7AF9F0000-0x00007FF7AFD44000-memory.dmp

memory/3048-120-0x00007FF6B6BF0000-0x00007FF6B6F44000-memory.dmp

memory/4380-117-0x00007FF7B1CD0000-0x00007FF7B2024000-memory.dmp

memory/4872-123-0x00007FF78B650000-0x00007FF78B9A4000-memory.dmp

memory/3116-125-0x00007FF64E3A0000-0x00007FF64E6F4000-memory.dmp

memory/548-127-0x00007FF7BFB10000-0x00007FF7BFE64000-memory.dmp

memory/2468-126-0x00007FF7AE130000-0x00007FF7AE484000-memory.dmp

memory/4420-124-0x00007FF6168C0000-0x00007FF616C14000-memory.dmp

memory/4976-122-0x00007FF755960000-0x00007FF755CB4000-memory.dmp

memory/4432-128-0x00007FF6C6C80000-0x00007FF6C6FD4000-memory.dmp

memory/336-129-0x00007FF75E500000-0x00007FF75E854000-memory.dmp

memory/4480-130-0x00007FF6A26A0000-0x00007FF6A29F4000-memory.dmp

memory/3564-131-0x00007FF72B9D0000-0x00007FF72BD24000-memory.dmp

memory/4656-132-0x00007FF6E6C30000-0x00007FF6E6F84000-memory.dmp

memory/336-133-0x00007FF75E500000-0x00007FF75E854000-memory.dmp

memory/4480-134-0x00007FF6A26A0000-0x00007FF6A29F4000-memory.dmp

memory/3564-135-0x00007FF72B9D0000-0x00007FF72BD24000-memory.dmp

memory/3916-136-0x00007FF690910000-0x00007FF690C64000-memory.dmp

memory/4656-137-0x00007FF6E6C30000-0x00007FF6E6F84000-memory.dmp

memory/4012-138-0x00007FF6F1E30000-0x00007FF6F2184000-memory.dmp

memory/548-139-0x00007FF7BFB10000-0x00007FF7BFE64000-memory.dmp

memory/4700-141-0x00007FF690A60000-0x00007FF690DB4000-memory.dmp

memory/940-140-0x00007FF611F10000-0x00007FF612264000-memory.dmp

memory/4356-142-0x00007FF6067E0000-0x00007FF606B34000-memory.dmp

memory/2468-144-0x00007FF7AE130000-0x00007FF7AE484000-memory.dmp

memory/2268-151-0x00007FF62DC50000-0x00007FF62DFA4000-memory.dmp

memory/4380-153-0x00007FF7B1CD0000-0x00007FF7B2024000-memory.dmp

memory/4088-152-0x00007FF6B4440000-0x00007FF6B4794000-memory.dmp

memory/3048-150-0x00007FF6B6BF0000-0x00007FF6B6F44000-memory.dmp

memory/1568-149-0x00007FF7AF9F0000-0x00007FF7AFD44000-memory.dmp

memory/4976-148-0x00007FF755960000-0x00007FF755CB4000-memory.dmp

memory/4872-147-0x00007FF78B650000-0x00007FF78B9A4000-memory.dmp

memory/4420-146-0x00007FF6168C0000-0x00007FF616C14000-memory.dmp

memory/3116-145-0x00007FF64E3A0000-0x00007FF64E6F4000-memory.dmp

memory/1952-143-0x00007FF708FD0000-0x00007FF709324000-memory.dmp