Malware Analysis Report

2024-10-16 03:08

Sample ID 240608-hjlzfahh6t
Target 2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike
SHA256 90719454e16bd774106b9c5123f793ce64d797664a77f3643a68d8440694bc92
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

90719454e16bd774106b9c5123f793ce64d797664a77f3643a68d8440694bc92

Threat Level: Known bad

The file 2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

xmrig

Cobaltstrike family

Xmrig family

XMRig Miner payload

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

Cobaltstrike

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 06:46

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
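To reproduce the "UPX packed file" verdict on a copy of the sample without the sandbox, the following added example (written for this page; it is not the sandbox's detector and contains nothing from the sample) parses a PE section table with the Python standard library and reports the three usual UPX signals: section names UPX0/UPX1, a section whose bytes sit near 8 bits of entropy per byte, and the "UPX!" magic the packer writes into the file. It runs here against a constructed minimal PE32+ that imitates the UPX layout, because the reported file is not on this page; point `upx_indicators` at the real file's bytes and compare the returned SHA256 with the one in the report header before trusting the result. Section names are the strong signal, a repacked or renamed stub still leaves the entropy and marker signals, and none of them replace the "UPX dump on OEP" artifact, which is the unpacked image the sandbox took once execution reached the original entry point and is the thing to analyze.

```python
"""Offline check for the 'UPX packed file' verdict: parse a PE section table
with the standard library only, flag UPX section names, high-entropy sections
and the 'UPX!' marker. Added example; not the sandbox's detector."""
import hashlib
import math
import struct
from typing import Dict, List, Tuple

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes) -> List[Tuple[str, int, int]]:
    """Return (name, PointerToRawData, SizeOfRawData) for every section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt                 # IMAGE_SECTION_HEADER array, 40 bytes each
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, raw_ptr, raw_size))
    return sections


def upx_indicators(pe: bytes) -> Dict[str, object]:
    """Collect the three signals a UPX-packed file usually shows."""
    sections = pe_sections(pe)
    entropy = {name: shannon_entropy(pe[ptr:ptr + size]) for name, ptr, size in sections}
    upx_names = sorted(n for n in entropy if n in UPX_SECTION_NAMES)
    high = sorted(n for n, e in entropy.items() if e >= HIGH_ENTROPY)
    marker = b"UPX!" in pe
    return {
        "sha256": hashlib.sha256(pe).hexdigest(),
        "sections": sections,
        "entropy": entropy,
        "upx_section_names": upx_names,
        "high_entropy_sections": high,
        "has_upx_marker": marker,
        # Section names alone are strong evidence; a renamed stub still leaves
        # the marker plus a high-entropy compressed section.
        "likely_upx": bool(upx_names) or (marker and bool(high)),
    }


def _section(name: bytes, vsize: int, vaddr: int, raw_ptr: int, raw_size: int) -> bytes:
    """Pack one 40-byte IMAGE_SECTION_HEADER (characteristics: code|exec|read|write)."""
    return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0xE0000020)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ with a UPX-style layout (not the reported sample)."""
    e_lfanew, size_opt, raw_base = 0x80, 0xF0, 0x400
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=x64, 3 sections, SizeOfOptionalHeader, Characteristics=EXECUTABLE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, size_opt, 0x0022)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    upx1 = bytes(range(256)) * 16               # stand-in for the compressed blob: entropy 8.0
    rsrc = b"\0" * 0x200
    # UPX0 is the empty destination for the unpacked image; UPX1 holds the packed data
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + _section(b"UPX0", 0x50000, 0x1000, 0, 0)
               + _section(b"UPX1", 0x1000, 0x51000, raw_base, len(upx1))
               + _section(b".rsrc", 0x200, 0x52000, raw_base + len(upx1), len(rsrc)))
    gap = raw_base - len(headers)
    pad = b"UPX!" + b"\0" * (gap - 4)           # packer info block in the header slack
    return headers + pad + upx1 + rsrc


if __name__ == "__main__":
    for key, value in upx_indicators(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run it against a real file with `upx_indicators(open(path, "rb").read())`; a file that reports `likely_upx` with the section names present can be unpacked with `upx -d` for static work, but a stub that has been tampered with to defeat `upx -d` is common, and the OEP dump from the sandbox is then the faster route.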

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 06:46

Reported

2024-06-08 06:48

Platform

win7-20240419-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches; description, indicator, process and target are not recorded in this export.)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 matches; description, indicator, process and target are not recorded in this export.)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(57 matches; description, indicator, process and target are not recorded in this export.)

XMRig Miner payload

miner
Description Indicator Process Target
(61 matches; description, indicator, process and target are not recorded in this export.)

Loads dropped DLL

Description Indicator Process Target
(21 matches, every one attributed to process C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe; description, indicator and target are not recorded in this export.)

UPX packed file

upx
Description Indicator Process Target
(57 matches; description, indicator, process and target are not recorded in this export.)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VyQwpEh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hVaiXNV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zvRMxGf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UZutXqL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HQSQeVN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UJVKmhU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FyUxcJx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YkRGWPx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kZraFFR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CwcmIpt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UMWprqO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yHapLFY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tcSfWQy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dLRHRsI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RgidQMo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RKXDwKl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vMEyILd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AKOLgGM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NAFcCye.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TJxlbBu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wHzISEj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(Process is C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe, PID 2444, in every row. The export lists each target three times; those 63 rows are collapsed here to one row per child, 21 children in all.)
PID 2444 wrote to memory of 2392 (3 writes) N/A PID 2444 C:\Windows\System\CwcmIpt.exe
PID 2444 wrote to memory of 2836 (3 writes) N/A PID 2444 C:\Windows\System\TJxlbBu.exe
PID 2444 wrote to memory of 2784 (3 writes) N/A PID 2444 C:\Windows\System\UMWprqO.exe
PID 2444 wrote to memory of 2672 (3 writes) N/A PID 2444 C:\Windows\System\AKOLgGM.exe
PID 2444 wrote to memory of 2148 (3 writes) N/A PID 2444 C:\Windows\System\UJVKmhU.exe
PID 2444 wrote to memory of 2644 (3 writes) N/A PID 2444 C:\Windows\System\NAFcCye.exe
PID 2444 wrote to memory of 2740 (3 writes) N/A PID 2444 C:\Windows\System\yHapLFY.exe
PID 2444 wrote to memory of 2820 (3 writes) N/A PID 2444 C:\Windows\System\tcSfWQy.exe
PID 2444 wrote to memory of 2572 (3 writes) N/A PID 2444 C:\Windows\System\YkRGWPx.exe
PID 2444 wrote to memory of 2348 (3 writes) N/A PID 2444 C:\Windows\System\wHzISEj.exe
PID 2444 wrote to memory of 1636 (3 writes) N/A PID 2444 C:\Windows\System\FyUxcJx.exe
PID 2444 wrote to memory of 2944 (3 writes) N/A PID 2444 C:\Windows\System\VyQwpEh.exe
PID 2444 wrote to memory of 2064 (3 writes) N/A PID 2444 C:\Windows\System\kZraFFR.exe
PID 2444 wrote to memory of 1996 (3 writes) N/A PID 2444 C:\Windows\System\hVaiXNV.exe
PID 2444 wrote to memory of 2848 (3 writes) N/A PID 2444 C:\Windows\System\dLRHRsI.exe
PID 2444 wrote to memory of 808 (3 writes) N/A PID 2444 C:\Windows\System\RgidQMo.exe
PID 2444 wrote to memory of 2584 (3 writes) N/A PID 2444 C:\Windows\System\zvRMxGf.exe
PID 2444 wrote to memory of 2628 (3 writes) N/A PID 2444 C:\Windows\System\RKXDwKl.exe
PID 2444 wrote to memory of 2492 (3 writes) N/A PID 2444 C:\Windows\System\vMEyILd.exe
PID 2444 wrote to memory of 2956 (3 writes) N/A PID 2444 C:\Windows\System\UZutXqL.exe
PID 2444 wrote to memory of 1944 (3 writes) N/A PID 2444 C:\Windows\System\HQSQeVN.exe
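The three tables above describe one behaviour: PID 2444 drops 21 executables with random seven-letter names into C:\Windows\System (the legacy directory, not System32, which modern Windows keeps essentially empty), starts each one, and writes into each new process. Three identical WriteProcessMemory rows per child is a pattern that ordinary process creation can also produce, so on their own those rows confirm the parent-child link rather than proving injection; the matching region sizes in the Files section are the better evidence. SeLockMemoryPrivilege is the privilege needed to allocate large pages, and XMRig enables it for RandomX performance, which is why a miner report shows that token adjustment. The added example below (written for this page, not a rule from the sandbox or any vendor) turns the drop-execute-write sequence into detection logic over a constructed Sysmon-style event stream; the PIDs and paths for 2444 are copied from the tables, while the setup.exe and svchost.exe lines are invented benign noise the rule must not flag.

```python
"""Detect one process dropping several random-named executables under
C:\\Windows\\System, starting them and writing into the children.
Added example with constructed Sysmon-style events; not sandbox tooling."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Legacy 16-bit directory; a user-mode process writing executables here is
# already unusual, which is why the directory check carries the rule. The
# seven-letter name pattern alone is weak (svchost.exe is seven letters too).
SUSPICIOUS_DIR = "c:\\windows\\system\\"
RANDOM_NAME = re.compile(r"^[a-z]{7}\.exe$", re.I)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe"

# Constructed event stream: seq|event|pid|image|target_pid|target
# Rows for PID 2444 mirror the report; PIDs 1200/900 are invented benign noise.
SAMPLE_EVENTS = r"""
1|FileCreate|2444|{D}||C:\Windows\System\CwcmIpt.exe
2|FileCreate|2444|{D}||C:\Windows\System\TJxlbBu.exe
3|FileCreate|2444|{D}||C:\Windows\System\UMWprqO.exe
4|FileCreate|2444|{D}||C:\Windows\System\AKOLgGM.exe
5|ProcessCreate|2444|{D}|2392|C:\Windows\System\CwcmIpt.exe
6|WriteProcessMemory|2444|{D}|2392|C:\Windows\System\CwcmIpt.exe
7|ProcessCreate|2444|{D}|2836|C:\Windows\System\TJxlbBu.exe
8|WriteProcessMemory|2444|{D}|2836|C:\Windows\System\TJxlbBu.exe
9|ProcessCreate|2444|{D}|2784|C:\Windows\System\UMWprqO.exe
10|WriteProcessMemory|2444|{D}|2784|C:\Windows\System\UMWprqO.exe
11|FileCreate|1200|C:\Users\Admin\Downloads\setup.exe||C:\Program Files\Example\example.exe
12|ProcessCreate|1200|C:\Users\Admin\Downloads\setup.exe|1300|C:\Program Files\Example\example.exe
13|FileCreate|900|C:\Windows\System32\svchost.exe||C:\Windows\System32\Tasks\Update.job
""".replace("{D}", DROPPER)


@dataclass
class Event:
    seq: int
    event: str
    pid: int
    image: str
    target_pid: Optional[int]
    target: str


def parse_events(text: str) -> List[Event]:
    """Parse the pipe-separated constructed format above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, ev, pid, image, tpid, target = line.split("|", 5)
        events.append(Event(int(seq), ev, int(pid), image, int(tpid) if tpid else None, target))
    return events


def find_droppers(events: Iterable[Event], min_drops: int = 3) -> List[Dict[str, object]]:
    """Flag a parent that drops >= min_drops random-named EXEs into C:\\Windows\\System,
    and raise severity when it also runs them and writes into the children."""
    image: Dict[int, str] = {}
    dropped: Dict[int, Set[str]] = defaultdict(set)
    spawned: Dict[int, Set[str]] = defaultdict(set)
    written: Dict[int, Set[str]] = defaultdict(set)
    for ev in events:
        image[ev.pid] = ev.image
        t = ev.target.lower()
        if ev.event == "FileCreate":
            base = t.rsplit("\\", 1)[-1]
            if t.startswith(SUSPICIOUS_DIR) and RANDOM_NAME.match(base):
                dropped[ev.pid].add(t)
        elif ev.event == "ProcessCreate":
            spawned[ev.pid].add(t)
        elif ev.event == "WriteProcessMemory":
            written[ev.pid].add(t)
    findings = []
    for pid, paths in sorted(dropped.items()):
        if len(paths) < min_drops:
            continue
        executed = paths & spawned[pid]          # dropped files this parent started
        injected = executed & written[pid]       # children it then wrote into
        findings.append({
            "pid": pid, "image": image[pid],
            "dropped": len(paths), "executed": len(executed), "injected": len(injected),
            "severity": "high" if executed else "medium",
            "children": sorted(injected),
        })
    return findings


if __name__ == "__main__":
    for finding in find_droppers(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

In production the same three conditions map onto Sysmon event IDs 11 (FileCreate), 1 (ProcessCreate) and 10 (ProcessAccess with write rights) joined on the parent PID and a short time window; the directory condition is what keeps installers and svchost-hosted services out of the results.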

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe"

The 21 dropped executables below were each started with their own path as the complete command line (no arguments), so the command line is not repeated per entry:

C:\Windows\System\CwcmIpt.exe
C:\Windows\System\TJxlbBu.exe
C:\Windows\System\UMWprqO.exe
C:\Windows\System\AKOLgGM.exe
C:\Windows\System\UJVKmhU.exe
C:\Windows\System\NAFcCye.exe
C:\Windows\System\yHapLFY.exe
C:\Windows\System\tcSfWQy.exe
C:\Windows\System\YkRGWPx.exe
C:\Windows\System\wHzISEj.exe
C:\Windows\System\FyUxcJx.exe
C:\Windows\System\VyQwpEh.exe
C:\Windows\System\kZraFFR.exe
C:\Windows\System\hVaiXNV.exe
C:\Windows\System\dLRHRsI.exe
C:\Windows\System\RgidQMo.exe
C:\Windows\System\zvRMxGf.exe
C:\Windows\System\RKXDwKl.exe
C:\Windows\System\vMEyILd.exe
C:\Windows\System\UZutXqL.exe
C:\Windows\System\HQSQeVN.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
(6 connections, all to this one endpoint; the export records no domain and no protocol detail above TCP.)

Files

memory/2444-0-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/2444-1-0x00000000003F0000-0x0000000000400000-memory.dmp

\Windows\system\CwcmIpt.exe

MD5 cad6b3fb646ba62a9888d4e33cd8a3f3
SHA1 8498414160492204133fea5562fde10b9f9b90a2
SHA256 123d6845535a5d28462c6c9d2f85fb060b0dfe99d0f1431f0d72f58610b2e4ac
SHA512 41e7c16ee95a8df7e36a0855af587d85d775d634263f0cead13c3d3068499a2ed0a68b88fa19c60a3bf12205593557b1bee286a19aaab8a42c4b8a9feb032934

C:\Windows\system\TJxlbBu.exe

MD5 de65968e497d7a9fd24ffa71ed03e137
SHA1 f5cc41a8756563ab98def550d0586eab06f5c7da
SHA256 afb9c890bbd915c97998fdc9ce72521d078d6ae344a13605a9eec4636e271f16
SHA512 01570baa35ffa827881d7b857c14d0d130b75f03fc709b40ff26de38bd93f3071742235c9c167c4c803cdaf4ad95973e0fc950716e4691a9a9bd96094e255cd5

memory/2836-16-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/2444-7-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2392-14-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2444-12-0x0000000002390000-0x00000000026E4000-memory.dmp

C:\Windows\system\UMWprqO.exe

MD5 70c2afa05ca5b9dc26a215ba19923eee
SHA1 d4238bdf103e4016383e89ca1f71b0c9dd2d001a
SHA256 ca4fe17ced905fe683b3645809416d13fbbe6d4cd866bd846a71989b7f949196
SHA512 8143aaf6ca371577b26b5a1bf45acd96f1e9efc0d921aaf2ef43e9015f302ff5ba19de23e0cffde3783117d8d69b9d2d14681982950768febb0c313774a0201a

memory/2784-23-0x000000013F640000-0x000000013F994000-memory.dmp

C:\Windows\system\AKOLgGM.exe

MD5 e25f400f5c8743d32c094301de84ebba
SHA1 29a257794cb94c268ea55e5c630c06d2ded3ee8a
SHA256 5f0e3eb80e80b2c5b2b726e11a175c364fc4796cca2e36d3f7793c367f8cb17e
SHA512 17ea0e3932ffc16a3d1b4d69ddfbe80c775a052138fbd361f639bfec54c42285ce1ac82022da32ab821a13003b53fb45841feee4d06da8c4a60630f53c495cab

memory/2444-28-0x0000000002390000-0x00000000026E4000-memory.dmp

\Windows\system\NAFcCye.exe

MD5 8a7fc4882b468136e3fae0f9de517ffc
SHA1 4f915db7823a0a270516e1f46e6d559da1a39371
SHA256 5104ec62e1c5dae2eaac165427af09d9ae1951ba09f47159a8570284daab34b5
SHA512 6a43b937a271bdc1619aee56240ff6238d523e027bab0911b21328027472bb16a5200804a783f670cb3ed02696e67790d5a2fe4ec61b6399136c89781d319968

memory/2672-29-0x000000013F420000-0x000000013F774000-memory.dmp

\Windows\system\UJVKmhU.exe

MD5 5b700b36cacf763f2e5d681b524b3346
SHA1 ddfc521bc3a6802e859fb909cc9ec7f4bea4493c
SHA256 b2ac55d34cbf62fbdb694d31b840a9602fce342628b55d5692494cd68780a617
SHA512 84e0f6c95e7329434ea34bc9c89a3db78ebcb0afd5e670ece4e8606b850892b86072d3bca378d86df7b08399dc2b5f9a6c4a93a0aaecbdabb5930e8c20e2a1d5

memory/2148-42-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2444-41-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/2644-38-0x000000013F440000-0x000000013F794000-memory.dmp

memory/2444-37-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2444-22-0x0000000002390000-0x00000000026E4000-memory.dmp

\Windows\system\yHapLFY.exe

MD5 7fd120f22755dfbc7432e25af6bc9193
SHA1 7f0a7534931fb6fc1868018ec8e20ccf0f750907
SHA256 abb6fd71a77bcfb2c30b33ec4153e1d7555fab6787ec431f8cf8a4bf0311ce54
SHA512 e9b16400c475cf324f5714bf3594a0f56a097ceda1af050c39c2894770f6cf27b1d28ffbb140ba70e6d09155f76eadaed6963fe56131ba6b24f226538cc9566a

memory/2444-49-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/2740-51-0x000000013FF50000-0x00000001402A4000-memory.dmp

C:\Windows\system\tcSfWQy.exe

MD5 48df87400e67ea0869ada95536863dc9
SHA1 1b1d8c65b52b64ffda6dd4e7cd2434cbfd4f3f56
SHA256 b1a1a94409b0ba5463018fb030517ddce430fc46d875851f423b7b9b04a0c0ea
SHA512 4ca98ba6a4ca02c14af515a07e8b1a6450b4384dafdfb0853928a61bce44396d7c506bc0100d510643e11637126a25e6bd7836105ab6ed538ce064eda68d3fb1

memory/2444-57-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2820-58-0x000000013F7D0000-0x000000013FB24000-memory.dmp

\Windows\system\YkRGWPx.exe

MD5 c71eba00bf9e8a220e7697efbb36f17f
SHA1 3f38c422cddfcb3bdc756f0233265cd6256d5d50
SHA256 0048e1d269474697ca595f5c452e0bb30695de392d33cae7924950230a1f2b02
SHA512 972ac8df9410c2d14e8f4ff3df2810b5701a7b7ee8802f25a8e0d15dbe55346c0e5f1e21715b414c13d59c902f798f1cd6715ec5deb765e1e31ae7cf2ca40bca

memory/2836-64-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/2572-66-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2444-65-0x000000013FFC0000-0x0000000140314000-memory.dmp

C:\Windows\system\wHzISEj.exe

MD5 f6e480cf85d5c30ff957bfb8a6c76438
SHA1 6ec71ab31b8edf62043ce1aa8f2aaeb55698cd26
SHA256 9de210346f29923e6988dab18e70a23e02954bbaaa10f184555681f035bde792
SHA512 f2a025aebeac774ab1cfc14b2faf7f2170743a0fe83b1b0d27b734ef78ef08b8fc0372eb085288103737ed31ffdcf68496d33c07078c8ace4dac14de26aed37a

memory/2348-72-0x000000013FFB0000-0x0000000140304000-memory.dmp

\Windows\system\FyUxcJx.exe

MD5 126d6684a3893b94640117abd616f14c
SHA1 6ed8c18fcdb1f64c6a29d856bdcb7c18b7285de2
SHA256 25b8712dc0da2b67918691e36719023018dff0553a7f23765d65d3afe7cb6464
SHA512 0a6c96b79235247303bbea4489de8287c6438b790e82934cb9066a25451c2400109e55fe4195d2c9c5baf4b881189677e4292788cf78a9c2c28c3f4e3ae84519

memory/1636-80-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2444-79-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2672-78-0x000000013F420000-0x000000013F774000-memory.dmp

C:\Windows\system\VyQwpEh.exe

MD5 6578d837c32a3fc4b7fc07db23d37e84
SHA1 cfa332172d7fabf46f1dfd3a66b3ce9cbeb40194
SHA256 64557716fd2e43bad29f4ed79af003f2ef913e8229fd66cfa167339fd2e994e7
SHA512 0e68ab96f9d8dd77ef32d1496f97326121d1f18be6ad02cbe931ecac1e24071cd7b9a84bd37e235e77481144c86e74f94b04ff3237ae08d680235b05265a679c

memory/2944-87-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2444-86-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2064-96-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/2444-93-0x0000000002390000-0x00000000026E4000-memory.dmp

C:\Windows\system\kZraFFR.exe

MD5 a5e4c1ad4ecc3f452eb0eb0d155dd7bf
SHA1 2ea4e110b175e73f1ab110159a15b61154b7c739
SHA256 6b4a76f379af43c846cd94f34db7aaf36aef04ea109e3c3a6661f10ce729738d
SHA512 cb6e4697ab06b0d53bc96a88e9bc3a7920ffba772d9da8cc07174338ff00f2fba4dacebfd092dd272f85b9e79820409504970d6a4d8666f574ae73706517d602

C:\Windows\system\dLRHRsI.exe

MD5 fd7a03e6523a2e951ce8575d2aac18ec
SHA1 ccbb4480aca41d2c6146df350954581f15fca2fb
SHA256 7760d9a51091c61ed929bc9b8fd58154ee4671f0608e9b239fa1daff6aebcbdb
SHA512 4ff2e2429ee8f327fd56f422d1837af2a85f7412cfba67597b869b65f135c5c03d20967ebac659dc89fde7a866e6b51c0136e34043687fb2cc27482c802f1a14

C:\Windows\system\RKXDwKl.exe

MD5 190f4e83de090f7bee7cccc6eeaefd9b
SHA1 96cee095663b3864ee06c177752ddc96bb82917c
SHA256 17e0f0d232710a21ab145efcd5461d3264b89288d835119338ee5b2688313314
SHA512 8933bfc7437e1abb5277ffdd25007a523f3bb28c0bf44f9f324c6f4f0843a00724194eb6b417c5c036deee849fba1083b40a34108dd3fb2c5b1a39c3ea6c268f

C:\Windows\system\UZutXqL.exe

MD5 3cdd925862777e5bda32db4d11b2bc41
SHA1 9e8b4653ff2e8a5e60182ee1ca3d95def2de4587
SHA256 c78be3e1ace5e4a1c5f35913ed68cef79802bfbf4a7f389c4f1df8d85ed1eb90
SHA512 a5b0ce6fb4713eb45fd5b140c834c0b160c658dd9f802a22b6a49a99d7ff496a124a9280d0fdbf83d2ec1e0eb80c8d26c005b60b1c00d7c456128d20fbdd5f4a

\Windows\system\HQSQeVN.exe

MD5 90eb166149525ec46f64ac77ef4962ea
SHA1 cb2e55fb03cde225199a4e3167608130a2f05af0
SHA256 0d4c7f38c0d0148bc47231c7f6e07bd6fda808b5348122cdf903d65edef505e7
SHA512 c0b8968bee6dbdc9746bca88cda26114f9f816d8aaa7d338ef0e34fb4c8ca606289b3bfffb1a591e987b0e564aca66dc647951cbe7e051249911fe837b3e02cb

C:\Windows\system\vMEyILd.exe

MD5 ff020dacc36cea4eb974ab2dc63e468a
SHA1 8737ee5ca75da08b297baf930f97b5e462d4860b
SHA256 e62d1042ccc9e139b6fd6ffc2aa823957f86407d54db6877bdc888cedd3348a5
SHA512 8db266247af5f4dca41613e2e28606ab16e4196170855f0a95625bc07984825660206252564b8d2cb947eb89710bbcf52fa23ab45f594e002304c6b5e46887fb

C:\Windows\system\zvRMxGf.exe

MD5 825a4fb274c3c0916438e70c8ba2a4b1
SHA1 46280485338b50c5970caa01cdd51b31b737956d
SHA256 e0a09b242f39e8cc6bc35f77b80a238d3a2cc5c8192b9a6c3dddb00b6e81f192
SHA512 ec34a3825b7202eca789ba3c51b18dc48cf2936f9cfc3e98288930827cd76d39c1bfbbd834df5f56f0885e103100544ea5500acde0be6beda6fa6f7795f3c29e

C:\Windows\system\hVaiXNV.exe

MD5 b5478c78e5bf0f38ed929912ad82bf46
SHA1 f5cdfbecba34c9ac0d835ab88cc14620f74ae5a1
SHA256 484517d9c47f1ff68815563921badb68028966c494f52f9a59de7bf519a3809c
SHA512 7bef23caa3424981a8100d3e5748b80b502eda973b8c95fc554d7115d341a54daf17221251c350d5177931c7f8ade99c5f48ebee5e1994cc6ba37441da80c89e

memory/2644-100-0x000000013F440000-0x000000013F794000-memory.dmp

C:\Windows\system\RgidQMo.exe

MD5 c6c5c74e2de1ae3834a8682c04db7b59
SHA1 8f624d90392f934a07782554700f0435ce85f596
SHA256 b5717af9e7a8af69d483b217fd196edd1487f65fd73f1c41ed75579b185784f2
SHA512 b7708fd77aacd56d7ea5fda9233bd48c0863b4a75bf2291070ab223541269c32f00f6d70d9bbc3474e8861f606bbf3562175e8d66f861359e8757c91a20543cc

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 06:46

Reported

2024-06-08 06:48

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\bSAWPEs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aEXhfvr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QwXDTcT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jKcXMnQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vDFUBBR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PRkPQgq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IiQZbIM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VYMmdfQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TJZnlgm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FgwRaQm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kkSxHGO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zkXZDmi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cjCxUGs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nsrldcj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qhHmZTL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KafNdsj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OOCLMbq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\guELymC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iSsWthy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MrDbTaT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aUJVChz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FgwRaQm.exe
PID 1636 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\FgwRaQm.exe
PID 1636 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\nsrldcj.exe
PID 1636 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\nsrldcj.exe
PID 1636 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\vDFUBBR.exe
PID 1636 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\vDFUBBR.exe
PID 1636 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\iSsWthy.exe
PID 1636 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\iSsWthy.exe
PID 1636 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\kkSxHGO.exe
PID 1636 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\kkSxHGO.exe
PID 1636 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PRkPQgq.exe
PID 1636 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\PRkPQgq.exe
PID 1636 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zkXZDmi.exe
PID 1636 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\zkXZDmi.exe
PID 1636 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MrDbTaT.exe
PID 1636 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MrDbTaT.exe
PID 1636 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\aUJVChz.exe
PID 1636 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\aUJVChz.exe
PID 1636 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IiQZbIM.exe
PID 1636 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IiQZbIM.exe
PID 1636 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\bSAWPEs.exe
PID 1636 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\bSAWPEs.exe
PID 1636 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\VYMmdfQ.exe
PID 1636 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\VYMmdfQ.exe
PID 1636 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\qhHmZTL.exe
PID 1636 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\qhHmZTL.exe
PID 1636 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\KafNdsj.exe
PID 1636 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\KafNdsj.exe
PID 1636 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\cjCxUGs.exe
PID 1636 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\cjCxUGs.exe
PID 1636 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\aEXhfvr.exe
PID 1636 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\aEXhfvr.exe
PID 1636 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\QwXDTcT.exe
PID 1636 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\QwXDTcT.exe
PID 1636 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OOCLMbq.exe
PID 1636 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OOCLMbq.exe
PID 1636 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\guELymC.exe
PID 1636 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\guELymC.exe
PID 1636 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\jKcXMnQ.exe
PID 1636 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\jKcXMnQ.exe
PID 1636 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\TJZnlgm.exe
PID 1636 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe C:\Windows\System\TJZnlgm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_c58d1fa6168b55c339f71794fb20898d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\FgwRaQm.exe

C:\Windows\System\FgwRaQm.exe

C:\Windows\System\nsrldcj.exe

C:\Windows\System\nsrldcj.exe

C:\Windows\System\vDFUBBR.exe

C:\Windows\System\vDFUBBR.exe

C:\Windows\System\iSsWthy.exe

C:\Windows\System\iSsWthy.exe

C:\Windows\System\kkSxHGO.exe

C:\Windows\System\kkSxHGO.exe

C:\Windows\System\PRkPQgq.exe

C:\Windows\System\PRkPQgq.exe

C:\Windows\System\zkXZDmi.exe

C:\Windows\System\zkXZDmi.exe

C:\Windows\System\MrDbTaT.exe

C:\Windows\System\MrDbTaT.exe

C:\Windows\System\aUJVChz.exe

C:\Windows\System\aUJVChz.exe

C:\Windows\System\IiQZbIM.exe

C:\Windows\System\IiQZbIM.exe

C:\Windows\System\bSAWPEs.exe

C:\Windows\System\bSAWPEs.exe

C:\Windows\System\VYMmdfQ.exe

C:\Windows\System\VYMmdfQ.exe

C:\Windows\System\qhHmZTL.exe

C:\Windows\System\qhHmZTL.exe

C:\Windows\System\KafNdsj.exe

C:\Windows\System\KafNdsj.exe

C:\Windows\System\cjCxUGs.exe

C:\Windows\System\cjCxUGs.exe

C:\Windows\System\aEXhfvr.exe

C:\Windows\System\aEXhfvr.exe

C:\Windows\System\QwXDTcT.exe

C:\Windows\System\QwXDTcT.exe

C:\Windows\System\OOCLMbq.exe

C:\Windows\System\OOCLMbq.exe

C:\Windows\System\guELymC.exe

C:\Windows\System\guELymC.exe

C:\Windows\System\jKcXMnQ.exe

C:\Windows\System\jKcXMnQ.exe

C:\Windows\System\TJZnlgm.exe

C:\Windows\System\TJZnlgm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

memory/1636-0-0x00007FF637940000-0x00007FF637C94000-memory.dmp

memory/1636-1-0x000001AC40B50000-0x000001AC40B60000-memory.dmp

C:\Windows\System\FgwRaQm.exe

MD5 873470d907a364e3035107c8571852bd
SHA1 4c3bebcd67199277e832aa9955a7d23ae15de4f5
SHA256 44efa421c39054ecadaff05816887bcc67dfbec4741d881f7bc649e5cb64a346
SHA512 76ed4bc889a687615aae9fe0acac69046e6235f644045e505cde5cd382df52af228690b9d9392cf8679db78128b2a58c2f0401469722a3bfa1a714701e6e131f

C:\Windows\System\nsrldcj.exe

MD5 64a33aeee181c418fd96280eee6cd86a
SHA1 c7d3517f10c27f9647da6673480a5458858dd72c
SHA256 0454e5ec90c4ce712c78b1afceddb1b5d36d7945cdf4024ac314c849559dc22d
SHA512 8d1e3b4cbb6b51a465b3a9af3349faaebcd4f52687f5c5f7b7ac0f337372a48f1beac3dae388f7f7b3ebf768727d4596f49ccffddd8e31d44fdca2dd53137b99

C:\Windows\System\vDFUBBR.exe

MD5 1ddce6cb6c0de3c13a10e3cd14fc473d
SHA1 0c20cca3d9362970aed2ef53748f43291bcc687b
SHA256 0d5cbaddf99abf639b25638f48ac25692d8f88c30702d738806433866a55561a
SHA512 ca828c602fb8fcdb1d19a769a99f04085e81c7dabbb174e7d8da667e6d6f488ec03e72be5d79db8fa636bfbff46b57480ca39cd6e31592bf179441359693ff8c

C:\Windows\System\iSsWthy.exe

MD5 b31d126e82573ff1bb32ca13e40b0901
SHA1 74d5c6ff66001d60ebe27504988a02869f421af7
SHA256 e19b7a010288aebd88a0ee16d33d561cfbe17388f1837c6df8e6e5f0fd266043
SHA512 1c76400fbffc4d33b061e18042706771e14de167f811d7a0105de44ac54d68edd5ee1c2151e6dc8071dc8577b946c5d9ff6ef4fad8ddf404e1cf1a32bbdbb6a6

C:\Windows\System\kkSxHGO.exe

MD5 ae2e4b4720a1378316891ab9d4ba1f9c
SHA1 8e4d46ae18592c0d89f95897be7412c908ffd853
SHA256 071a95c47cf98c7f45cf154b1372d15ecd7efb2d50f1085cb409b20f7cdb2bd2
SHA512 5263acd71ba11ee3922a47ebe8369afa52e07dd7c38c6ed57b74717df49156a3770a30c668b5003e4209bf3c60b3259b0b7c54b01d6e87717fe2fc96fc74ad68

C:\Windows\System\MrDbTaT.exe

MD5 8a9d14f1220cf50c4d51a5b76b8c9522
SHA1 7917fda4b462341b43ac3c57abfbed5dd68cf59d
SHA256 1a83ce3fd429307dadc3264371d876e4406c4f09580f590bc554a2aa5a229a7d
SHA512 a398e60ceed261714dbf35bc677ba4c1404043717d22a03cb19963fb81ffb829d007837b3f6e63e204284c9e558b636700e37a533155bc9e719d35f392fe9dee

memory/992-50-0x00007FF7D0BF0000-0x00007FF7D0F44000-memory.dmp

C:\Windows\System\zkXZDmi.exe

MD5 e17b41d25934b7f6ba3278facf163d77
SHA1 13e7813a2e78f127e1ff09676ecbf1bd2e22eb50
SHA256 4c8770c627b747736e90c69c7649cd06c0e5b24815807d2c2dfbabc13b479bb1
SHA512 69fb51760956ceef60267de8ba5422a1437ec9724f1f21c9ab75806dfa9b0cdf69fbaef110630050e6b48d11eb03f0aa4d28e97b190fa180935ec31f29728e3d

C:\Windows\System\aUJVChz.exe

MD5 060fb1ed5e7feed557bbaf1dfbd8fff6
SHA1 a588076a1527027376187efbde3c638e837fd8f9
SHA256 73d73d7bf66a24ec4ed1ec2b9da1fc3c8bbd9593593a9e63a5cfe912c51b5025
SHA512 82d7e30e67c19ab64f1a76ba75b7ab8f8b2d01970759134df7867b36f24bbc938cf2add48a25abcdcca9ec0c31431b3a769767ebf7add5618952853741df6871

C:\Windows\System\bSAWPEs.exe

MD5 bbbd63b9307e65e77c91b1e97964ac7c
SHA1 794138e2b6abbfd282a326231e017bdd733f6f2b
SHA256 5f4773d5c2121d03124ac7e885d0c36d5392410d9d9231e4d2524b1f890513a8
SHA512 8f1a67b7bb09c52c25e90ed5fbcd93a4f187fab88ee1b11daccbebb30519c18ac86d64add7fb9dd66392d81380e742aecf2f5a786cb7a78aa76f8d72cbac0f69

memory/3496-63-0x00007FF661E60000-0x00007FF6621B4000-memory.dmp

C:\Windows\System\IiQZbIM.exe

MD5 c54273518dd993b9547aa1349a8a99ca
SHA1 a232c259dfc9143a5bbcd1d0bc6109bdcecfca15
SHA256 74c269aa3a330279ae4cbb8d1ef778402996f242cc95ff0ff3f8743db5c4d683
SHA512 8f683c6e73662910d4d44e4d04e4884c8c39c636294dd7c37b20cf5551480e331cb86edc0e3c2bdc7702e74b958a7c4d5b2fde1233ed9e5bc1cbfd940dc190ae

C:\Windows\System\PRkPQgq.exe

MD5 305af1a957c289bf29643e436ccea4eb
SHA1 51dd904a0708c821af419ef31a0a72a5a31262c4
SHA256 1ff043858dd92938be0e92df1a412aa6765291f3994abc6acee976c9e818d316
SHA512 614c2d6dab9453a1d8eebcbd955bd3684de490206818d6de071064a377744f116ca92d122dff85d345baaa2ba9294d285bc75ee868c7ecc11ae473736c7bae51

C:\Windows\System\VYMmdfQ.exe

MD5 b6a6e4b5c7c2e45bba4ff84978897dcf
SHA1 e55e860d4b4fdaf8d4207b6ab9558bd9fb95c0de
SHA256 cc4d40e16afc4453454e0670bb280d016a1dbd1ec6c2271125e81a1013965994
SHA512 85f5ceb91e0cf060003fd4adbf2107594ccef36c3e201a895d6c11b00af7e32f02cc950b34f63c55faab81fdfe7bfcb2f7737ebc5fcf3854e52cb834a2f3518f

memory/1636-74-0x00007FF637940000-0x00007FF637C94000-memory.dmp

memory/1444-75-0x00007FF701EF0000-0x00007FF702244000-memory.dmp

C:\Windows\System\qhHmZTL.exe

MD5 fd737af59df9fef7b0d8c4962b30722c
SHA1 ffff45b24795aadcefbe75e0d76d9f2aa8f3b142
SHA256 1af53f25adf1e6d29609cd8d3bdce1669f3e5bea4195d0f262344b01dcb4d5a9
SHA512 5d57b613e67c807290c81923f99cab80e42387dec025831536e86cc2fcf1cc378a9d86d4eff41917b6d8a07d1e5bf1b81d6b5f7b14163f99e9b217546633d374

memory/1940-80-0x00007FF77C2C0000-0x00007FF77C614000-memory.dmp

C:\Windows\System\KafNdsj.exe

MD5 b3e77a75ab0bb563376a7630203062d5
SHA1 09edd60ec55b5129c22ffc9580c553fa2545408f
SHA256 8d6f95773e75f61263ea67c960f63f57f3f6be7d7543959d663284dbe8cfcfe8
SHA512 f6c74d8393952320f3a2049963ba95463fd6687f69fe2ae9211519ab2bd818d7c690ba74a6207c0f75f2cb9da2f20acb3e5da32bdc576e58b21dbfcd742a84a2

memory/1472-87-0x00007FF7BC130000-0x00007FF7BC484000-memory.dmp

C:\Windows\System\cjCxUGs.exe

MD5 1cee4b0392637e83a150028fe0643e93
SHA1 62f3bc010c6dd560f81543c9a5c38c6eb71ed9e1
SHA256 f3aff6f6019412304ec074405f5646f623f97012f2293ae05fa588fa174bbcd9
SHA512 5de2c5d269c8fdac1b6a157860bb0937d3489337b0897f4f92c3b00bc12309166e966bfc8aa381545f44af55f021838d8cbbee7d06317ef4228e0339d3c0347a

C:\Windows\System\aEXhfvr.exe

MD5 0784353cf508e8d8d0effed8f5332030
SHA1 b9c7c899fea244b03d079ca7a255ea0b4994b170
SHA256 d0f38ae5743117527b5dd94b57b91cf7b8946f117af42cc5000e80a93a6a17d0
SHA512 76bbc1a05cbef0fe50c1b9136643ef0e93385a2f4ec5d5f3364d6236bf4dc243e6ac11a6f60c4b7bf4fcbb4eecfd516001a54dde51d0e8d77e567ba751e3735a

C:\Windows\System\QwXDTcT.exe

MD5 27d8e30c6fdae93db8dc7dcf4e896cfd
SHA1 e01752f1f16142a7ec4d5dfbc155b0c41e5aa1f6
SHA256 ad4f8afb165be2b9453fa8985ed0675ef4eb9f4cc201a0b23835c60c8a0c29c2
SHA512 96efb52c9c6596004ddc4f8067b6bf1fd710283bdfbffacd37a7df12fb020a49f095c09db81a78c1e415ec9d3f233428b9884cd1d82dc5dd6ea11d0a930641a1

memory/1420-104-0x00007FF71D4C0000-0x00007FF71D814000-memory.dmp

C:\Windows\System\OOCLMbq.exe

MD5 979557cb2fd9f0f1a1af4e7e07a9bbac
SHA1 e78c9d638403e3df5478080aefd2b185cd3da491
SHA256 8ed71f141b9051b0c81d38d7f31584a2d3d6bb0ab309fc99cfd42b19dd3e1796
SHA512 12487841b51e3eed4cb1f29987eb5c3a9759fff9b819d32d1ca2d33d449490b58ffb8d79bb516385354c982404c55d72a0066aff97cc0f248b4af7667e30eab1

C:\Windows\System\guELymC.exe

MD5 378c731e3cfd420919bac38aa4e1f3e4
SHA1 731aab77f6b9dc462d8a0fe75e4201e6eab4b194
SHA256 38b8bdd9d449d6c20e146851c8eb668da9da6da1a584baeed62b6229f76e4fdb
SHA512 ba93c3e49b35d8273f6be57a13f324b02af3528d770449bc91cbb1f625453e39435c801a377b9ac77e2017f7de1681270e249affc6edfff583266b8e839d3cd1

C:\Windows\System\jKcXMnQ.exe

MD5 688ae6d734f3c7565a6f80feb13e39f4
SHA1 dc088e46416e05e8c0b25e119d311e9995e7d1c6
SHA256 39e2c57670d237eef982e15246590d67f153aed2a584aa3ffb5bed3bc700ed5d
SHA512 5f3484e5c3e9471bee0bfb997cebe6fca4f2eeae594b785a9950a2ef399206a58f6639bfe2cf6c9282beb78e490273fe1c8281b7977b598e4588fb6d6acddbe9

C:\Windows\System\TJZnlgm.exe

MD5 c60314c5450e09bdb439da02f3dc9bb0
SHA1 f773023c6889f05de4c3a3ec42a06c3c472a9b0b
SHA256 968687cb6964293430d18ebd022983a2f1ffb15adc03b6bb5bf669a2f17359d7
SHA512 ceda93d7bca3f0662c4a481f2c7d06ba9e4d2971fa80ca1d2615a5056bef107b30c6c2e35b9806af65dd3b73a989c5197cd189482a911fb4951470836d9f13a8
