Malware Analysis Report

2024-10-16 03:07

Sample ID 240608-kmg6rsae8z
Target 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike
SHA256 d609a3537c2943a264101bac876c2bd5bf03a1fa3ad6dd77e8c68d37310af66c
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d609a3537c2943a264101bac876c2bd5bf03a1fa3ad6dd77e8c68d37310af66c

Threat Level: Known bad

The file 2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

xmrig

Cobaltstrike family

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

Cobaltstrike

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 08:42

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 08:42

Reported

2024-06-08 08:45

Platform

win7-20240508-en

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\zmTswFt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MWMlbOX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pvSdPJE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ezIkzur.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qRqcURA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PZKLRHZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XTJYLHE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VVMWImK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\twWzNmP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QIzrlXQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oDlwaGS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eyKmVLe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XEqHYQO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WqIhaAk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CWRkqjz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\brXADCH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RiGpszq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\slKiUth.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eDHAkqi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CJcmDht.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MSKmQzY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\MSKmQzY.exe
PID 1928 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\MSKmQzY.exe
PID 1928 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\MSKmQzY.exe
PID 1928 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\XEqHYQO.exe
PID 1928 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\XEqHYQO.exe
PID 1928 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\XEqHYQO.exe
PID 1928 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\VVMWImK.exe
PID 1928 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\VVMWImK.exe
PID 1928 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\VVMWImK.exe
PID 1928 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\WqIhaAk.exe
PID 1928 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\WqIhaAk.exe
PID 1928 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\WqIhaAk.exe
PID 1928 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\twWzNmP.exe
PID 1928 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\twWzNmP.exe
PID 1928 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\twWzNmP.exe
PID 1928 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\QIzrlXQ.exe
PID 1928 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\QIzrlXQ.exe
PID 1928 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\QIzrlXQ.exe
PID 1928 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\oDlwaGS.exe
PID 1928 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\oDlwaGS.exe
PID 1928 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\oDlwaGS.exe
PID 1928 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\CWRkqjz.exe
PID 1928 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\CWRkqjz.exe
PID 1928 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\CWRkqjz.exe
PID 1928 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\brXADCH.exe
PID 1928 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\brXADCH.exe
PID 1928 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\brXADCH.exe
PID 1928 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\pvSdPJE.exe
PID 1928 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\pvSdPJE.exe
PID 1928 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\pvSdPJE.exe
PID 1928 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\zmTswFt.exe
PID 1928 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\zmTswFt.exe
PID 1928 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\zmTswFt.exe
PID 1928 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\RiGpszq.exe
PID 1928 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\RiGpszq.exe
PID 1928 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\RiGpszq.exe
PID 1928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\slKiUth.exe
PID 1928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\slKiUth.exe
PID 1928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\slKiUth.exe
PID 1928 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\XTJYLHE.exe
PID 1928 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\XTJYLHE.exe
PID 1928 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\XTJYLHE.exe
PID 1928 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\ezIkzur.exe
PID 1928 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\ezIkzur.exe
PID 1928 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\ezIkzur.exe
PID 1928 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\MWMlbOX.exe
PID 1928 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\MWMlbOX.exe
PID 1928 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\MWMlbOX.exe
PID 1928 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\eDHAkqi.exe
PID 1928 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\eDHAkqi.exe
PID 1928 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\eDHAkqi.exe
PID 1928 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\qRqcURA.exe
PID 1928 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\qRqcURA.exe
PID 1928 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\qRqcURA.exe
PID 1928 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\CJcmDht.exe
PID 1928 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\CJcmDht.exe
PID 1928 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\CJcmDht.exe
PID 1928 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\eyKmVLe.exe
PID 1928 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\eyKmVLe.exe
PID 1928 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\eyKmVLe.exe
PID 1928 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\PZKLRHZ.exe
PID 1928 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\PZKLRHZ.exe
PID 1928 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\PZKLRHZ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\MSKmQzY.exe

C:\Windows\System\MSKmQzY.exe

C:\Windows\System\XEqHYQO.exe

C:\Windows\System\XEqHYQO.exe

C:\Windows\System\VVMWImK.exe

C:\Windows\System\VVMWImK.exe

C:\Windows\System\WqIhaAk.exe

C:\Windows\System\WqIhaAk.exe

C:\Windows\System\twWzNmP.exe

C:\Windows\System\twWzNmP.exe

C:\Windows\System\QIzrlXQ.exe

C:\Windows\System\QIzrlXQ.exe

C:\Windows\System\oDlwaGS.exe

C:\Windows\System\oDlwaGS.exe

C:\Windows\System\CWRkqjz.exe

C:\Windows\System\CWRkqjz.exe

C:\Windows\System\brXADCH.exe

C:\Windows\System\brXADCH.exe

C:\Windows\System\pvSdPJE.exe

C:\Windows\System\pvSdPJE.exe

C:\Windows\System\zmTswFt.exe

C:\Windows\System\zmTswFt.exe

C:\Windows\System\RiGpszq.exe

C:\Windows\System\RiGpszq.exe

C:\Windows\System\slKiUth.exe

C:\Windows\System\slKiUth.exe

C:\Windows\System\XTJYLHE.exe

C:\Windows\System\XTJYLHE.exe

C:\Windows\System\ezIkzur.exe

C:\Windows\System\ezIkzur.exe

C:\Windows\System\MWMlbOX.exe

C:\Windows\System\MWMlbOX.exe

C:\Windows\System\eDHAkqi.exe

C:\Windows\System\eDHAkqi.exe

C:\Windows\System\qRqcURA.exe

C:\Windows\System\qRqcURA.exe

C:\Windows\System\CJcmDht.exe

C:\Windows\System\CJcmDht.exe

C:\Windows\System\eyKmVLe.exe

C:\Windows\System\eyKmVLe.exe

C:\Windows\System\PZKLRHZ.exe

C:\Windows\System\PZKLRHZ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1928-0-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/1928-1-0x00000000002F0000-0x0000000000300000-memory.dmp

C:\Windows\system\MSKmQzY.exe

MD5 813db0636b55b65f9534cce08204f1a0
SHA1 ac5e95cd4dd8304bb6e66a7ab65f704a504d90fb
SHA256 b1de3770d65a1b3a8a9828c588847d188471b19bb35c7795eb565ba8f61893cb
SHA512 19cba23caf0dcfaa65f54d194801743a50db08f7948e6896089e768fa2e8e0e39391a9a765e54003624424e6700fa2e10a6183e50700acf26ccb64687bb3f4c5

C:\Windows\system\XEqHYQO.exe

MD5 e16ce437529fb445cc1641f16fc3d14f
SHA1 c53c14c23e04afb0d333c825f2ba8ad3192545e7
SHA256 ba71989e6eee2872239a2c20d312bc95694ee358aab82e7a780328ec40ace43e
SHA512 1fedcf8790ca1036e8eb3c3e23f9ce7f1ddf37575cac0fa22a63c4069313eec3ec4262ae7c5ccf0dea00a4d03148ff274129e7c830849e3cd1591a8acccc2600

C:\Windows\system\VVMWImK.exe

MD5 630a84e4f8c4804888c4da288bd5d5f8
SHA1 a9cd2f5fe1da15eab70f2883b466e0a50a122c18
SHA256 dc600c4a9a3a41fdcb2d143cdd51b84ae5b3a93ddd40ab7a67f75630d298b22e
SHA512 0219ff4290431090513575c48f6ec5534e84b52716c7b96e57e02c77668b5b05082d9dfe0fbc2b9ead5392a31e766f52fc44e364537355c8cd79b94442cb9b5f

C:\Windows\system\WqIhaAk.exe

MD5 979483e23332b5438f1102f573e90a10
SHA1 8aaab4c47f39c8d1f0ae65a8e70f4cfb7a4902a4
SHA256 54df7acc83028f86e95461b2ce6d1c6bcc9fbc22a7110709fd19af8e899fc961
SHA512 7fee476fd5d784246d39bbac68d155dd1b687dcc7b80679277c209c340143dd54e283607b5766a819bbdfbc1eb91b494661701bfa5cd67f90d157cf8bcdf8166

C:\Windows\system\twWzNmP.exe

MD5 da575eda49ae68b463c1d841fe50fb66
SHA1 4360a9dd636a4f925e0aaabe01cce858094cef6d
SHA256 bc15aeb42278d22019c843ef7782bba8f6901e332c813643748c73167f33c9b2
SHA512 0f9404e1a32ed9021a90d37be4db1e6f92e9d8ac8b6b22852b56024a6d1320e4638e0effa50ef3931b21d4313f2da7cdd8f161be0dab196104f723b11201320e

C:\Windows\system\QIzrlXQ.exe

MD5 fd9feaef287132abb26daa0339f7f075
SHA1 44acf66a0777db69a123ef6976c6faac8cc704ef
SHA256 9825a8aadc31f3841d79dc0ef5b536ad6b4e823234b27ebf43bfd990f72521bc
SHA512 7bc1b7882b55efd905bde9643b754cb3092cb93ce074624744fda3cce3b1e628cd5bf6b362679f3bca70fb6f18dc622b5a01d50de2908f369f79034ca1308ccd

C:\Windows\system\brXADCH.exe

MD5 ab4a34568a7a37cee983f19d8329f3d0
SHA1 62ae1c729a796f84e77a346e13e6f9392b89a192
SHA256 6052c94ee71069bf24e574a3d1d67a02341f169a4a6ce9acb10a75726bcb4ad2
SHA512 f97a4e2805ad0c3e1b07dda6e25f061ec1abd419d0d35870ae0d3c3571ab26ec2dcee3e901b158785a0936c81284d301903b4e8bcba7c8946470961b252e5ad2

C:\Windows\system\pvSdPJE.exe

MD5 319c01507a2f5df3e5433669b09e8cff
SHA1 10ed191dbb879151aa41ae09f6b29993b1eaa1dd
SHA256 1498d33f0f975665cfe6630045e1a1dd13cfaa12659ee8dc8a2076731e9609b4
SHA512 defce5463769f1537509bd17d0b5288e866eba5870f13dc6e8ebc61213b63daf549c0331dc2970dd5c92a227b325f04341045fa09c635da39fcf878dbe806cfb

C:\Windows\system\zmTswFt.exe

MD5 d10d916c1a8560ab5365e12822d991c5
SHA1 d34ddf06cd6be67a49da78c736dcfb47b65c31e9
SHA256 c02cd89a8cf30cd45549e85d5f6c2b3be7e735fef0c636a6f62fe5a21d90098d
SHA512 dfff429a3de0bd5f55bd7803c1e16ab9c46b70aa20c1ceaa04cee89897fd0e0cde954c053c784027af3c7a174af2e9c3ef9c72ff4794c822703537fc2059897f

C:\Windows\system\slKiUth.exe

MD5 c18e81921a22304cc2d5ada4a1a84e79
SHA1 ad7f5fe000437630dba611086e37ea6f32186899
SHA256 ce72817ea842acd012c485621c29471223b0cb3b6f5284c8f7548366583897af
SHA512 17ff99b51203518030a178c5111f9fe5199b1f310b26da4f80cdc249c9f205e5b8a3dc1186ba2242b48879cd35c4954248d23aa19632f7cae6f2deaaa9c340b2

C:\Windows\system\MWMlbOX.exe

MD5 4a1b6742e04ffb5df78ce94045588aab
SHA1 2c52b587f7fb290304f10fdc851daad7d3c597dd
SHA256 828d3010dd9350338a77ce444a7dbb7bf7489a75868fa5dcd960f9d743f1ca16
SHA512 d32cc411d3fd7fb0f95365c8769bc7b9c79b3eb9adbfc2bd1f2310e5742a3f56b06bdcb3304be6c55196932ea7be702963dea7df7e5058feacc2e35c3897ad83

C:\Windows\system\eyKmVLe.exe

MD5 f3bafa34cc89c846a2b9ae9e13a35b9b
SHA1 a7c7f80599ba2ea6d2512f23c5f59ffa83615eef
SHA256 65a6fc2c77086d856192ccb820a9e043df0349213d52c92c4254ab4f71e638c2
SHA512 0974dd291991b7c5bec615ae4bc13d0204a58933ada32b50a4270dc0a294e06c423222a7166ce041ba0e8660b48597997aa0bef73871cc70e4934d092f51f448

C:\Windows\system\PZKLRHZ.exe

MD5 d7ac8a087588d77cc7575da7ae0f8c2f
SHA1 98f758cd3b4fcc7e23df2aaa0e3b5c51f65ed721
SHA256 e520d24af7187b527a8e5b17ae914b510211cea720f5f23de19d627afa2f6529
SHA512 afddf6c28c2caa7bdc3ed2dcb4e43d090569140253d500e869421f185db7e6e59ab6d38ff88aacd571b9bd0acfd568743b4075a76f146185fc80ab9c4b050813

C:\Windows\system\CJcmDht.exe

MD5 49d71db7c33aa71a2f3e0d62d560d27c
SHA1 a18674c130f88ce54162fe3ec7f9fc804f1341dc
SHA256 98e24c0800c3f48e1e7df3ba5fedd149de5cd4627edd9de185eb4e9ad3207336
SHA512 c861d9861255acb4b340b6a940854eea18e0c8f66b4c95779846f843b53f40c1999d2d2047c42982e4a3450c1af675dc9c4f2da34944507e500aa67be6a78b34

memory/1928-101-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/1676-116-0x000000013F200000-0x000000013F554000-memory.dmp

memory/1928-119-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2504-118-0x000000013FB10000-0x000000013FE64000-memory.dmp

memory/1928-117-0x000000013FB10000-0x000000013FE64000-memory.dmp

memory/2796-115-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2728-114-0x000000013FEE0000-0x0000000140234000-memory.dmp

memory/1928-113-0x000000013FEE0000-0x0000000140234000-memory.dmp

memory/2812-112-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/1928-111-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2928-110-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2628-109-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/1928-108-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2944-107-0x000000013F430000-0x000000013F784000-memory.dmp

memory/2704-106-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/1928-105-0x00000000024B0000-0x0000000002804000-memory.dmp

memory/2640-104-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/1928-103-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/2368-102-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/2136-100-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/1928-90-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/1932-89-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2448-88-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

C:\Windows\system\qRqcURA.exe

MD5 42e71bd3200c86af41a262047cd9f484
SHA1 18994c9df71a02927da1526c8434aaff15f6b19b
SHA256 2dc1f2678840dcf88c0d704820ea3c8c14e281e863dec620b90cc9130561cea0
SHA512 5fdbeda40f646b8dbd172591ae3609ab077826916aeb50500e44f2e26e6e215ca046f3733a79280dcb398170be2ff421498abc884278889612e5f95f82500299

C:\Windows\system\eDHAkqi.exe

MD5 ad684815dbb5d8aff65fdcf10bf27f31
SHA1 3a8e33ee12811968dba7cc8668e3bb368e6e8654
SHA256 d4e20123d34f6337134cdb972365f517c9e47fc7d1246067f8141839113105b0
SHA512 03945388566498d765f969bcc42a5dad46d3421efc6a49e9b21001a2226e796e9b872ff5a20d5facf9419c056c3794777b39081c0e8af77598ea7d699dfec2d9

C:\Windows\system\ezIkzur.exe

MD5 44c489af4b283cae0458bf1763db0c44
SHA1 58b9b60f48200944ad19f6543bf8c5879b66701c
SHA256 7149455bd339045cec68ad462e4df2299fac817dba47a1279d1d8449eb6d029c
SHA512 6c2ba9a520e468a139f865ff76b25c06241b5c20bda0230e090a4f77aea5fc98a4b771e4299f7369b3b927ae643ac9e15bbdf2122f084704bba4a403c0463d50

C:\Windows\system\XTJYLHE.exe

MD5 1f8015258bc338144e41576ef80bf472
SHA1 9495e48f41c626cd506653adb98d2ae602f87570
SHA256 e072610f0df1b615f7916ac055cb93601f7895aefb849e769267e295572bbc13
SHA512 65c6d7dfb60aee413bbb7023b19ef1e0826ca411fdd8a1babb92bc6ac399292a6bf39a6bcc143011c1464ec4644bbb73edc8eaa311def6aef05c91d583911155

C:\Windows\system\RiGpszq.exe

MD5 cc9caade7f00dda13bfa4d87beba10b3
SHA1 20f7be4fbdfc72d9da7a9296efea4e3d306d08d3
SHA256 32c8dc7a0b31a44d36bcce3d154da4485d19b39a115c6acdd96ebfbf3735916e
SHA512 40c3472c60e81229bd5005e72c2774ea3712088c22d022e342c121645374b43db8ed22dfb3970bc99442d18532fc3851b31a5c140c52418227fd92b0228651de

C:\Windows\system\CWRkqjz.exe

MD5 9af547ea86fce9ae45be91d58d9c73e4
SHA1 b0fde15662ac124c033d8500aefcf69d002a058a
SHA256 a532efb9b17cf023309cfbe300da85d4a9946a11694e6650cfdbc0e1d7460fed
SHA512 9d714a5a9e460c492271cd86920e886941708cfd1eb49e3fa3d7eb300e042766ef60caf9b16009dce6534e91e3b8779c19e7f3ae8d0de47617cd1716b8159e2b

C:\Windows\system\oDlwaGS.exe

MD5 bd82ede5f165e54e725af8d2a7d80158
SHA1 a7deb30ba68b1f074044322a13a4162b37d9197b
SHA256 2cebf6b639de4988390d68d7374a0038da8073e88220c6a9e877efc5b9d98c13
SHA512 b0f494e2adfba615d984f33788bdce5e5e55a4780c37ac8164a29fd74c0cd42e17f407a8a0fb5018f115c2d58ce55450ae84dede8cf152c4cc08d13a09edffc9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 08:42

Reported

2024-06-08 08:45

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\PCfZiaQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RfTuiMJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SRdfHEc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vEMrFLN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VCBprxR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nNNkcqG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EqmrvcW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yoihSwT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VdConld.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WyHJrso.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rYOCRmb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dglZvJS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aSSaRSq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EMnJZwO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dUOQjcJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tirQKHj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jnkHbsD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JeblYOh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QACfghg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ztauxzT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\njUztHS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCfZiaQ.exe
PID 2860 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCfZiaQ.exe
PID 2860 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\jnkHbsD.exe
PID 2860 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\jnkHbsD.exe
PID 2860 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\EMnJZwO.exe
PID 2860 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\EMnJZwO.exe
PID 2860 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\EqmrvcW.exe
PID 2860 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\EqmrvcW.exe
PID 2860 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\RfTuiMJ.exe
PID 2860 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\RfTuiMJ.exe
PID 2860 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\SRdfHEc.exe
PID 2860 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\SRdfHEc.exe
PID 2860 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\yoihSwT.exe
PID 2860 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\yoihSwT.exe
PID 2860 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\VdConld.exe
PID 2860 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\VdConld.exe
PID 2860 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\dUOQjcJ.exe
PID 2860 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\dUOQjcJ.exe
PID 2860 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\JeblYOh.exe
PID 2860 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\JeblYOh.exe
PID 2860 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\WyHJrso.exe
PID 2860 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\WyHJrso.exe
PID 2860 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\QACfghg.exe
PID 2860 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\QACfghg.exe
PID 2860 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\ztauxzT.exe
PID 2860 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\ztauxzT.exe
PID 2860 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\rYOCRmb.exe
PID 2860 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\rYOCRmb.exe
PID 2860 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\dglZvJS.exe
PID 2860 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\dglZvJS.exe
PID 2860 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\VCBprxR.exe
PID 2860 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\VCBprxR.exe
PID 2860 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\vEMrFLN.exe
PID 2860 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\vEMrFLN.exe
PID 2860 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\nNNkcqG.exe
PID 2860 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\nNNkcqG.exe
PID 2860 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\njUztHS.exe
PID 2860 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\njUztHS.exe
PID 2860 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\tirQKHj.exe
PID 2860 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\tirQKHj.exe
PID 2860 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\aSSaRSq.exe
PID 2860 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe C:\Windows\System\aSSaRSq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ca3f78d97e2a532f29a7ae8189e9f192_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\PCfZiaQ.exe

C:\Windows\System\PCfZiaQ.exe

C:\Windows\System\jnkHbsD.exe

C:\Windows\System\jnkHbsD.exe

C:\Windows\System\EMnJZwO.exe

C:\Windows\System\EMnJZwO.exe

C:\Windows\System\EqmrvcW.exe

C:\Windows\System\EqmrvcW.exe

C:\Windows\System\RfTuiMJ.exe

C:\Windows\System\RfTuiMJ.exe

C:\Windows\System\SRdfHEc.exe

C:\Windows\System\SRdfHEc.exe

C:\Windows\System\yoihSwT.exe

C:\Windows\System\yoihSwT.exe

C:\Windows\System\VdConld.exe

C:\Windows\System\VdConld.exe

C:\Windows\System\dUOQjcJ.exe

C:\Windows\System\dUOQjcJ.exe

C:\Windows\System\JeblYOh.exe

C:\Windows\System\JeblYOh.exe

C:\Windows\System\WyHJrso.exe

C:\Windows\System\WyHJrso.exe

C:\Windows\System\QACfghg.exe

C:\Windows\System\QACfghg.exe

C:\Windows\System\ztauxzT.exe

C:\Windows\System\ztauxzT.exe

C:\Windows\System\rYOCRmb.exe

C:\Windows\System\rYOCRmb.exe

C:\Windows\System\dglZvJS.exe

C:\Windows\System\dglZvJS.exe

C:\Windows\System\VCBprxR.exe

C:\Windows\System\VCBprxR.exe

C:\Windows\System\vEMrFLN.exe

C:\Windows\System\vEMrFLN.exe

C:\Windows\System\nNNkcqG.exe

C:\Windows\System\nNNkcqG.exe

C:\Windows\System\njUztHS.exe

C:\Windows\System\njUztHS.exe

C:\Windows\System\tirQKHj.exe

C:\Windows\System\tirQKHj.exe

C:\Windows\System\aSSaRSq.exe

C:\Windows\System\aSSaRSq.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 52.111.227.14:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2860-0-0x00007FF634730000-0x00007FF634A84000-memory.dmp

memory/2860-1-0x000001BB3EAE0000-0x000001BB3EAF0000-memory.dmp

C:\Windows\System\PCfZiaQ.exe

MD5 512313c7f252bd3a875ae69984fe0210
SHA1 5aadbb3878d6df135a66763233658bf5dcb01405
SHA256 f29aecb71964461d73a1ce0ec9f20cda0e6b535b2990de6a655f242fb1f5059d
SHA512 971d74a8da1ca6566ec28980604f159ed3820631fb7b159e132695cfcf3c92bf4dfdc7cc2371cc4ca35e855cdbab8b95f6b954d8188f01fdc8aa9afd92b4203f

memory/4720-7-0x00007FF6026A0000-0x00007FF6029F4000-memory.dmp

C:\Windows\System\jnkHbsD.exe

MD5 d66b73a95eeac5954953c77119384772
SHA1 790f855a1d455b4edf47d7dab147b68fd977597e
SHA256 13e2df454f6bd4892a45adf0d5c173d18502ff09950c6c9ab52b706dd03f14ba
SHA512 3626fd6a8e2617b69369f54a3c7055a59b64e1db4113a72db01b87d5afe7e4fdcf4230d5d15a8f76d42c9d1034f978c270971560f8cf59c86d4e1106430e7bc7

C:\Windows\System\EMnJZwO.exe

MD5 95a43fb5452a0ff0d73e6b9e7e854962
SHA1 4d22bd85181e71792ff2ccb160516a4f85c0214e
SHA256 d672dfd86620186a9839e51ff01e894fed5f2173ba837014806bfc6aaf43e739
SHA512 e0daaece483c745b808fb3e625356121a059579e034d574ef1b893476c7e4beb70ff04983f9558e474c2e6425dffe86f9254b48834d5a51257a0d0493cb0da5b

memory/2304-14-0x00007FF6520B0000-0x00007FF652404000-memory.dmp

C:\Windows\System\EqmrvcW.exe

MD5 6ba7ad1c71f8f34ca39df5306dfb1535
SHA1 5ab0345b1d77a3f81fa28ecf332440314f7e8f9a
SHA256 ea1d4c24b721fcb191865903d70c59e674cb6e35388c03bf37c8c1a7de734bf4
SHA512 7fbe27051196c189f33ea3231fb3dcc1344f7dc5b5ab1b1d70fb73c15b2ba8bcefa8a580ec1350debac94f82f23dce2dab3f9730dd9353db85c1d24e83179134

memory/2484-20-0x00007FF6AE250000-0x00007FF6AE5A4000-memory.dmp

C:\Windows\System\RfTuiMJ.exe

MD5 bec1db0ebcee6dab1f1e9767f044be67
SHA1 168036158a48a9bcc90493677ff9f20e7f9a784d
SHA256 3fb79c161772743c9caa21ab5fe23a11342caeca6f675e0f69e28984d495077f
SHA512 995dfd2ac6f5fedac50a9b7397611dc8c73752bf8712b3c9963f8a64b0653322fc2fe5f7e4b19ec061003d4efb82b9e32e1f7fc399b4a485261e626808b3e2f9

memory/3236-26-0x00007FF73D5A0000-0x00007FF73D8F4000-memory.dmp

C:\Windows\System\SRdfHEc.exe

MD5 dc8a5173567a526809c5c9ae5a13eaf4
SHA1 b1e8b83404d8f437d12ff3c1981718dce4b0c8ff
SHA256 988e7c0dcd1a8d0b391a67004499c8a87b406024d1f73af2bd3e88f8343ba829
SHA512 413a2c09b70a5e92a7b0ed0d079eb690e30a59a9561c9c11d85e1f4f23097ac6deaeef588454ce474624345a97035f7ae963af732229506a0dca951919f84a38

memory/3752-36-0x00007FF783800000-0x00007FF783B54000-memory.dmp

memory/4760-32-0x00007FF716A50000-0x00007FF716DA4000-memory.dmp

C:\Windows\System\yoihSwT.exe

MD5 9945b7c605c2abc0faff699e277a1dc2
SHA1 97f5ca07dee4d354faea6317ec610ebe025224c3
SHA256 049e20bf3cbae8a4f8cb493812d2d5bbad1cc2a831467ebb014cffc5cc775caa
SHA512 db9a76ae4b0d10405e8fee4ae6d44432d068742297f3dbaa6cc51d544c0b2a964ad875e6e2544593e5c35d6e31dfbad743e2414e5ed451b7e3e9218169ec6c36

memory/4552-44-0x00007FF6D4F00000-0x00007FF6D5254000-memory.dmp

C:\Windows\System\VdConld.exe

MD5 95f9f26e8196baf1a33713fc7d36cd2f
SHA1 2cebd3f5612d0cbe875ad5b546e96a7cfef92c3a
SHA256 38cbca533e0c423664c15484e2b3423cd5faf32480fcb12e4689260eb154f07e
SHA512 b961833206ee5a83f68546379e77738ed946a8b17709147555bcfd521f7f9d0ecee2a3edcf5583a95a0f721b44f45457a75bded88eeb63a278ab02f536f43ad9

C:\Windows\System\dUOQjcJ.exe

MD5 f21514bb5ea2643334ccb23cbeae867b
SHA1 684d9f01f56fdd004fe6d000f2adde041a09c6d6
SHA256 9420bf5a1dee5f089aa3fcfe549db46a71161e8072ec4c3481e3dc30782f3504
SHA512 8a6c78be2a058584b303c305ae0a2598bb0f48d9c1e613042a3c75094e72d26b9893e9de57bdb5bfacfe63b6b6fdbc1801c9dc282c13b6512889cc0d3fcb724b

memory/2832-50-0x00007FF7D9090000-0x00007FF7D93E4000-memory.dmp

memory/316-56-0x00007FF69E7C0000-0x00007FF69EB14000-memory.dmp

C:\Windows\System\JeblYOh.exe

MD5 90e18da6b9e586be51396c6197d59cfd
SHA1 b93f19af0ce17d4ed534b14a2ccfdc9d4cced3f8
SHA256 6685f179c391ab10a5eae6c0f8ab25c8bb6b450a7d5a57aa234d61a009243624
SHA512 4e0d1791b669753c79a7ba136b68a4616edd55d9c129d8afe9e56eb4e9611ae3fdc4e1c1bab9241b2961034b04909c91218ff22669222e74c7a1c020765233de

C:\Windows\System\WyHJrso.exe

MD5 2672b62b3ab8840ef3ef946aa569c86b
SHA1 b3379f408d10956b849951143ebc3dfd37c708cb
SHA256 5653cc8035449646486c3021388580d98d7d6d40defd256e11566c880be3a2c4
SHA512 78595632c00902e76deb5d953967ce8e1d444ac9606dae1f5539ea8112021df84c493e8b3a8e8b0d5186337282a510cfbbfa12373f9a9db2bbd9a9b5a6c939de

memory/4404-70-0x00007FF65CAC0000-0x00007FF65CE14000-memory.dmp

C:\Windows\System\QACfghg.exe

MD5 e607e5fdc5e4df27863185870579cd01
SHA1 167a6fbc442f423388921db5296f395c4e4bbf1b
SHA256 58b521ad94fb2c9f7b528403529095df758fc43989c012c78bb1b381c53c1648
SHA512 a5243060ae639f719cf9d66c8ff3835489f15daa9b94a30f5112db642ab966309935f916f5fe0fdcb8bca0f22f165f0d83a46c53432603d38c52967e14837880

C:\Windows\System\ztauxzT.exe

MD5 06e5867b194bed018f1922bc6dd527c6
SHA1 8eb69ec32a391d4069d88358cce1d6c28d79432a
SHA256 77e757adedaa0f791bd8a37125d5fb0698bb61d70b97005264d2b211a74caae4
SHA512 40d70491860ba651947d9574d2c01154cddee4c59ac166b4d90605edc635679427b979f2d0de82e3180eb816b458939a91c3e6481beff73cb1beecdb976e5deb

memory/2016-83-0x00007FF77DEB0000-0x00007FF77E204000-memory.dmp

C:\Windows\System\rYOCRmb.exe

MD5 76491e2f5283d134507ddc62f4e6edbc
SHA1 7a3b652c4f36648721661f8dd4506f23e89fc253
SHA256 245544d12e113cecd5515effc04a98d9377d24ae826abaae4b6773857639da7c
SHA512 921723962e9ad532e2518cac5adf0a029652f7ae8011d5fa5c7b6eed03237c8a0e0b25a9be1015ab903b17bd3cabbd4c2c20ab11b2943714899de4e3118a8035

C:\Windows\System\dglZvJS.exe

MD5 e4cef3c3e94b9d5d0706a98cd47295bf
SHA1 8ceddd4197f4c82083bbca1a23ca0e314bc2f5eb
SHA256 c6131cf62fdbde3c5413a61b4bd45a80a1936209de2b5fa5010275ae9072d064
SHA512 522b888eae704bc784e9fb0c845da1d0ba592891a29135c489bac6f8e08c6b6cf5917934be6c87f33e9dfc73950399c96811d06a023d43e3ab3d2dc9b93a9a30

C:\Windows\System\VCBprxR.exe

MD5 fda7e19aed43fa1a49ffe89c388a94fd
SHA1 e937b4d8ba7b963a815e98225d2724d0209a8f9e
SHA256 c42922a3b9170e8854d44f544d9868997711c1abee796e179122c70198dcfefc
SHA512 fca492a8f61dc7c03967ba725c93f0ac9c1a0422df4912cd6dc02b94ec62b996129d682eb4121add902fa3e4306d0c80ecd80ea91df276391febe20fb447fb3f

memory/4564-101-0x00007FF7A4550000-0x00007FF7A48A4000-memory.dmp

memory/4052-109-0x00007FF6101C0000-0x00007FF610514000-memory.dmp

C:\Windows\System\nNNkcqG.exe

MD5 e7dda3ac14535f5b57e621e83f31e900
SHA1 977b536f6c55aee5e52e5028663631bc957855b2
SHA256 54e3d5075a1c8835d9cd7f58b71dfadc34e944dd56af774722139aafff5f9387
SHA512 2ed886f33768fbcbcb1ee69797f8b361904932ac1f4b3f5ee439f1fce0aafc5ed9301479f0d521bf49c64c61057bcb428fc8024588e2453e5285d6199c60ec6a

C:\Windows\System\vEMrFLN.exe

MD5 8fa22e74f19a662577aee8873880c1be
SHA1 a5530ee53a9e9ab7084126acf98d9695c88a789f
SHA256 6bef8902f2bb28c584f8fe1422bc233f78f117247e814ccb490f1c3c34929244
SHA512 13ddf3cf9f8ccd91162d8230dc2c1496ca0c25fefba4d460e6543008b337c91c73977a4ecb8cee9b50e4209be8720a056f495738f4eb0f9c76c2b1df6d3c7e0b

C:\Windows\System\njUztHS.exe

MD5 a346524a981867f710c5b9142d484c96
SHA1 5d0bd5a8ec21fffab4184568505077e1b51ed221
SHA256 3db2304893221ece71a9edbff501227c9a0a13f03fc14c3d4b9c7b3a7c79c97d
SHA512 582784300cc345a528e9c98be199f4bd75bc7c9ef90cc81100415f7cf06877599b24447b4e66520438a9f9d79d4e92d4c275a810fc7e4fac017b083c24e9d5ea

memory/2832-115-0x00007FF7D9090000-0x00007FF7D93E4000-memory.dmp

memory/1288-122-0x00007FF6D04E0000-0x00007FF6D0834000-memory.dmp

C:\Windows\System\tirQKHj.exe

MD5 afc3f716dba55c7d8c94f9069389ad7d
SHA1 bd055b8043707467dbce1c3a5a980e7b7ee83acd
SHA256 a9717904ce091c0a558b17348a67c31f9007f61b812df3074a3b00ccf3a4e274
SHA512 bc1caed8f2489ea94777083ac47ae94a350aafab8e2d5c58d19e30f4ac06f7f6123bbae0d7f53bf0e4b096c4724d83129508c8bfc49fec1934660ee464189f49

memory/4332-127-0x00007FF6C6770000-0x00007FF6C6AC4000-memory.dmp

C:\Windows\System\aSSaRSq.exe

MD5 53b43fc42a5c1c00789728229f92c220
SHA1 b88c2925d12b71c6dbd17e5d1839078fdf2cc5e7
SHA256 d53cd73529432cc5f13e998012d0ef558a7886a8cf7eb2341f31988dbd3b725d
SHA512 5297700400a5f6ddc10d921a8d2aac4f230b465b3c0afacfa737ba743712acc9c2bd510c25fd2a6b60c55c4e5d9889791ebc0001336110e3885edfe2d36eda22
