Malware Analysis Report

2024-10-16 03:09

Sample ID 240608-vlflnaed93
Target 2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike
SHA256 b3953cc7e1333ac902b2d55c8048299ce8d983a97ebce0279cd9a9e705515ce8
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

b3953cc7e1333ac902b2d55c8048299ce8d983a97ebce0279cd9a9e705515ce8

Threat Level: Known bad

The file 2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Family, packer and loader signatures (each listed once; several fire in both the static pass and the behavioural run):

Cobalt Strike reflective loader
Cobaltstrike family
Cobaltstrike
XMRig Miner payload
Xmrig family
xmrig
Detects Reflective DLL injection artifacts
UPX packed file
UPX dump on OEP (original entry point)
Unsigned PE

Behavioural signatures (behavioral1):

Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

How to read the two family labels: the Cobalt Strike hits are reflective-loader and reflective-DLL-injection signatures, the XMRig hits are miner-payload signatures, and both match on the UPX-unpacked image as well as on the file, so neither label rests on observed behaviour. What the detonation itself shows is a dropper: the sample writes 21 executables with random seven-letter names directly into C:\Windows\System, each mapping an image the same size as its own (0x354000 bytes), starts every one of them, requests SeLockMemoryPrivilege, and makes repeated TCP connections to a single endpoint, 3.120.209.58:8080, with no domain recorded. The dropped files carry 21 different hashes despite the identical image size, so hunt and block on the drop location, the naming pattern, the privilege request and the network endpoint rather than on file hashes.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 17:04

Signatures

The static pass records one hit for each of the following signatures; no description, indicator, process or target detail is attached to any of them.

Cobalt Strike reflective loader

Cobaltstrike family (tag: cobaltstrike)

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload (tag: miner)

Xmrig family (tag: xmrig)

UPX packed file (tag: upx)

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 17:04

Reported

2024-06-08 17:07

Platform

win7-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

21 hits; the report attaches no description, indicator, process or target to any of them.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

21 hits; no description, indicator, process or target recorded.

UPX dump on OEP (original entry point)

61 hits; no description, indicator, process or target recorded.

XMRig Miner payload

miner
64 hits; no description, indicator, process or target recorded.

Loads dropped DLL

21 hits, every one attributed to the process C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe; the path of the loaded image is not recorded.

UPX packed file

upx
61 hits; no description, indicator, process or target recorded.

Drops file in Windows directory

All 21 rows are "File created" events by C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe (no target recorded). Every file lands directly in C:\Windows\System under a random seven-letter name:

C:\Windows\System\iEMqbQu.exe
C:\Windows\System\FyhCLSH.exe
C:\Windows\System\hNsIMna.exe
C:\Windows\System\sGUXola.exe
C:\Windows\System\kApBdiu.exe
C:\Windows\System\MaPwKss.exe
C:\Windows\System\NKalQDf.exe
C:\Windows\System\qckOjdm.exe
C:\Windows\System\wPhkDGB.exe
C:\Windows\System\DzDiItT.exe
C:\Windows\System\VyIVBck.exe
C:\Windows\System\hoaQyfY.exe
C:\Windows\System\lnRGNyf.exe
C:\Windows\System\yjSiAuy.exe
C:\Windows\System\qzunQdK.exe
C:\Windows\System\cuEdKmX.exe
C:\Windows\System\fFgIfaA.exe
C:\Windows\System\vNZbakg.exe
C:\Windows\System\hszmZZE.exe
C:\Windows\System\fIYFDwp.exe
C:\Windows\System\bttFvvY.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
(the same row is recorded twice)

SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig needs to back its RandomX memory with large pages on Windows, and the miner tries to enable it at start-up. An ordinary desktop process has no reason to ask for it, which makes this token adjustment a detection point that does not depend on the file hashes; on Windows 10 and later the request shows up as Security event 4703 ("A token right was adjusted") when that audit subcategory is enabled, and it is worth filtering that noisy event on this privilege name.

Suspicious use of WriteProcessMemory

All 63 rows have PID 2220 (the parent, C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe) as the writing process. Each child PID appears three times with the same target, so the table collapses to 21 entries:

Writer PID Target PID Target image
2220 1044 C:\Windows\System\MaPwKss.exe
2220 1196 C:\Windows\System\iEMqbQu.exe
2220 2248 C:\Windows\System\qzunQdK.exe
2220 2652 C:\Windows\System\NKalQDf.exe
2220 2708 C:\Windows\System\cuEdKmX.exe
2220 3008 C:\Windows\System\qckOjdm.exe
2220 1552 C:\Windows\System\FyhCLSH.exe
2220 2564 C:\Windows\System\fFgIfaA.exe
2220 2528 C:\Windows\System\wPhkDGB.exe
2220 1992 C:\Windows\System\DzDiItT.exe
2220 2228 C:\Windows\System\vNZbakg.exe
2220 2948 C:\Windows\System\VyIVBck.exe
2220 2960 C:\Windows\System\hNsIMna.exe
2220 3068 C:\Windows\System\sGUXola.exe
2220 2756 C:\Windows\System\kApBdiu.exe
2220 2484 C:\Windows\System\hszmZZE.exe
2220 1332 C:\Windows\System\hoaQyfY.exe
2220 2608 C:\Windows\System\fIYFDwp.exe
2220 2596 C:\Windows\System\bttFvvY.exe
2220 2880 C:\Windows\System\lnRGNyf.exe
2220 1264 C:\Windows\System\yjSiAuy.exe

A small fixed number of writes into a freshly created child, issued by the process that started it, is what a plain CreateProcess call looks like under the sandbox's hooks: the parent populates the new process's memory as part of creating it. On its own this table therefore does not show a separate injection step; its value is that it ties every one of the 21 dropped executables to the parent as the process that launched it.
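The rows above are the part of this report a responder actually reuses. The following script is an added example, not part of the sandbox report: it parses a constructed subset of the "Drops file in Windows directory", "Suspicious use of AdjustPrivilegeToken" and "Suspicious use of WriteProcessMemory" rows (copied from this page, in the same single-space, "N/A"-for-empty layout), rebuilds the parent-to-child process tree from the memory-write rows, and pulls out the three behavioural indicators discussed in this section. The seven-letter naming regex is derived from the 21 drops in this run and is an assumption about the sample, not something the report states.

```python
import re
from collections import defaultdict

# Added example; not part of the sandbox report. ROWS is a constructed subset of the
# rows in this report's "Drops file in Windows directory", "Suspicious use of
# AdjustPrivilegeToken" and "Suspicious use of WriteProcessMemory" tables, and the
# parser is written against exactly that row layout (fields separated by single
# spaces, "N/A" for an empty field, no spaces inside paths).
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe")
SYSTEM_DIR = r"C:\Windows\System"


def drop_path(name):
    return SYSTEM_DIR + "\\" + name


ROWS = [
    f"File created {drop_path('iEMqbQu.exe')} {PARENT} N/A",
    f"File created {drop_path('MaPwKss.exe')} {PARENT} N/A",
    f"File created {drop_path('qzunQdK.exe')} {PARENT} N/A",
    f"Token: SeLockMemoryPrivilege N/A {PARENT} N/A",
    f"Token: SeLockMemoryPrivilege N/A {PARENT} N/A",
] + [
    # the report lists every child three times, one row per write
    f"PID 2220 wrote to memory of {pid} N/A {PARENT} {drop_path(name)}"
    for pid, name in [(1044, "MaPwKss.exe"), (1196, "iEMqbQu.exe"), (2248, "qzunQdK.exe")]
    for _ in range(3)
]

FILE_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) N/A$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
                    r"(?P<src_path>\S+) (?P<dst_path>\S+)$")
TOKEN_RE = re.compile(r"^Token: (?P<priv>\S+) N/A (?P<proc>\S+) N/A$")
# Naming scheme shared by all 21 drops in this report: seven letters + .exe, directly
# under C:\Windows\System (assumption: the scheme is stable across runs of this sample).
RANDOM_DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_rows(rows):
    """Split signature rows into file drops, per-child write counts and requested privileges."""
    drops, privileges, injections = [], set(), {}
    for row in rows:
        if m := FILE_RE.match(row):
            drops.append((m["path"], m["proc"]))
        elif m := WPM_RE.match(row):
            rec = injections.setdefault(int(m["dst"]), {
                "parent": int(m["src"]), "parent_path": m["src_path"],
                "child_path": m["dst_path"], "writes": 0})
            rec["writes"] += 1
        elif m := TOKEN_RE.match(row):
            privileges.add(m["priv"])
    return {"drops": drops, "injections": injections, "privileges": privileges}


def random_name_drops(parsed):
    """Dropped paths that follow the random seven-letter naming scheme, sorted."""
    return sorted(path for path, _ in parsed["drops"] if RANDOM_DROP_RE.match(path))


def process_tree(parsed):
    """Parent PID -> sorted (child PID, child image) pairs, rebuilt from the write rows."""
    tree = defaultdict(list)
    for child, rec in parsed["injections"].items():
        tree[rec["parent"]].append((child, rec["child_path"]))
    return {parent: sorted(kids) for parent, kids in tree.items()}


def findings(parsed):
    """The behavioural indicators worth carrying out of this report, as plain strings."""
    out = []
    drops = random_name_drops(parsed)
    if drops:
        out.append(f"{len(drops)} random-named executables dropped under {SYSTEM_DIR}")
    dropped = {p.lower() for p in drops}
    for parent, kids in process_tree(parsed).items():
        own = [k for k in kids if k[1].lower() in dropped]
        if len(own) >= 2:
            out.append(f"PID {parent} started {len(own)} of its own drops")
    # XMRig enables SeLockMemoryPrivilege at start-up to get large pages for RandomX;
    # no ordinary desktop process asks for it.
    if "SeLockMemoryPrivilege" in parsed["privileges"]:
        out.append("SeLockMemoryPrivilege requested (large-page allocation, typical of XMRig)")
    return out


if __name__ == "__main__":
    parsed = parse_rows(ROWS)
    for parent, kids in process_tree(parsed).items():
        print(parent, "->", ", ".join(f"{pid} {path}" for pid, path in kids))
    print("\n".join(findings(parsed)))
```

Run against the full 63 write rows and 21 drop rows of this report the tree has one parent and 21 children, all of them drops; the random-name check deliberately keys on the directory C:\Windows\System (not System32), which is why a legitimate seven-letter name such as C:\Windows\System32\svchost.exe does not match.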

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe
command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe"

The 21 dropped executables, in the order the report lists them; each was launched with its bare path as the command line and no arguments:

C:\Windows\System\MaPwKss.exe
C:\Windows\System\iEMqbQu.exe
C:\Windows\System\qzunQdK.exe
C:\Windows\System\NKalQDf.exe
C:\Windows\System\cuEdKmX.exe
C:\Windows\System\qckOjdm.exe
C:\Windows\System\FyhCLSH.exe
C:\Windows\System\fFgIfaA.exe
C:\Windows\System\wPhkDGB.exe
C:\Windows\System\DzDiItT.exe
C:\Windows\System\vNZbakg.exe
C:\Windows\System\VyIVBck.exe
C:\Windows\System\hNsIMna.exe
C:\Windows\System\sGUXola.exe
C:\Windows\System\kApBdiu.exe
C:\Windows\System\hszmZZE.exe
C:\Windows\System\hoaQyfY.exe
C:\Windows\System\fIYFDwp.exe
C:\Windows\System\bttFvvY.exe
C:\Windows\System\lnRGNyf.exe
C:\Windows\System\yjSiAuy.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp

The same connection is recorded six times. No domain is associated with it, so the address was contacted directly rather than resolved by name; it is the only outbound contact in the run and the one network indicator this report yields.

Files

memory/2220-0-0x000000013F9F0000-0x000000013FD44000-memory.dmp

memory/2220-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\MaPwKss.exe

MD5 9343617b97089dcd03de729b818e1a00
SHA1 b2c496be591b7e09346bc1891ee60ca48e7395e2
SHA256 d5604c08861a1a8ea433a6d3e003317cfef8c2fba3b5e5cff8808e2e5ef6875c
SHA512 eeb2c3f4dbaf55abcc50504513a45b04d7644b8dcc3e2260dd2bfa6497c1bbbbc70a7a63e18950ab58102bcb5b6fca054f9431e96d7f8e571912d8f8fb6223d8

memory/1044-8-0x000000013F3C0000-0x000000013F714000-memory.dmp

C:\Windows\system\iEMqbQu.exe

MD5 b59bb966258daeed785223f7ab66d7a6
SHA1 19551b4b249360281c9e5aebd42fa4d13225f331
SHA256 3b98a4090a899ea68f49ed6a152ed2d9cb86b59829c5e30d5b5a264ccbbef5e9
SHA512 cd43dd78bab06281c8a44ce8b8efa7fadaa2afc19ee671f6cc0610a60b555555210351febba603c7ce43a209f62695c9f32b428b69366500c23da50d5c14999d

memory/1196-15-0x000000013FDC0000-0x0000000140114000-memory.dmp

memory/2220-13-0x000000013FDC0000-0x0000000140114000-memory.dmp

C:\Windows\system\qzunQdK.exe

MD5 80f5fc9000c230d674752b2d2caf44d0
SHA1 09f7464a0ca4300035d1a975f971722dc86575c7
SHA256 0047d5ee624546377d1a8f81573bca9d5dd3ace18ce1b987e3ac1faa37a53d54
SHA512 1dd4511b4e57acc7f2b5267d950edb106f4f8edd2b38ce612c7070f197007b99b7ed21cf5bd9b989aa8bbf7db6a893a676fdf52bbf77c5d221dde845dd904a19

memory/2248-21-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2220-20-0x000000013F1E0000-0x000000013F534000-memory.dmp

\Windows\system\NKalQDf.exe

MD5 cfe5451890e90bc8b23028d7c10e0c6b
SHA1 19f6aa8313badf27182693cbe9944bd43dec2f76
SHA256 acca2560f4647d84440425112515d4a465132fd61e91933d6f9c80a046c861a9
SHA512 d21b61f28fecd142549086bf2fb5db3b2c3861db91b4c8d36120ea89b758549bdae3b0f86602d2e0d08a1ea0a7d5aa7d42e45e1be2ad764565c604922b32ae6d

memory/2220-27-0x000000013F150000-0x000000013F4A4000-memory.dmp

memory/2652-28-0x000000013F150000-0x000000013F4A4000-memory.dmp

C:\Windows\system\qckOjdm.exe

MD5 2996f1167b52537c01032acff6df573f
SHA1 87355deaf6874160534a87bd3f05543c7dc55d7a
SHA256 23c117e1dc12bb613c0e21b8af375fbbbc4150048a9aa20fa52b0be33232e42b
SHA512 176400d1581bacd6d456369626a3ba944fe10c67d8c5e77d70edcf3728fcd2e92b97c0e55d88839fe884807c40e5ae9f2180e17ee20e5b52ad68f1696301cff5

memory/2708-38-0x000000013FAF0000-0x000000013FE44000-memory.dmp

C:\Windows\system\cuEdKmX.exe

MD5 34a686f78feeb341f11879789c61f5e3
SHA1 abb8ef6f6d1dfd347a2aab43dadcfbae878fd0cf
SHA256 0b346c5ab8571196a6502701f3b117cfe052f628d878e860e53d32aa096d785f
SHA512 9fe009f2ba6c5cceb9b44cbeeecacd868674a1a50aaf0cfb5696cfe356dd1c12f5fed62925ca51c19dc60476f63a6c97a7411be68710b33b7fc1717d8074e035

memory/3008-40-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/2564-55-0x000000013FF50000-0x00000001402A4000-memory.dmp

\Windows\system\FyhCLSH.exe

MD5 ae40a887a56e937620cc4619e046c0a2
SHA1 02827093079bd645299a6c29907dc720bd131294
SHA256 8a274b9bbdca3064c7e079d1b6a3d2f65bccfcf3e413797976be39816d62161a
SHA512 246906f5d5ecda62bfb16c546638b8ed1ed9517a41dad807c2dbe626b86bb9c5d4846585bd995db64581948535997cd16c6e86d897c9d523e314312c410e34c4

memory/1044-68-0x000000013F3C0000-0x000000013F714000-memory.dmp

C:\Windows\system\VyIVBck.exe

MD5 8a1f85ebe6f724cca3818e6b8f243a5b
SHA1 be2b456627c4ca41f7e5645c082afbe8452fb0f4
SHA256 fb55daac88ed2acf330a7749c3e9604bb2ee2c65d4fb4a4f55bf9e9f5179e0a8
SHA512 b64888f61062785269792905673e3bc5e2617617f972863e1bf03211d0f52706605b96793849693b55c84492c3bac0be8e01fef4d20d33b4c74015047452355f

memory/2220-86-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/2948-87-0x000000013FF80000-0x00000001402D4000-memory.dmp

C:\Windows\system\kApBdiu.exe

MD5 1c92b711a717ae80c8d5160e5985132c
SHA1 ec28c339d416f895fcbb8ad7bc01bae3965c4f93
SHA256 4af50aa61eb918e8eac30aff604d80b99941dde1ed57b2d19243376a1941cad2
SHA512 4c36961692657cd376ab1609f58d671cea91c8b3b9e817b4eba752797fc2e30140df05faabe66157d70bc9ce090b845e16381d63fae72f8001810cd9ee6be219

C:\Windows\system\bttFvvY.exe

MD5 9e323df89aa0523801298bbb206fa718
SHA1 74b9923ce2fe138d603219d1e45bcec0dc39b942
SHA256 1247d2b1472b16ce6862c773da6b8e742324001a6488678f4772e5831406bad1
SHA512 6ac5c9179307ea31c24d8d11d578726b4b7afb0d8b3e65a72ddcc5afbb2bd1ece930311989706657d2e683f7d7c0ebe11bad0d9b5e1f4d3fdb2c5b230678a6f1

\Windows\system\yjSiAuy.exe

MD5 27f603f6183a85cd4a07b11b9c667dbf
SHA1 01416973ceba8600346e220ed4625b291178f65c
SHA256 9691741fd192012b36382c651b69c719d621a099e8fa014aa9a24ba4a33dd9d9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 17:04

Reported

2024-06-08 17:07

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VQELhDT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nWQUgtM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jYayYwW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cEDFLVv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sdBXfUS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PbemDII.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xMREccW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RZFAVfb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZrVShwO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PaVzRyo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AXzkJub.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JcSFHFX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xxgHUAD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MStRuNp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DnFqdzj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\slPBxKy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yAhzjYv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ULZCuQx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PCjjdTk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nSEDlfY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qPoqoJG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1328 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCjjdTk.exe
PID 1328 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\PCjjdTk.exe
PID 1328 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\DnFqdzj.exe
PID 1328 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\DnFqdzj.exe
PID 1328 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZrVShwO.exe
PID 1328 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZrVShwO.exe
PID 1328 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\nSEDlfY.exe
PID 1328 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\nSEDlfY.exe
PID 1328 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\sdBXfUS.exe
PID 1328 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\sdBXfUS.exe
PID 1328 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\slPBxKy.exe
PID 1328 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\slPBxKy.exe
PID 1328 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\PbemDII.exe
PID 1328 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\PbemDII.exe
PID 1328 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\xMREccW.exe
PID 1328 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\xMREccW.exe
PID 1328 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\yAhzjYv.exe
PID 1328 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\yAhzjYv.exe
PID 1328 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\PaVzRyo.exe
PID 1328 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\PaVzRyo.exe
PID 1328 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\RZFAVfb.exe
PID 1328 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\RZFAVfb.exe
PID 1328 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\VQELhDT.exe
PID 1328 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\VQELhDT.exe
PID 1328 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\nWQUgtM.exe
PID 1328 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\nWQUgtM.exe
PID 1328 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\ULZCuQx.exe
PID 1328 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\ULZCuQx.exe
PID 1328 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\jYayYwW.exe
PID 1328 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\jYayYwW.exe
PID 1328 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\qPoqoJG.exe
PID 1328 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\qPoqoJG.exe
PID 1328 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\xxgHUAD.exe
PID 1328 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\xxgHUAD.exe
PID 1328 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\cEDFLVv.exe
PID 1328 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\cEDFLVv.exe
PID 1328 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\MStRuNp.exe
PID 1328 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\MStRuNp.exe
PID 1328 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\AXzkJub.exe
PID 1328 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\AXzkJub.exe
PID 1328 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\JcSFHFX.exe
PID 1328 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe C:\Windows\System\JcSFHFX.exe

Processes

Path Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-08_5d548edf9f99d15356514a38f8a126be_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\PCjjdTk.exe C:\Windows\System\PCjjdTk.exe
C:\Windows\System\DnFqdzj.exe C:\Windows\System\DnFqdzj.exe
C:\Windows\System\ZrVShwO.exe C:\Windows\System\ZrVShwO.exe
C:\Windows\System\nSEDlfY.exe C:\Windows\System\nSEDlfY.exe
C:\Windows\System\sdBXfUS.exe C:\Windows\System\sdBXfUS.exe
C:\Windows\System\slPBxKy.exe C:\Windows\System\slPBxKy.exe
C:\Windows\System\PbemDII.exe C:\Windows\System\PbemDII.exe
C:\Windows\System\xMREccW.exe C:\Windows\System\xMREccW.exe
C:\Windows\System\yAhzjYv.exe C:\Windows\System\yAhzjYv.exe
C:\Windows\System\PaVzRyo.exe C:\Windows\System\PaVzRyo.exe
C:\Windows\System\RZFAVfb.exe C:\Windows\System\RZFAVfb.exe
C:\Windows\System\VQELhDT.exe C:\Windows\System\VQELhDT.exe
C:\Windows\System\nWQUgtM.exe C:\Windows\System\nWQUgtM.exe
C:\Windows\System\ULZCuQx.exe C:\Windows\System\ULZCuQx.exe
C:\Windows\System\jYayYwW.exe C:\Windows\System\jYayYwW.exe
C:\Windows\System\qPoqoJG.exe C:\Windows\System\qPoqoJG.exe
C:\Windows\System\xxgHUAD.exe C:\Windows\System\xxgHUAD.exe
C:\Windows\System\cEDFLVv.exe C:\Windows\System\cEDFLVv.exe
C:\Windows\System\MStRuNp.exe C:\Windows\System\MStRuNp.exe
C:\Windows\System\AXzkJub.exe C:\Windows\System\AXzkJub.exe
C:\Windows\System\JcSFHFX.exe C:\Windows\System\JcSFHFX.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
NL 52.111.243.29:443 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
