Malware Analysis Report

2024-10-16 03:09

Sample ID: 240608-vz54gadg7t
Target: 2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike
SHA256: f74f0a97b1e86ebfa6fae4e0fa60952293e0097a5ad79fadffca25b30d95c7d2
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: f74f0a97b1e86ebfa6fae4e0fa60952293e0097a5ad79fadffca25b30d95c7d2

Threat Level: Known bad

The file 2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

xmrig

Cobaltstrike

Cobalt Strike reflective loader

Cobaltstrike family

Xmrig family

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-08 17:26

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-08 17:26

Reported: 2024-06-08 17:29

Platform: win7-20240221-en

Max time kernel: 142s

Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target Count
N/A N/A N/A N/A 21

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target Count
N/A N/A N/A N/A 21

UPX dump on OEP (original entry point)

Description Indicator Process Target Count
N/A N/A N/A N/A 64

XMRig Miner payload

miner
Description Indicator Process Target Count
N/A N/A N/A N/A 64

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A 21

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 64

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\EDWvJaf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\idQXdew.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HqiNHSD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KaLQPTW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AcBQSrx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pqJVxam.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CLHEVnK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ddfmXfw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LomkydL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KXHRRhp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hXKoNgq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GPbBkjg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JLZLIlB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xotMHfV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mtiQutW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KTzNjQj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Dvqqdhf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fZOBlLx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OnIkhbd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MgDbiLF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PtTNCir.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1676 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\Dvqqdhf.exe 3
PID 1676 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\EDWvJaf.exe 3
PID 1676 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\fZOBlLx.exe 3
PID 1676 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\GPbBkjg.exe 3
PID 1676 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\JLZLIlB.exe 3
PID 1676 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\pqJVxam.exe 3
PID 1676 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\CLHEVnK.exe 3
PID 1676 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ddfmXfw.exe 3
PID 1676 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\xotMHfV.exe 3
PID 1676 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\LomkydL.exe 3
PID 1676 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\OnIkhbd.exe 3
PID 1676 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\MgDbiLF.exe 3
PID 1676 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\KXHRRhp.exe 3
PID 1676 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\idQXdew.exe 3
PID 1676 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\PtTNCir.exe 3
PID 1676 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\HqiNHSD.exe 3
PID 1676 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\mtiQutW.exe 3
PID 1676 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\hXKoNgq.exe 3
PID 1676 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\KaLQPTW.exe 3
PID 1676 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\KTzNjQj.exe 3
PID 1676 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\AcBQSrx.exe 3

Processes

Image Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\Dvqqdhf.exe C:\Windows\System\Dvqqdhf.exe
C:\Windows\System\EDWvJaf.exe C:\Windows\System\EDWvJaf.exe
C:\Windows\System\fZOBlLx.exe C:\Windows\System\fZOBlLx.exe
C:\Windows\System\GPbBkjg.exe C:\Windows\System\GPbBkjg.exe
C:\Windows\System\JLZLIlB.exe C:\Windows\System\JLZLIlB.exe
C:\Windows\System\pqJVxam.exe C:\Windows\System\pqJVxam.exe
C:\Windows\System\CLHEVnK.exe C:\Windows\System\CLHEVnK.exe
C:\Windows\System\ddfmXfw.exe C:\Windows\System\ddfmXfw.exe
C:\Windows\System\xotMHfV.exe C:\Windows\System\xotMHfV.exe
C:\Windows\System\LomkydL.exe C:\Windows\System\LomkydL.exe
C:\Windows\System\OnIkhbd.exe C:\Windows\System\OnIkhbd.exe
C:\Windows\System\MgDbiLF.exe C:\Windows\System\MgDbiLF.exe
C:\Windows\System\KXHRRhp.exe C:\Windows\System\KXHRRhp.exe
C:\Windows\System\idQXdew.exe C:\Windows\System\idQXdew.exe
C:\Windows\System\PtTNCir.exe C:\Windows\System\PtTNCir.exe
C:\Windows\System\HqiNHSD.exe C:\Windows\System\HqiNHSD.exe
C:\Windows\System\mtiQutW.exe C:\Windows\System\mtiQutW.exe
C:\Windows\System\hXKoNgq.exe C:\Windows\System\hXKoNgq.exe
C:\Windows\System\KaLQPTW.exe C:\Windows\System\KaLQPTW.exe
C:\Windows\System\KTzNjQj.exe C:\Windows\System\KTzNjQj.exe
C:\Windows\System\AcBQSrx.exe C:\Windows\System\AcBQSrx.exe

Network

Country Destination Domain Proto Count
DE 3.120.209.58:8080 N/A tcp 6

Files

memory/1676-0-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/1676-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\Dvqqdhf.exe

MD5 5adb7c312bbd554b5fc2687335a45561
SHA1 094a035953248a60117690c670d6595c4d49134d
SHA256 14280bc60a860401a06ba506ca731f3b6683921c456ac3346b9d61df24d03ee3
SHA512 f0cf3c2450fad8b39283db61b155f705002d2a3c563633e3c485cbfed233e7a6c0774ed88436344e41e85859db8b275c1ec651cd88db50e55768e947ae6d158d

memory/1676-6-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/1676-11-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/1924-10-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

\Windows\system\EDWvJaf.exe

MD5 fc1cc4ed75000d49ac57c15151da9a23
SHA1 0831ad3c3a889d7b528cbffc0dd5da8c79f1e76d
SHA256 1a6858749d414b91c879df867736928b58bc361fc1011b865f722090a5d2115e
SHA512 e8eaa04711cbead7124e0c545101c9945183cc7be39ecd0a5079790d3f5bb8e5be7c01b29b9c88e69b849a838db0ceb0ca38733509c2c4f4756014f37431e5c5

memory/2176-15-0x000000013F470000-0x000000013F7C4000-memory.dmp

C:\Windows\system\fZOBlLx.exe

MD5 46a8b3c13dc34e2bb7f2b40b4c817748
SHA1 283585ad0308dd424cc7dda8489a9df68855267d
SHA256 22875e32a1faa1ae240d32cc88d67f6afeb8cbd3c854211220985fb27abad14e
SHA512 c2df1d706e3abd5526d90e38d2219be539994a415a18cd0564ca95b9570efb95f89f6d01c2a7d712138a3492c59ba20d27d10fd095630b8d19d915b9c58ba1b1

memory/1788-21-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/1676-20-0x000000013F910000-0x000000013FC64000-memory.dmp

C:\Windows\system\GPbBkjg.exe

MD5 7a81435e6e0e6b16b5eea5d73915ef1b
SHA1 606a9f41c828b874f74ee5327b1d4ad2659e4545
SHA256 e07e6b5c667b029a187de9596baae00bccad03798a1c57df21816cb31dc3bfa1
SHA512 505289827479b91d1ac3c21bf5894fbccf92871b9b8d19c4710f3f884e3d9723f4e1539a5893bc22a97a91ddf56cdd3d9a2499dbeb978f7b8f2059d7aa55ec97

memory/2620-28-0x000000013F510000-0x000000013F864000-memory.dmp

C:\Windows\system\pqJVxam.exe

MD5 bcabc0661c8e4045cad152e59c1b0fcb
SHA1 7cacf781d7aad5622d5c177f6f1bcdf000961cdd
SHA256 4a7a124f7b322c84b20b831bc8705d5e5140df0fd3b977eb39dc0c9cd9f6ecf1
SHA512 b0821eaf29ae3b6d03e3406bea187a491c5fef78c50adc67571703e5e4979c329286f006e7742114b74b95236e61f079765edeab3b4b25474f47b2ae14eb65c7

memory/1676-54-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/2776-56-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/1676-70-0x000000013F5D0000-0x000000013F924000-memory.dmp

memory/1676-84-0x00000000023C0000-0x0000000002714000-memory.dmp

C:\Windows\system\HqiNHSD.exe

MD5 2054866559794bbe814d99039314ab8f
SHA1 95a17df510756cf1966691729c53d3db529b2d61
SHA256 a0f19a183dd0f23ef3bf1b8df2ab82d8bdb8a6538f10c85271b747709145937f
SHA512 e3608d3eb1ee0169be4a5e8458d3a8b4675cb6bbaae56bcb2667e4d2875ca58db94d86f6e3f45d6c4615847c2d5c24739ffab8cf5d758606ec2df5611c224b7f

memory/1676-108-0x000000013F2F0000-0x000000013F644000-memory.dmp

C:\Windows\system\KaLQPTW.exe

MD5 3dff2c5940d3bcb2b88a60d28d2e652c
SHA1 3365724c6de8a8d399f0ce1a064634581c78c4e0
SHA256 85f293a6baf6289d202612da4c9aa50d5ae7b65e60f551c72e59d62abb5ee50e
SHA512 f626504a84a5770d36ce2e7d4be6261d092ffb02ae9cedba6ccc0112dea648657c58e0759cbc31d16257772bcce99a48da8b2e42f9e0d02d61fc84ec8ce350ef

C:\Windows\system\hXKoNgq.exe

MD5 4812f37be94445fe12d70136bcc5bd3e
SHA1 5dc4c9ebd6aa983c714e1affabfb54840772646c
SHA256 20d6006b6ce6daa0698d56ae175d68ee7f8e3dac4b35feab21c55754f952e5a5
SHA512 d013463350f3880fe6567d0d8cf6ef34050901aaf860979f1e796be47a6258e44d56dbee264fd7179de57d9bbf7375d10206b7074428a2960e6daff67224991e

C:\Windows\system\mtiQutW.exe

MD5 670cfd38e51888547b8f902513dfcf72
SHA1 5d9030bc6d4160b67849bd6559cf9da0625a3e19
SHA256 97e2d75db129b14ea1bf6e24515adaf3542ab15f09b090a772ed62f71aec7f09
SHA512 00d590100035d1cda45de730f498f11b62c7d617eef0c1d1c8f22a362f33f60877f0de9b91645567a8aa3323af9c6965d7bdaedcd88a1b4312a6a017943b5435

memory/2556-107-0x000000013FA10000-0x000000013FD64000-memory.dmp

C:\Windows\system\PtTNCir.exe

MD5 004a5ab00c72dcf7535767decdfa03e5
SHA1 0cf9b393affc1e1a716cef0f83d12b8b2263f4f6
SHA256 dd58cddf8b9bcb5b65939de2d937060fcd25ad40b906f6090c93c026b8d8acd5
SHA512 7f9e05e28924505972074b1018b5f254bc873a6954f1bc177332a91ada30731cde80b369ea79fb563301a9c53c7921c6ed4ca533a5f9150f27da52bc3375099a

memory/2700-128-0x000000013FB10000-0x000000013FE64000-memory.dmp

memory/2816-101-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/1676-100-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2796-94-0x000000013FEE0000-0x0000000140234000-memory.dmp

C:\Windows\system\idQXdew.exe

MD5 8c48fab62d51fd0f47605d8c1f9e08bf
SHA1 1c67a36ed3f399ea3202451271c9c08eb6f8626c
SHA256 43a7c36503ba20b348157d4aa4aadd7c934e058239df33018f031ef1058a668f
SHA512 a8011cee107c1acc6b76edfbaa30319b68bd76220b8da59e8541a7205839c440468700c334ed735f35f454036d928ac4b8e2aa88467a9b30858b76b574e654d1

memory/1676-93-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2620-92-0x000000013F510000-0x000000013F864000-memory.dmp

C:\Windows\system\KXHRRhp.exe

MD5 fb31433896d531c21a5601012f8b0859
SHA1 05fe7c75eeb7fe627580f37123e8b327d8777675
SHA256 3aff103ca0f97ec43f9c2fdbad1d25353b0e8d2cdb094de2baaaed2c21b7480f
SHA512 cbbba40e507c87c5fedf3d31c05955f59c401ac7fb5f760fa5ee9eb3dd7180355f3796fbb506fbdbc161267914c593664c8a702a957a3f1c88a79b9d9dbfd3db

memory/1800-85-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/1788-83-0x000000013F910000-0x000000013FC64000-memory.dmp

C:\Windows\system\MgDbiLF.exe

MD5 1b0aa373af847254a3ee872034dcb73f
SHA1 c8611410237eade90519cca982b8962147a3bedd
SHA256 ae4cd96154f168dc3c611124c082a8b5ecee6d3c5894c5bf9b7fc85328315c0f
SHA512 d518ff82ad75b797f4af711089b0eff084dbf36f132e128985e25769b557d026046b194375e6b0de79581adaed13dd38d8c9449432a432a10db01ae411b1bc02

memory/2380-77-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/1676-76-0x00000000023C0000-0x0000000002714000-memory.dmp

C:\Windows\system\OnIkhbd.exe

MD5 ddbe9d4a69a2fcc16e707d5b116d91fe
SHA1 eaf72d29acbe1f5f5ea6cd9737864945932e15d6
SHA256 ed201b0e3634d401a7465e64d221ea0643ecce39b185b9fc7b3b9e7942b249e4
SHA512 73f33e57276d793e7d6c91df67e1bbae4ae38894f267c6137a7b0e7420b7e46e765c4fa225ffdb6a3c51d2e4ed9dc0a1742a87cae49cf62c9d2002c78900183b

C:\Windows\system\xotMHfV.exe

MD5 faae79a1effbfcdf067a0e169362c08f
SHA1 6d20ac9d7f77504877feb6b14704d9b6d9026c9e
SHA256 bdd397cc8d4e4fe1ad4880b3836b9066ba1168ff487caac9ada302af0ccf9178
SHA512 6646101ba79717052383385b31151c387001c57e5523031582041b15572480067d83c8c3d76224db132e82ddaebfca00d586bf1916064f4386adb5167f9f726e

C:\Windows\system\LomkydL.exe

MD5 dfa5ad145c822c8b4d88aa180d8ca6ba
SHA1 d0ba3a89d1b3221ff16c6732946fa13fa98205b8
SHA256 c0670248d67d5bf0b2159a4ceaed04d6fc15b250f69b1192bbb8e5632b74df45
SHA512 f2a2f0e8a5c66c37988689a72e67fd2f5331b51c5fe233329e316f286a6ac637cb8ef209fe2798b157976764144c80a6179586988ff44d25d478abb145286ab9

C:\Windows\system\CLHEVnK.exe

MD5 6cc4873f248c6c46da589f5f8f409014
SHA1 cc6cc61c89954cea4494fade43f1636bbd09be59
SHA256 0ec96c8274371ebcf578c67f492edea8405972ef677f5754aeadbe5822e7d645
SHA512 68ed936aa36b5e58e9b9c1e45aab548678cc49085ca99f67236861ce323ef6743a04109d49d5d546a84590dca1855d364a80197b840764cc6ad3ae4d37dc60b2

C:\Windows\system\ddfmXfw.exe

MD5 bb69b1160b35e2b558e654f9352eac97
SHA1 7863b013d5e78aa73cb3325cb0e373be5548a886
SHA256 c9ca11d64615ff11aeffdc8af6cb64c4ee68947ba188bbe668ce19b89431c1c0
SHA512 e982b38b97ac3fa8f93678888192952880d5af72f35cee02d7c32d83929c32f59d0c6086197da5ef01b70c9d6d6b5cf3f3d516666f8de0acadb66163d2d60b83

C:\Windows\system\JLZLIlB.exe

MD5 0af336a98182609ea1e21d11b9c56600
SHA1 8dcfb8355b585cccbfd18c5f8ec151c4275adbe3
SHA256 c01809beff3d142a71415e760feb0334509c3592717d148d6c00c96cb317054f
SHA512 368f0b679ab06d7c2adca36fa9b0645231149d1a66007bcb9e2d8f5a8278a3125fc2d5ddb4d890c058fdc9a598968385ae675614960d53239e3ff7d10f03bb8c

\Windows\system\AcBQSrx.exe

MD5 3f8b534d8cc1ec5d4c394b832d810913
SHA1 0e81d206036c9673ec78b37589e8252056aa3f1d
SHA256 464fece0ed51b4c7adfdef6b8737a1f77b377c2559204ab19164b3f521deb0a6
SHA512 f688f21154eded22a46688d59121569aa1e2a148ea73c7e86c0eeadd68d57b462df2d9cf2f3655413082ecb30742e162b2ea4fbf50353229fc1b076adb7d63f5

C:\Windows\system\KTzNjQj.exe

MD5 4879daa1f7f125c9926f06890d59047c
SHA1 78b517266bb0b75fe507f0c946ad9f33ac57d71f
SHA256 9d9c9712d1df01fddfca2e249e69bf7f52c278fa256e6a8d8ce740b1dfa2e458
SHA512 7483f0ab7e622b1bfcc89becefaabf6fe5cc96b019b8de220adf81a19b459b50932bcc58a40bc0da686e494d6e89d493a6ccf6adefd59d1e11379e9b1b295ff5

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-08 17:26

Reported: 2024-06-08 17:29

Platform: win10v2004-20240508-en

Max time kernel: 148s

Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\jMcvHrq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\saKUdxJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FPCsXzi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pjtBKgg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nZeijsa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WschQYr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vjSjnTe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MGHlCdW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EPjFpcw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QNrQHTH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kbnoEHd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ATWLSHn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\whfWcAt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KWuqaVb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zNUcpYi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sTcTugj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yKBJsjA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZALDYBx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fPxqYHu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tkcQmEG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vECpTFb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ATWLSHn.exe
PID 1628 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ATWLSHn.exe
PID 1628 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\jMcvHrq.exe
PID 1628 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\jMcvHrq.exe
PID 1628 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\whfWcAt.exe
PID 1628 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\whfWcAt.exe
PID 1628 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\fPxqYHu.exe
PID 1628 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\fPxqYHu.exe
PID 1628 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\tkcQmEG.exe
PID 1628 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\tkcQmEG.exe
PID 1628 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\nZeijsa.exe
PID 1628 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\nZeijsa.exe
PID 1628 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\saKUdxJ.exe
PID 1628 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\saKUdxJ.exe
PID 1628 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\KWuqaVb.exe
PID 1628 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\KWuqaVb.exe
PID 1628 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\vECpTFb.exe
PID 1628 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\vECpTFb.exe
PID 1628 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\zNUcpYi.exe
PID 1628 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\zNUcpYi.exe
PID 1628 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\sTcTugj.exe
PID 1628 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\sTcTugj.exe
PID 1628 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\MGHlCdW.exe
PID 1628 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\MGHlCdW.exe
PID 1628 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\EPjFpcw.exe
PID 1628 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\EPjFpcw.exe
PID 1628 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\FPCsXzi.exe
PID 1628 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\FPCsXzi.exe
PID 1628 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\QNrQHTH.exe
PID 1628 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\QNrQHTH.exe
PID 1628 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\yKBJsjA.exe
PID 1628 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\yKBJsjA.exe
PID 1628 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\WschQYr.exe
PID 1628 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\WschQYr.exe
PID 1628 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\kbnoEHd.exe
PID 1628 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\kbnoEHd.exe
PID 1628 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZALDYBx.exe
PID 1628 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZALDYBx.exe
PID 1628 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\vjSjnTe.exe
PID 1628 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\vjSjnTe.exe
PID 1628 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\pjtBKgg.exe
PID 1628 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe C:\Windows\System\pjtBKgg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2203b94a02a1d749bf22e659b5730dc7_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ATWLSHn.exe

C:\Windows\System\ATWLSHn.exe

C:\Windows\System\jMcvHrq.exe

C:\Windows\System\jMcvHrq.exe

C:\Windows\System\whfWcAt.exe

C:\Windows\System\whfWcAt.exe

C:\Windows\System\fPxqYHu.exe

C:\Windows\System\fPxqYHu.exe

C:\Windows\System\tkcQmEG.exe

C:\Windows\System\tkcQmEG.exe

C:\Windows\System\nZeijsa.exe

C:\Windows\System\nZeijsa.exe

C:\Windows\System\saKUdxJ.exe

C:\Windows\System\saKUdxJ.exe

C:\Windows\System\KWuqaVb.exe

C:\Windows\System\KWuqaVb.exe

C:\Windows\System\vECpTFb.exe

C:\Windows\System\vECpTFb.exe

C:\Windows\System\zNUcpYi.exe

C:\Windows\System\zNUcpYi.exe

C:\Windows\System\sTcTugj.exe

C:\Windows\System\sTcTugj.exe

C:\Windows\System\MGHlCdW.exe

C:\Windows\System\MGHlCdW.exe

C:\Windows\System\EPjFpcw.exe

C:\Windows\System\EPjFpcw.exe

C:\Windows\System\FPCsXzi.exe

C:\Windows\System\FPCsXzi.exe

C:\Windows\System\QNrQHTH.exe

C:\Windows\System\QNrQHTH.exe

C:\Windows\System\yKBJsjA.exe

C:\Windows\System\yKBJsjA.exe

C:\Windows\System\WschQYr.exe

C:\Windows\System\WschQYr.exe

C:\Windows\System\kbnoEHd.exe

C:\Windows\System\kbnoEHd.exe

C:\Windows\System\ZALDYBx.exe

C:\Windows\System\ZALDYBx.exe

C:\Windows\System\vjSjnTe.exe

C:\Windows\System\vjSjnTe.exe

C:\Windows\System\pjtBKgg.exe

C:\Windows\System\pjtBKgg.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

C:\Windows\System\ATWLSHn.exe

MD5 df9e2b454aa14e8a4a8bae86253410bb
SHA1 96f680fcb5ba16a58a86f6c075ebf40f3d432d97
SHA256 6e95d19ca2e3f2879a86cef9a02df10dc7ca7aa702ab6086c1e14269c3973330
SHA512 486eaef6dc10ac265fa3f409bd7e490683de306a13b6603ee153a20772836a4e5f5784d2719562b533a7c6da9694ceae06ea8ee4a5d7ca74bfa3d55bd936240e

C:\Windows\System\jMcvHrq.exe

MD5 fa4169d7ea13bc73ca2b61d8de3572a8
SHA1 8faa99aa7938d9a44982f6607a650c3dbf9b80dc
SHA256 d04e890d30e1830f1f2701d50e659336a1625789daa2e8da8767c925f3bc71f9
SHA512 ea3594d5294fe3303d93a2d70a12dcba2076aaeb971c42a4d7c6e365a55626bd1dcbae0dcd3bf0ff3643f5d0587acab80bdd0ec6cd3a6f9e04cef840ac851464

C:\Windows\System\whfWcAt.exe

MD5 23fadc2f0d17cc6f452ed1f48089f521
SHA1 e2a43129b7ae39f0604d76cc60f6775cd390ffd6
SHA256 5894c8b7dde947df9ca4aaee8c25bc03fedecf6fd7baee5e067c80fa5f213d32
SHA512 6800bea02e5870ab7a5b2c1bd732ba074a0cc325a6bbeef520954a85afdee82a1772ee152af0e76f3019f93dd8b2fec2f7739802153226ecf4857d1265a11e07

C:\Windows\System\fPxqYHu.exe

MD5 594adb894b586073dff8c850ce2176ef
SHA1 68e76dfa9ad2f0aa58ea572aa699f476c5f1546e
SHA256 39aaff3a0c69a7326575ef887374c384d4a08a851fc93849077688e6f7b1f87a
SHA512 b6de0952c5cac67151e16a4a7acfdce42feed4e98603a4037d4e1dd2b1525aee0a876f59729a832c85824bafb5fc3490d9e128c25fb16f459bd056f3b6028d77

C:\Windows\System\tkcQmEG.exe

MD5 201ea7b37fffa785ccb1deaf0da9fd02
SHA1 9221d070cc35b246bb28dc592cd7224d1d2c56da
SHA256 e7b929fa44c5b63a2c53bbd6f4e41f6270b2b9a2cfd1ec980e93a8433810b827
SHA512 85efc81e7ab70891465518cf0094c324051cd66ee5095ceb36d02d4fde9475330f4caba258111d69b64855ee90f4f26cce4f6b4ce9600fe53527db3e09e7f7e7

C:\Windows\System\nZeijsa.exe

MD5 51453d292f1d276bb9a2cf3420cb8743
SHA1 dfea8cf05e77906ee81c7bb37cf3a91e79ec65df
SHA256 75014b13f1918caefca838bdcb95040d831fa3219da1f644ea99b489dab6fdeb
SHA512 b022fdc432bcb929f4fb618286c5ee9c911c2b198a657605c0d39042047d6bccb7a7399b4432b08020637764cee51cf6ee284405ca6bb9552f6c647b74504a68

C:\Windows\System\saKUdxJ.exe

MD5 f821a4d9cf5aa9e2f8f864a00c9b08cd
SHA1 a489a4b4743b8f91c831dc2e7812967db0f4dbc0
SHA256 44407e168f3ddb526d9c90044de3a2ee689b91d10f0e9b11f85b3b0a42988735
SHA512 ff5f53c6ed656e9f5edcfa8bed6bad4a4a79e21dae03307ad733003591ec55583ff456abce0bc747982230ca19c9ae3e38daecb2f8233efe53a1b5d0127d11aa

C:\Windows\System\vECpTFb.exe

MD5 88d5491d3bbcf7a5a8ffa7d886cf3463
SHA1 6d0424f0b2f4245b250a677712590d1067c3be0e
SHA256 24b2df1a6e624d8f1d1fd6a6b2f5ebffa3ed4731b733a5736904d076281df9c0
SHA512 a7679f7c4b1ee91bf6117af9de6093457d110f02239f0f6059a2fe2e879a6b7cc3b298c1048ce2f6f314a3794df3a6b1129d978c3a5d0cef45994b66ca77bb7e

C:\Windows\System\zNUcpYi.exe

MD5 21d6edf5a1b12df34189e36d713c403c
SHA1 5f2890118655d1a19feee5687c1f4ed380903e47
SHA256 f8d8c8914e451d3b146f00e99efa894420b22f4b1b120d3a7fe043bfe60296b3
SHA512 99a9d1b40cabe17885681a8829f24d68e2556254a5928f553b2d8cc9493878578609ffecdd44ef3f58c5a16234a0413fcaac15551d6b376a240bdd62b66b4f0c

C:\Windows\System\EPjFpcw.exe

MD5 487f00b58281e34713959e789cc0dbbb
SHA1 b12a653363784a4282133861c38cf6e74ac81f50
SHA256 2b169b9abec9324aeea88dc3dad3c3c26e635063faee45bb1b9eadb242744584
SHA512 35823e2647e64d86944d52d06bc13f487f7b86b31cad94544c7366c589e0e072e372ae416b60328c5350122dc0d9858fc08a92b3c0db83795b22c735f7099bfb

C:\Windows\System\QNrQHTH.exe

MD5 363df6f8611049e0866b2ed629de530f
SHA1 7b3422fcc28e6ed23978abdb905f6d11ffb9e3a3
SHA256 9bcbdc55b0d4d9674aadb438e4f4d8679b8c368dcdde426ae64351482b46358d
SHA512 d9376691bf3a296bd0f062726fff38b5a8a26040e163522a30189719202e58973223ed6b012df1b18138de7f924eea1fe14b4b2e78d183485fb60274520880e1

C:\Windows\System\ZALDYBx.exe

MD5 ca178b2cd37b8e46c31764825065de55
SHA1 0185da1215800f79cbf6d82470b7ba37a9d365bc
SHA256 d373a05aa2eb03d6538b39d29943fc72bef7689566bac049fc1d8d2e44a05eb8
SHA512 b559f86e04041230ff020830a23ac76dc0480560937c813887b2c85e9321789e3f6370fb61b15649e310cde1c3c79868fd9fbc65a54c1dd7da6dcb50012395d2

C:\Windows\System\pjtBKgg.exe

MD5 6b5d5bb71552f25df532fb05efffffc5
SHA1 e8f5b2453b6ad31eee8fb11133b68912d159ad36
SHA256 b7b027f10f3f15647da92a2e08fbeffa6171f3a1200ae3b8d78fce8aa91bf0d0
SHA512 49f731b281c7e07ce84f2f8bfa1ae63bd9eac03641cd263e12700b80d444458dce898ddc9e32e28523f4581fb6b58ebdc9128e2af22cd9f3037f5c5d89c74a38

C:\Windows\System\vjSjnTe.exe

MD5 d5cc80fb77008964e4fd9be33dcda866
SHA1 2a36db80e4e47f18a8d050a1cce0fee9bf00f02e
SHA256 bb5a6bd37b1e7469927b86f37dc43cbb0dc726bd28646a2e003e15cf9ed4611e
SHA512 5090ca9587607dc861836df49e4f2781c72c113613db71e0df3170eb9586bfac86c672402f6ba5b31ed228ba77f0c5458abb07a380e45cdf5f98a1db930e2537

C:\Windows\System\kbnoEHd.exe

MD5 5647155a286ca724e940723301c14fee
SHA1 ebd2b3b695906753bb16d5bf9c23a36d1c3d44a3
SHA256 f30e9b7cbb87649a48a65e7f288a2ea47c0d0488d08c07c71c6b2b0b1dfcb351
SHA512 cdd6cc98ae4a4f4e0bbc69bdd2d25b5dd32ea6022b823d5027993610aae1f02ca766bf09f4e1e6c97da7c8e400128ddc4227af0caff75b55141085fd035f1db2

C:\Windows\System\WschQYr.exe

MD5 54098e61b80aa643127816ca175bbcdf
SHA1 531fe138378c4c89c0800ad2cb5d7657b154d674
SHA256 9c0f628b153a57d2758ac7c5d63d32fb5466f5926fd272ef310078aea45624f5
SHA512 bb75a796d78443fe05b1005edd300ffa80f287a5fef70be643fd8ec0eaa2f14676281c6b8dd2f5b0ccdec0808c23258a7b59f119be60ab70208a97d4f0edcd2f

C:\Windows\System\yKBJsjA.exe

MD5 1fe95ccd294bf378b510d3fc5fe41787
SHA1 e8df34296fce78d0f705d1f77e852cb006461974
SHA256 d97ae65217c160b5fb5ded3d494db1eeeee76150b13d36353f4f55ec5f492676
SHA512 247990943bc7c0fbe3d56d816cb7da2823e24fe95626e5750131503bdc5c887b53f95ea1417729e5e1b98a968426cff34884cc5a2736a18b72f9d6491c5f701f

C:\Windows\System\FPCsXzi.exe

MD5 d9fec0e80a0b0aeb977dbc4ef6ce921a
SHA1 98ce407eaf2b936b785812081e3fb74816e59dee
SHA256 07146b95b34628bad4cc5ac1d6d83a99b1618a13636ab8ebbcebe6741e8f64e5
SHA512 73f3ac66411acf0cb5cee8beee09eecb4316ec49f097039edf572c9a1ff19c6ba734751de0c8672b5f2d09ea292428754a0cc4123cfdc80ed9009434c194d58c

C:\Windows\System\MGHlCdW.exe

MD5 db6c291adcf9a9eeba92c613558cacad
SHA1 f292c5e1ce0f0ae36392f441cba459e0948e1231
SHA256 c22cd0c4bb5da013188c5c6e0c8f3c439abc2189c1d34ca27ddc5ab21b1b26c7
SHA512 becb8247761c26c5e8e4129dc75fd87528f68c9e2b09cecb7536365079b93e6152380178365f698e69aae895d6a3aa3b0608eb4ef45b3080fe3ba80d995e1fc5

C:\Windows\System\sTcTugj.exe

MD5 ef5819f9ef33851585314a49de899a09
SHA1 20ace18d281f862367122a0fc71e70fbce9d4086
SHA256 35673710990702fd999e36cb4083efba324b29c9b7cbdea7802b0fd9e0c002d4
SHA512 632957e08ca4bd39681b7413a594d2f6dd0446176e8c9ca722cc57f775d0cde814cbb5fdf040d1b63e3f86684f81b3e847da4f9f3b289c9a109898fde41161c6

C:\Windows\System\KWuqaVb.exe

MD5 1290a6f31743e908f5f8c57441cd523d
SHA1 0e6a973fff3ef57dd1e54da7788d6a0a6a3bc39d
SHA256 7c966ddb463caf713523f3287e087e30e2e8685f5d337680da1a0e1242cfa53a
SHA512 710dadee325c6922f7fc7fd94aa9d551e362ee787699e720cdd03c575581e8dd91170c6cdb7ad6e53d40f71eb5e01047d993a5041d20509cf07644d8f74aad68
