Malware Analysis Report

2024-10-16 03:06

Sample ID 240608-zv3vrsgc3t
Target 2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike
SHA256 45e98c2c34c8af05def1fffcf0ebcb12c4fa5ce84a64ffb003335138f5402c2a
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

45e98c2c34c8af05def1fffcf0ebcb12c4fa5ce84a64ffb003335138f5402c2a

Threat Level: Known bad

The file 2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

Cobaltstrike

xmrig

Cobaltstrike family

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 21:03

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 21:03

Reported

2024-06-08 21:05

Platform

win7-20240508-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (60 identical rows)

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A (60 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JNXODcp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KTwtOpY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LAoadhJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ueytarp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KgzuBYN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bZvABRk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mLdcpIJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HHwgJld.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jHBQdfl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\niouaeY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QNMVbYS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hyiBngH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aXRFesW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UgJmSgK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UmjdkJD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rUbePhq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QBPDvrh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fcWjvHS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mNrxWif.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\deRPzqz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DeORxyz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\JNXODcp.exe
PID 2056 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\JNXODcp.exe
PID 2056 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\JNXODcp.exe
PID 2056 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\KTwtOpY.exe
PID 2056 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\KTwtOpY.exe
PID 2056 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\KTwtOpY.exe
PID 2056 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\mLdcpIJ.exe
PID 2056 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\mLdcpIJ.exe
PID 2056 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\mLdcpIJ.exe
PID 2056 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\rUbePhq.exe
PID 2056 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\rUbePhq.exe
PID 2056 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\rUbePhq.exe
PID 2056 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\LAoadhJ.exe
PID 2056 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\LAoadhJ.exe
PID 2056 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\LAoadhJ.exe
PID 2056 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\hyiBngH.exe
PID 2056 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\hyiBngH.exe
PID 2056 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\hyiBngH.exe
PID 2056 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\ueytarp.exe
PID 2056 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\ueytarp.exe
PID 2056 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\ueytarp.exe
PID 2056 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\aXRFesW.exe
PID 2056 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\aXRFesW.exe
PID 2056 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\aXRFesW.exe
PID 2056 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\HHwgJld.exe
PID 2056 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\HHwgJld.exe
PID 2056 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\HHwgJld.exe
PID 2056 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\KgzuBYN.exe
PID 2056 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\KgzuBYN.exe
PID 2056 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\KgzuBYN.exe
PID 2056 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\QBPDvrh.exe
PID 2056 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\QBPDvrh.exe
PID 2056 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\QBPDvrh.exe
PID 2056 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\jHBQdfl.exe
PID 2056 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\jHBQdfl.exe
PID 2056 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\jHBQdfl.exe
PID 2056 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\fcWjvHS.exe
PID 2056 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\fcWjvHS.exe
PID 2056 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\fcWjvHS.exe
PID 2056 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\bZvABRk.exe
PID 2056 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\bZvABRk.exe
PID 2056 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\bZvABRk.exe
PID 2056 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\mNrxWif.exe
PID 2056 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\mNrxWif.exe
PID 2056 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\mNrxWif.exe
PID 2056 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\deRPzqz.exe
PID 2056 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\deRPzqz.exe
PID 2056 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\deRPzqz.exe
PID 2056 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\UgJmSgK.exe
PID 2056 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\UgJmSgK.exe
PID 2056 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\UgJmSgK.exe
PID 2056 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\niouaeY.exe
PID 2056 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\niouaeY.exe
PID 2056 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\niouaeY.exe
PID 2056 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\DeORxyz.exe
PID 2056 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\DeORxyz.exe
PID 2056 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\DeORxyz.exe
PID 2056 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\QNMVbYS.exe
PID 2056 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\QNMVbYS.exe
PID 2056 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\QNMVbYS.exe
PID 2056 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\UmjdkJD.exe
PID 2056 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\UmjdkJD.exe
PID 2056 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\UmjdkJD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\JNXODcp.exe

C:\Windows\System\JNXODcp.exe

C:\Windows\System\KTwtOpY.exe

C:\Windows\System\KTwtOpY.exe

C:\Windows\System\mLdcpIJ.exe

C:\Windows\System\mLdcpIJ.exe

C:\Windows\System\rUbePhq.exe

C:\Windows\System\rUbePhq.exe

C:\Windows\System\LAoadhJ.exe

C:\Windows\System\LAoadhJ.exe

C:\Windows\System\hyiBngH.exe

C:\Windows\System\hyiBngH.exe

C:\Windows\System\ueytarp.exe

C:\Windows\System\ueytarp.exe

C:\Windows\System\aXRFesW.exe

C:\Windows\System\aXRFesW.exe

C:\Windows\System\HHwgJld.exe

C:\Windows\System\HHwgJld.exe

C:\Windows\System\KgzuBYN.exe

C:\Windows\System\KgzuBYN.exe

C:\Windows\System\QBPDvrh.exe

C:\Windows\System\QBPDvrh.exe

C:\Windows\System\jHBQdfl.exe

C:\Windows\System\jHBQdfl.exe

C:\Windows\System\fcWjvHS.exe

C:\Windows\System\fcWjvHS.exe

C:\Windows\System\bZvABRk.exe

C:\Windows\System\bZvABRk.exe

C:\Windows\System\mNrxWif.exe

C:\Windows\System\mNrxWif.exe

C:\Windows\System\deRPzqz.exe

C:\Windows\System\deRPzqz.exe

C:\Windows\System\UgJmSgK.exe

C:\Windows\System\UgJmSgK.exe

C:\Windows\System\niouaeY.exe

C:\Windows\System\niouaeY.exe

C:\Windows\System\DeORxyz.exe

C:\Windows\System\DeORxyz.exe

C:\Windows\System\QNMVbYS.exe

C:\Windows\System\QNMVbYS.exe

C:\Windows\System\UmjdkJD.exe

C:\Windows\System\UmjdkJD.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical connections)

Files

memory/2056-0-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/2056-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\JNXODcp.exe

MD5 1e01e986b5a74f509ccfa43d2e065dd5
SHA1 d66e4dc02116b0ac307249bf542f953e6a7e043c
SHA256 18b7b5d358e277cb48a188b018fac1cc939b288ae8e1d1055a70845ee89f1b3a
SHA512 5a7f49531f1f8595ad102c543939a7f8a653b6be5aefd576f076f1aa46e8091cc52ee53e31ebfcf7366b7b82ba23ab8d9a3aae64b1e5f91d4a19b1ff5c95978d

memory/2056-6-0x0000000002280000-0x00000000025D4000-memory.dmp

C:\Windows\system\KTwtOpY.exe

MD5 82a904061ce42678f874e1691a67ef89
SHA1 faf211bacda84ab6194b4e2d7d806d7cf467ff53
SHA256 8445cc920e64c6c358b1d7774c2b6afbc0fc5af3ee4d39b1155b538a44b1c3a3
SHA512 6d0d46720d749a5c806146be49e8968e86b453df9e6740ecddff03035ee5cde147959fbd537b16cc00758ea6ceb014224c463188eff8fd272ec5c41212b98f49

memory/2056-22-0x000000013F530000-0x000000013F884000-memory.dmp

\Windows\system\rUbePhq.exe

MD5 3ed600bb30da6694987526e3f96e36d0
SHA1 1c3a0dc0c2d04c0c019792f72fe19d5f58183346
SHA256 22f4772f18d8ff9098f94188ff6651c43aaed2d8f5a37495d02c65e3b33b1382
SHA512 9c378716db33181205499049d76b3eb614f3535830fabb70ff3f09ffc3ecb09a7c038a144aa4a43b2b71c71c114d31684e38b8419b79aa90fbf910d7a6517288

\Windows\system\mLdcpIJ.exe

MD5 aeb0a4030147f014e6340a9197e638cf
SHA1 30ff5fc52a53f6ce1f2eb641c7f6fc2bfd99d293
SHA256 8c272f8277903f31a0014a77adc6ac399cdacc30f6d6e2bfc6cb9d0821d0dc48
SHA512 9637bcb948f1c540b3e46c06374e05e2e171b6e8d3cbfe37f4a795752c4f6c7081b4c747abaccf28165de4658f5d309d6ec4bd0b516f656e597910ab0c9334f7

C:\Windows\system\hyiBngH.exe

MD5 842e0385dd3799438811b7719fbd478a
SHA1 839532324e75eefb07a90d803e138c5bc02e0c29
SHA256 b007dc91233f5cc2b120a98c750ce267e76d7dca8429c2cd24d6bdef92bf8a9b
SHA512 96a65e7f7a4ac06d4d52ba5b225955ec1864770ddd75d7819cba7e5d0ffb99a3891b3addf259be964745ef3cb8560e301838c0943f98bf89f87381c45a9d18ab

memory/2724-34-0x000000013F660000-0x000000013F9B4000-memory.dmp

\Windows\system\ueytarp.exe

MD5 38d3e0ec7c0528b4c2db226a6f9c111e
SHA1 0bb676a5b46f5cb437e9d494703bdc71cbfbf447
SHA256 5de426422e7ede7036e2408df34df4cd29eaf9c46bf1772a52501bef39ff9c13
SHA512 d80fe5732584a69f27f0f120c26941d875a9783a92e0c3d2e1424fcdc52ecaa35eed42049bbcde76ef0a0171ce0add8fb68278dbb2d2ec304687b1d5b518d05c

memory/2056-42-0x0000000002280000-0x00000000025D4000-memory.dmp

memory/2620-39-0x000000013F220000-0x000000013F574000-memory.dmp

memory/2580-33-0x000000013F530000-0x000000013F884000-memory.dmp

C:\Windows\system\LAoadhJ.exe

MD5 94b64252c9878e2e414cd87cd912ea81
SHA1 6831383efd7860e970faf73f33bc4735da74251f
SHA256 fcb3999a3a33dd8e1c9dec4660f9b2cfa8aa6c410912473eba8704205d80cdec
SHA512 1ffd3c7efb15f3e10f7da08ddb3c825233b20c61c8ed785ae0b28bf8803b45acd441da89034f8ade5d276c5b546b13064d856ce8ffa5fd23c09715854438bd32

memory/2056-30-0x0000000002280000-0x00000000025D4000-memory.dmp

memory/2628-28-0x000000013F020000-0x000000013F374000-memory.dmp

memory/2056-25-0x000000013F020000-0x000000013F374000-memory.dmp

memory/2328-55-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2540-68-0x000000013FAB0000-0x000000013FE04000-memory.dmp

C:\Windows\system\jHBQdfl.exe

MD5 de6d38f76eac5f78e248175378042581
SHA1 07b99dd11b423b6baba8d20e0616036cab3cec16
SHA256 ab27a2cfa771639514bed1be3a633c8c6380ac7d24d8b4ff5d8e1fdab6cebb23
SHA512 1b321013e34ffb7c00d075a042b391785e2d813bbda35d96eeb8918e0d13541c31d59178806a0de8be5ae0b8b3757b138344443b56790af2bb2215bed8488b28

C:\Windows\system\fcWjvHS.exe

MD5 19f2c97773068ee2339a21886a73cda6
SHA1 ee8909040596826da32ceb36d28e7d3ce4f59184
SHA256 fe42f362ece28dcd3748fcf21c38106678b4d94652c41a4bc8e93fc81c2a3507
SHA512 c8f84cffc2f59e5282ecb246d01e4c40a92e3e6cc943e55771ca265fe6e5e0c421713aec0f27d1ea57cc14834cfb662bbc5855ca415666f58e33226b30efa91e

C:\Windows\system\deRPzqz.exe

MD5 c814d6d804bff064fc4048fc858c1217
SHA1 c7988c6c51f9f3d8556f7b2df0959a60ed261870
SHA256 f9abb17b1a42693ad66e0292aa36a0000951990d1917be7da1222d09f28816f3
SHA512 f59df5d6e62354d2f5397196c3ff9490b25e41e002b479db0d74a9412192c7201458c600e73c5e569f665a812a97c9ee64f8870bff66380d47e87d0a332b7056

C:\Windows\system\niouaeY.exe

MD5 27cc15827a0b602c385abc1b7d1bb9f7
SHA1 bcac81e15f92f907847fa8042df6ee0d7649a6bb
SHA256 020d3f09726e903b9f0e30278d9ceb3ded3351f096246329b52df249b492e35f
SHA512 eaf6fb20a6f17a52b269211ed75e0f343e2efd19e4cfb72eca9467226b7015dfb418976558dc3d1dfab0968f3a42dc09cf5e3de42239900e50c34127fdb20928

C:\Windows\system\DeORxyz.exe

MD5 9781a30e48f38ee6f0307efd2539fa41
SHA1 860caad4b5813f598ab24cd9802a29d6097b944e
SHA256 f26cf47968e1d7985f77cef37f4126b25c3d12f6492914cc2272e81e32616bd8
SHA512 74fae357687d426f0146ce4da840073220c4a8fc306639e46eb5741fd2c1d8077404ac2a26f62fb30e49b9b5e8fb0f883bee83bbe6d456751e4398f145d1fdb1

\Windows\system\UmjdkJD.exe

MD5 273bf88dcc25f20cbff5951ddb95484d
SHA1 e4bf6bf4d51b0dd147b19bff9f05e1ab26c3c010
SHA256 a8034c07b8316ac6815d4a99b3e5a3dd9fbff396fea574c9609a420033ce7b8e
SHA512 66ddaf85a155d8d4dba7840cc58f391dfbf6bd00b1106e0e00607131a551b711e8477bb330ecbb7bfde08b58d96b2ae518ca0a9523b05939ce10484885d1008a

C:\Windows\system\QNMVbYS.exe

MD5 785e0f7cbb89d3475e0dfa8755c21ed9
SHA1 3d6f4dccd02b8763be688234094bbc1d5864a8cd
SHA256 cfb37ee3d90c6f3d887a46d8c4b8c396f17507cf1474d674548c1287f95f82ca
SHA512 d6342e7faad6c2d2132bf949d17f47085f7254b56ee658b320159283704bc33552851f3932da195e2fcb75ad69d36ffb7299350d554f430d12e45d98770f50ee

C:\Windows\system\UgJmSgK.exe

MD5 0101db1d4f1f5ad2b9bd0fb0cd87c42b
SHA1 0bee9525241a51738f7ac82f8f96c5dfef73e268
SHA256 f8d7162981ec72dd6e21c311af535dd981c7524a1dc0d44aa241b64b5472b054
SHA512 429de2d93aeedfbc082144e88c53729a221f3fa091f5e07897e05552cadab3993f8f524f09ea6c3f61804c8bc5a2a218c0cd0e09987562c0d14be35636f529c4

memory/2620-135-0x000000013F220000-0x000000013F574000-memory.dmp

C:\Windows\system\mNrxWif.exe

MD5 32e0c88c69d963477a57f010273ad4ea
SHA1 81df78eada4ceeaaae268829b3feeea9a9f0973d
SHA256 88fba77e383d590154e5a7c55bcfdc5a188d016996fbc0e243869382bec2f03a
SHA512 6ea86e20b39acb78f3c11883c1739edcc1984e0b32512e0daf3a255acc78b4da7cf492b8c4d6bc2e65710ebe3b3980758c6efec8cc2943c8d5535051d881968e

memory/2056-102-0x0000000002280000-0x00000000025D4000-memory.dmp

memory/2724-101-0x000000013F660000-0x000000013F9B4000-memory.dmp

memory/788-91-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2056-90-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2628-89-0x000000013F020000-0x000000013F374000-memory.dmp

memory/2568-97-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2056-96-0x0000000002280000-0x00000000025D4000-memory.dmp

C:\Windows\system\bZvABRk.exe

MD5 283c24b82de1e0ae12fb89e5a34214b9
SHA1 71cabf75dc4508c095a4b4653c61ff6b5c6d4922
SHA256 30d620d8e048fb7c252e34122578a464f978ca391532b7576c69465c0ffaffd9
SHA512 007663441b0306c8d75638208f9ca737f339f806a2f656e0ec92e6a12b0851331c04be9562f4c3b04eebd93ac57194b5539d1fc4ef7d4bb789bf598f52aa6087

memory/2916-76-0x000000013FAF0000-0x000000013FE44000-memory.dmp

memory/2940-82-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/2056-81-0x0000000002280000-0x00000000025D4000-memory.dmp

memory/2952-75-0x000000013FC50000-0x000000013FFA4000-memory.dmp

C:\Windows\system\QBPDvrh.exe

MD5 fe4fb3ea5c44befb78d8aa33bf9d6865
SHA1 d387ee6923aae513d1d81bbc04248619f03e003e
SHA256 859009dbb7eefc4c4711423d64aa0a3ca5b4ab23e2e29c50356a878388c6c85e
SHA512 a355d20ac7775b068cb2978171c534a697ee289da472f8a237e92655b22e6243d3cdcdccd99d19bb3b37facd418105756049760eee59b08ea7a98b8c39c70f8d

C:\Windows\system\KgzuBYN.exe

MD5 e73d5d39dd60687487b8085ed80fd263
SHA1 842feb7d7faa9f1b0dae331533504c97352bd4da
SHA256 c1d3d52efe27b468c9092cb2e1bd8c5628074a1be9a87561a59e615cf6e305b3
SHA512 12e28e6f9938a6b36041c809d61f7f750712d959ddc1ced34435c08aa12199eeecad1be095848e9d71700873661d6cd2d0ecf3c633a87225c2916db456c55022

memory/2468-62-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/2056-61-0x000000013F930000-0x000000013FC84000-memory.dmp

C:\Windows\system\HHwgJld.exe

MD5 2598c4d1ff4e4515e5c9ea0e99fa733f
SHA1 57b8bca1de2ccac93dd6f48d8ff7e1d8acc973ca
SHA256 348b4c43af7929f6b33e297cfb43324658721166db920ee4c044435f6132b125
SHA512 a229507e3d0d0d22d57a2ee7740641a537bb366105f316d21253cc8e7d6f4d701377f955b7540ec7f21bdf71076e809f0fd17d48d8f4df959137517df81a1640

memory/2492-54-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2056-53-0x0000000002280000-0x00000000025D4000-memory.dmp

C:\Windows\system\aXRFesW.exe

MD5 4ff0ef27f0bc674e3f4a0974360c3827
SHA1 98414df9ee38755bea13dda0bb960e5230e466dc
SHA256 0c8236e080f55aec73e6fc0e4980e302ebc0ad236c6e0d48005a0d61dd042e89
SHA512 ac63b438dc263e0253b15bf118a4c6a1d928c07b70b3e18207439a749218ba4c0fbfb0941d8d6835813e46043c29fc667fd0337b0f5ac6f14aec306cf4ec8092

memory/2056-38-0x000000013F220000-0x000000013F574000-memory.dmp

memory/2328-136-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2704-18-0x000000013FDE0000-0x0000000140134000-memory.dmp

memory/2952-14-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2468-138-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/2540-140-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2056-139-0x0000000002280000-0x00000000025D4000-memory.dmp

memory/2940-141-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/2056-142-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2568-143-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2704-145-0x000000013FDE0000-0x0000000140134000-memory.dmp

memory/2952-144-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2628-146-0x000000013F020000-0x000000013F374000-memory.dmp

memory/2620-147-0x000000013F220000-0x000000013F574000-memory.dmp

memory/2492-148-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2724-149-0x000000013F660000-0x000000013F9B4000-memory.dmp

memory/2328-150-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2468-151-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/2540-152-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2916-153-0x000000013FAF0000-0x000000013FE44000-memory.dmp

memory/2940-154-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/788-155-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2568-156-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2580-157-0x000000013F530000-0x000000013F884000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 21:03

Reported

2024-06-08 21:05

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\eBhtVOq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LLGDcKH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JQrccko.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zBbSLYk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SijvosA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JaKGINh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LUdBUjr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fmORgnS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YVqpCwI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NEfaJvb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ftHRQUS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\apqqXSS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MFibksA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fXcBGtx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TLvMzwL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PtXLpVB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CTGmziJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\baogdes.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IxLobyj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hUUSSMH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oqWQlcA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 396 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\TLvMzwL.exe
PID 396 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\TLvMzwL.exe
PID 396 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\LUdBUjr.exe
PID 396 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\LUdBUjr.exe
PID 396 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\fmORgnS.exe
PID 396 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\fmORgnS.exe
PID 396 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\hUUSSMH.exe
PID 396 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\hUUSSMH.exe
PID 396 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\PtXLpVB.exe
PID 396 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\PtXLpVB.exe
PID 396 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\oqWQlcA.exe
PID 396 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\oqWQlcA.exe
PID 396 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\YVqpCwI.exe
PID 396 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\YVqpCwI.exe
PID 396 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\eBhtVOq.exe
PID 396 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\eBhtVOq.exe
PID 396 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\NEfaJvb.exe
PID 396 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\NEfaJvb.exe
PID 396 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\JQrccko.exe
PID 396 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\JQrccko.exe
PID 396 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\ftHRQUS.exe
PID 396 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\ftHRQUS.exe
PID 396 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\baogdes.exe
PID 396 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\baogdes.exe
PID 396 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\zBbSLYk.exe
PID 396 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\zBbSLYk.exe
PID 396 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\IxLobyj.exe
PID 396 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\IxLobyj.exe
PID 396 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\apqqXSS.exe
PID 396 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\apqqXSS.exe
PID 396 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\MFibksA.exe
PID 396 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\MFibksA.exe
PID 396 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\SijvosA.exe
PID 396 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\SijvosA.exe
PID 396 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\fXcBGtx.exe
PID 396 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\fXcBGtx.exe
PID 396 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\LLGDcKH.exe
PID 396 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\LLGDcKH.exe
PID 396 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\JaKGINh.exe
PID 396 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\JaKGINh.exe
PID 396 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\CTGmziJ.exe
PID 396 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe C:\Windows\System\CTGmziJ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_76ce1e03be86043b1e3b8afd75c6b670_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\TLvMzwL.exe

C:\Windows\System\TLvMzwL.exe

C:\Windows\System\LUdBUjr.exe

C:\Windows\System\LUdBUjr.exe

C:\Windows\System\fmORgnS.exe

C:\Windows\System\fmORgnS.exe

C:\Windows\System\hUUSSMH.exe

C:\Windows\System\hUUSSMH.exe

C:\Windows\System\PtXLpVB.exe

C:\Windows\System\PtXLpVB.exe

C:\Windows\System\oqWQlcA.exe

C:\Windows\System\oqWQlcA.exe

C:\Windows\System\YVqpCwI.exe

C:\Windows\System\YVqpCwI.exe

C:\Windows\System\eBhtVOq.exe

C:\Windows\System\eBhtVOq.exe

C:\Windows\System\NEfaJvb.exe

C:\Windows\System\NEfaJvb.exe

C:\Windows\System\JQrccko.exe

C:\Windows\System\JQrccko.exe

C:\Windows\System\ftHRQUS.exe

C:\Windows\System\ftHRQUS.exe

C:\Windows\System\baogdes.exe

C:\Windows\System\baogdes.exe

C:\Windows\System\zBbSLYk.exe

C:\Windows\System\zBbSLYk.exe

C:\Windows\System\IxLobyj.exe

C:\Windows\System\IxLobyj.exe

C:\Windows\System\apqqXSS.exe

C:\Windows\System\apqqXSS.exe

C:\Windows\System\MFibksA.exe

C:\Windows\System\MFibksA.exe

C:\Windows\System\SijvosA.exe

C:\Windows\System\SijvosA.exe

C:\Windows\System\fXcBGtx.exe

C:\Windows\System\fXcBGtx.exe

C:\Windows\System\LLGDcKH.exe

C:\Windows\System\LLGDcKH.exe

C:\Windows\System\JaKGINh.exe

C:\Windows\System\JaKGINh.exe

C:\Windows\System\CTGmziJ.exe

C:\Windows\System\CTGmziJ.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/396-0-0x00007FF608E70000-0x00007FF6091C4000-memory.dmp

memory/396-1-0x00000208C2E40000-0x00000208C2E50000-memory.dmp

C:\Windows\System\TLvMzwL.exe

MD5 2aab6e4a4335207110cf0a8d886d13d0
SHA1 02e07d86634cf5132d0821c9877865417883df9d
SHA256 87bb5e6dfc0a181818337060269aea9887dfc80c7be39a3203f6f673e7651e62
SHA512 a3f82488c7d32af963ce16f7c517e6ac6b41e40bcc18acdb36ef1ce48c52a94e56a364143cdb6043c445b104a9719fe7e37df517647371bd30e87346817f4feb

C:\Windows\System\LUdBUjr.exe

MD5 5074bfec4dd2c4c3ddbd8feb60a7578b
SHA1 adf197d80add17e665a63c6d62fb8c01a0bac4f1
SHA256 d6f604134ca6ffae6315fc6ccc85a02a62d41b3e1abd339b979dd0bc8e9a1d79
SHA512 b28f00bb0a8119de5f250a9c5db6db17a401d2b902f7e946eb01d51ee8fd7c4847eb0267fe6535c2a622c19e47a2d44a98a8beffce2de5541427caa861da751d

memory/2520-17-0x00007FF61C0C0000-0x00007FF61C414000-memory.dmp

C:\Windows\System\fmORgnS.exe

MD5 c4dfee9151d8b1b76eac9130e78440f2
SHA1 bd056932e344af7931a6a544f8ba381a8a167e48
SHA256 ba2821128ee18c82e0be2c6d3d777aa503857eed7de6b823e7a9c706c1571478
SHA512 154f8298cd3ab66f8419265d36fa360fe5132ce31865cac7b4eab1ee559673f7a1bbaa66c96af0d1c2433a7727ad2498e39ee0cedac800f1227eacd4296869a4

C:\Windows\System\hUUSSMH.exe

MD5 b42bdfcc4baf6eaeec523869ff9b7ab8
SHA1 73b4e42960fedfb40c3370403eab224f77048037
SHA256 f5afb8effbc8ff31b1bcd6e50282043f99481191c2417ad250788a78998dd59b
SHA512 a8cafc9f4122fcac0b9aa92428244d5fedef2b3137433b29c4d01978ccb6c6a4fbe9138f1509e8fd4d2f280ac7af5f766114b9d16694b9984b9f01892b8e4c2c

C:\Windows\System\PtXLpVB.exe

MD5 82071b4a7b137d2500634fe92b040e2f
SHA1 1f9b6f97bf9c90582f464017acc9e3df51d2c6bc
SHA256 12fdd487694d8cc6213931967cc8dc801b1987c7aa9f06e3665894c477f23b73
SHA512 102b9746fa0289a5d5c6080e1913d0730415afec3b777979ac1ef59664e930c3f66917680b9cf571fb936d6c3cb8e57e5d6fd3d8a9cc49429455ea612a7c23cd

memory/3400-34-0x00007FF7791A0000-0x00007FF7794F4000-memory.dmp

C:\Windows\System\JQrccko.exe

MD5 3b85f505ae48233a2f32df327021edb3
SHA1 f6f6bfcaa7212585756638d537efc3b5a4be25b2
SHA256 be59d9e0c8c904c6a694106e5efae8fb63f23c5aaaca54763a8639005a7135bf
SHA512 03df19ec78997bf2f22cbbfeeb18d737f210c518258652cce3de6ba5e43c9ebe76c76c9cca77b0782e5b3100bd94c0890133c218ca7445eec42f882ef1cb464c

memory/4908-63-0x00007FF6CBBE0000-0x00007FF6CBF34000-memory.dmp

memory/1288-70-0x00007FF668170000-0x00007FF6684C4000-memory.dmp

memory/4936-74-0x00007FF6CA880000-0x00007FF6CABD4000-memory.dmp

C:\Windows\System\baogdes.exe

MD5 662815b58287536bcf1226ad6cdc48d0
SHA1 25f61b369c1bba8dd3724887dc8d63362ac68d9c
SHA256 bff45ad57714d2fa9ba09e2b92a9587f90787f3abaa131fb7d46c16cfbf43d91
SHA512 cedf1202c6cc67ba2003e03afcbf930638a463720c7ac24d0725fdfd2731e0dea304a2b7e31334d8d5aa357c007080343401bfd2290248768b400351e832fbd8

memory/1556-71-0x00007FF76D200000-0x00007FF76D554000-memory.dmp

C:\Windows\System\ftHRQUS.exe

MD5 d9f37335b24be2a10c2fd417f9241387
SHA1 a7760b49338f3882404c1023dd5ac8ce5d2f6de9
SHA256 4dd9c1ce1a3bb6d04b34e374f5c58b2c16ad3aee10eafc5b2bdea3fd366b7f9e
SHA512 059ba8443517ac78bbf589f577e0436421186542ee38c33f56aa34a8524e7121656c86fa60f713d2b026eec035e5dfddcad88dfd2634e74b3303a84df9921b27

memory/3688-65-0x00007FF729940000-0x00007FF729C94000-memory.dmp

memory/1564-62-0x00007FF7B43C0000-0x00007FF7B4714000-memory.dmp

memory/3196-56-0x00007FF69DDE0000-0x00007FF69E134000-memory.dmp

C:\Windows\System\NEfaJvb.exe

MD5 29a30345972e68a0eeca5be625863699
SHA1 ba150008a420cf9e480ee4650d849148981282ef
SHA256 ccdd9a1d314648e8e0f06ffe0a5c58667d3353c5c64ffdf999cc96dcbd40e614
SHA512 5c4205f12a714352854c4f2430db76f84479e547cd25bb0788b8b4cf94718afd94908c541c5671fb496d8d3d684869a9904091b36117bc9c50b0a8966e947f73

C:\Windows\System\eBhtVOq.exe

MD5 7440e926f1642171b6a674c475a011cb
SHA1 bbb66d7ddf0b7f813277743d1c2c1cb71db9c20e
SHA256 197d1ebedea272cc8124641b4e8069f0f05da31179924b2011a365d6197320a5
SHA512 3222ea49b63d2ed280bc0ad39707cd5c4ca8e48cc8ab5e3aafcf63bf04e46ff97b2dce6103a3e944b35191c3dc2656aa6b0f36eb3db6f9a4f95ec0f129bfe9e4

memory/3564-46-0x00007FF6270D0000-0x00007FF627424000-memory.dmp

C:\Windows\System\YVqpCwI.exe

MD5 e0fed0080ad1e962968cd8b8c9427b6a
SHA1 e217d67d9bec5275454ddd4e2a8868183b3e5406
SHA256 7d3178d438b0f15c3780aa45fe8a43ce2872f9a555c9009d2f775a8d17249f01
SHA512 d6958e65a89903237966f32f35ae1f251f058ba43f823405eb9a332bd85a65a84e40c297c27d106e5c4b465523003a0b79dab51ec3ba7e0374ebd7ede39ac617

C:\Windows\System\oqWQlcA.exe

MD5 0f4eb1463d36dc95af5eb784304e637e
SHA1 060392e0a80eb73acb7394bb044807de6123da33
SHA256 0b9fb8bb58588053b9000073252cc1afba1f75e552737538db3c51b688b6c532
SHA512 bf0ff3022398542160695574d0e881aa987732d9ad431b346a66a798d50bc1d0e292e5b10f1b4e8cb030d0f51735f648a83a2d471aab6fe683ef3abc8f1e53b5

memory/1756-28-0x00007FF64AD60000-0x00007FF64B0B4000-memory.dmp

memory/4852-8-0x00007FF759CE0000-0x00007FF75A034000-memory.dmp

C:\Windows\System\zBbSLYk.exe

MD5 6199f575c52db5b2e40caca12778deb9
SHA1 1f5bfe54465aa2a8dd5742a2baacc816481d5f3c
SHA256 ac8cdb72f109fb154cf6442acf04dab97184c2d08d0808c95389d794aa3acbde
SHA512 c7676d6e1e5b1a2e122e7e3fbb892a0d08dcf1dd6d37a9b40029c8f9f7a50c6f177405e5724b193f7099b52db9aca9765ce4c040d0d38ae24ed1cb4deeb2618c

memory/2804-82-0x00007FF6F2E30000-0x00007FF6F3184000-memory.dmp

C:\Windows\System\IxLobyj.exe

MD5 4bd44957f3f966117e64651ac26ccca4
SHA1 b93f754dd183d5443976915676d714d02593d015
SHA256 9032f201e0a5656d2b2dc35de3a6d79f7d7d88f23a7ce652f19f6d4e933f4f1c
SHA512 8372e501dd7cabaf92f7e225f8e6bdf67b62b1f9fa8dae8bbdd3a1e53efd977636207d7a2e823d9ab014bccee7a4cf53cc170505d077c48e0499043707aa48e3

C:\Windows\System\apqqXSS.exe

MD5 89f96f6acc0f9f1e31ba7593940d823f
SHA1 bac9ba4d74eb5be355600bd4533093e15f826daa
SHA256 cb3f48a9ee88de9f6d01e549956cd504c35e7deb3a09ef8f37ff4582dd27df77
SHA512 a8319330c5dc4e7f59207510025ecc89b7ff950150f1cb71251bfa8ef5af18dfcf492fbd76cc175eee490983524f1a984b3a5532624fa024e457b42d38bb5f3b

memory/1184-90-0x00007FF791EB0000-0x00007FF792204000-memory.dmp

memory/4616-89-0x00007FF7965E0000-0x00007FF796934000-memory.dmp

C:\Windows\System\MFibksA.exe

MD5 defa01d8d6ee00e189434555a7a59fd5
SHA1 790b3c3c8d5e816bcf17a55f02519570880d96c3
SHA256 3d034ccc67dfcee07b2e8fde8b74fd6118e2a95782bd482f0c53558d0b9525e5
SHA512 12628714b0c518177e3b2cf465425b752baf01cf1bbee4ddec33dbfcf52d26921f1e53059a82c39b39847243b8003f98643046dc3ddebff491ae0c035d1a38e4

C:\Windows\System\SijvosA.exe

MD5 fc069da56ae9ce76aa062adfc094c709
SHA1 cc8cba2e634756b7c8297cfe86bfa2afd0ab47bd
SHA256 bdb4b116d7650a32e4bfcb251914e0481e258bceba336a55fe9fce992d3313a6
SHA512 1574d46fcfe1fa139b0f9494ab237f4194863cd7c0f6ee4bab3e4b902af26dac47e22960c0007e5525b74cdbf5c03264408eeb011b812c1aeaed1bf24b1e6dc8

C:\Windows\System\fXcBGtx.exe

MD5 3a5233c4c3faee6fe57b66fd6cf281f0
SHA1 2b4a0a2b6c311a980d1ee497758fd4bfb92f63ee
SHA256 1413dd686cdd64a8ef12fe3c4166420dd16b460266137ffcf82676d1863c5ad8
SHA512 baa0b483e5667b9fd1099c6394446729c794c02a4987e0afff14f4ceb2216a104af29f04f643bfee52bd11a6a7a09a2a618da875375e02564577548bf7dc4bff

memory/1540-117-0x00007FF6B19C0000-0x00007FF6B1D14000-memory.dmp

C:\Windows\System\LLGDcKH.exe

MD5 3841e12428054f3d3d52282b0de14948
SHA1 94374f319786636834256820c3e8426691246a9e
SHA256 c2e5cd0ef0a6dd4885d05d15cee0cb274ba8e2d47ba65cc5fd4a8eb8a574a979
SHA512 d7af3bd6b070c0b76b2ba9211a2ac1264fa245ae0c661f5bcac52d42ed30bb0af86e5c851bc288a40b383e941dd9880f0f2304ea730b047e6bcfc0de9e2cfc30

memory/4820-110-0x00007FF6BDAE0000-0x00007FF6BDE34000-memory.dmp

memory/396-108-0x00007FF608E70000-0x00007FF6091C4000-memory.dmp

memory/1476-102-0x00007FF7D5A50000-0x00007FF7D5DA4000-memory.dmp

memory/828-97-0x00007FF69A330000-0x00007FF69A684000-memory.dmp

C:\Windows\System\JaKGINh.exe

MD5 31ac35f616204b90950f0b1223638d24
SHA1 cecac49e661cdf0d33da7c5bc9b0378b9980479e
SHA256 ce085ac962db7d9223657f0f214a154680cbb3ed9871628a584cea8d7790c9cd
SHA512 899c353fb75717d0a6f50ddc8247f070085ef9c14ad1990e53245e51178697f572b484f07e04d60c02b48addde9625d2214f1465a889ae3f88faecaf58ebc661

memory/1756-128-0x00007FF64AD60000-0x00007FF64B0B4000-memory.dmp

C:\Windows\System\CTGmziJ.exe

MD5 dc2f3326a9c3aa53d6cb44779f3f3a18
SHA1 c6a2c0a6bae34ab034a1038f74fd8ddaa8c4586d
SHA256 83f665193a17bf75456e74104b15b2e157ba3751e6e25418aa14da1b197022f2
SHA512 7c33ee076354e0042618ccf7834dd8c880322193412a41fdada9f4fdf0c3702e36d7443d4d4d821ea1fa8de25b2d7638bdc034dae70fd85a9fae67bb91e3d9f4

memory/2520-125-0x00007FF61C0C0000-0x00007FF61C414000-memory.dmp

memory/4612-130-0x00007FF752D60000-0x00007FF7530B4000-memory.dmp

memory/4376-129-0x00007FF7A7440000-0x00007FF7A7794000-memory.dmp

memory/3688-131-0x00007FF729940000-0x00007FF729C94000-memory.dmp

memory/4936-132-0x00007FF6CA880000-0x00007FF6CABD4000-memory.dmp

memory/1184-133-0x00007FF791EB0000-0x00007FF792204000-memory.dmp

memory/828-134-0x00007FF69A330000-0x00007FF69A684000-memory.dmp

memory/1476-135-0x00007FF7D5A50000-0x00007FF7D5DA4000-memory.dmp

memory/4820-136-0x00007FF6BDAE0000-0x00007FF6BDE34000-memory.dmp

memory/1540-137-0x00007FF6B19C0000-0x00007FF6B1D14000-memory.dmp

memory/4852-138-0x00007FF759CE0000-0x00007FF75A034000-memory.dmp

memory/2520-139-0x00007FF61C0C0000-0x00007FF61C414000-memory.dmp

memory/3196-142-0x00007FF69DDE0000-0x00007FF69E134000-memory.dmp

memory/1564-143-0x00007FF7B43C0000-0x00007FF7B4714000-memory.dmp

memory/3564-144-0x00007FF6270D0000-0x00007FF627424000-memory.dmp

memory/1756-141-0x00007FF64AD60000-0x00007FF64B0B4000-memory.dmp

memory/3400-140-0x00007FF7791A0000-0x00007FF7794F4000-memory.dmp

memory/4936-145-0x00007FF6CA880000-0x00007FF6CABD4000-memory.dmp

memory/1288-148-0x00007FF668170000-0x00007FF6684C4000-memory.dmp

memory/4908-149-0x00007FF6CBBE0000-0x00007FF6CBF34000-memory.dmp

memory/1556-147-0x00007FF76D200000-0x00007FF76D554000-memory.dmp

memory/3688-146-0x00007FF729940000-0x00007FF729C94000-memory.dmp

memory/2804-150-0x00007FF6F2E30000-0x00007FF6F3184000-memory.dmp

memory/4616-151-0x00007FF7965E0000-0x00007FF796934000-memory.dmp

memory/1184-152-0x00007FF791EB0000-0x00007FF792204000-memory.dmp

memory/828-153-0x00007FF69A330000-0x00007FF69A684000-memory.dmp

memory/1476-154-0x00007FF7D5A50000-0x00007FF7D5DA4000-memory.dmp

memory/4820-155-0x00007FF6BDAE0000-0x00007FF6BDE34000-memory.dmp

memory/1540-156-0x00007FF6B19C0000-0x00007FF6B1D14000-memory.dmp

memory/4376-157-0x00007FF7A7440000-0x00007FF7A7794000-memory.dmp

memory/4612-158-0x00007FF752D60000-0x00007FF7530B4000-memory.dmp