Malware Analysis Report

2024-10-16 03:10

Sample ID 240609-1cekwsfh26
Target 2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike
SHA256 4779a6b5c3bb606e6929737e4a58db86c50419f274c5c4cf1b5cd265a75a3815
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4779a6b5c3bb606e6929737e4a58db86c50419f274c5c4cf1b5cd265a75a3815

Threat Level: Known bad

The file 2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Cobaltstrike family (cobaltstrike)

XMRig Miner payload

Xmrig family (xmrig)

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 21:30

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
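The static verdicts above ("UPX packed file", "Unsigned PE") come from YARA-style rules whose match details the report does not show. The following is an added example, not the sandbox's rule code, of the header-level checks those verdicts rest on, written in pure Python without pefile: it walks the DOS header, PE signature, COFF and optional headers and the section table, reports UPX section names, virtual-only sections (the UPX0 region the stub unpacks into), high-entropy writable+executable sections, and whether a security (Authenticode) data directory is present. The PE built by build_sample_pe() is constructed to look like a UPX-packed PE32+ image; it is not this report's sample. Two caveats a practitioner should keep in mind: UPX section names are trivially renamed, so the entropy and virtual-only checks are the ones that survive a modified stub, and an empty security directory only says no signature blob is embedded, not that a catalog-signed file is unsigned.

```python
"""Header-level checks behind the 'UPX packed file' and 'Unsigned PE' verdicts, in
pure Python (no pefile). Added example: not the sandbox's rule code. The PE built by
build_sample_pe() is constructed to resemble a UPX-packed PE32+ image; it is not the
report's sample."""
import math
import random
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory holding the Authenticode blob
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image):
    """Walk DOS header -> PE signature -> COFF -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", image, opt)[0] == 0x20B
    # PE32+ has an 8-byte ImageBase and no BaseOfData, so its directories sit 16 bytes later.
    ndirs = struct.unpack_from("<I", image, opt + (108 if pe32plus else 92))[0]
    dd = opt + (112 if pe32plus else 96)
    sec_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_size = struct.unpack_from("<II", image, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)[1]
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        hdr = table + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, hdr)
        chars = struct.unpack_from("<I", image, hdr + 36)[0]
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "wx": bool(chars & IMAGE_SCN_MEM_WRITE) and bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return {"pe32plus": pe32plus, "signed": sec_size > 0, "sections": sections}


def triage(image):
    """Return the packer/signature findings a static triage pass would report."""
    info = parse_pe(image)
    names = [s["name"] for s in info["sections"]]
    findings = []
    if any(n.upper().startswith("UPX") for n in names):
        findings.append("UPX section names: " + ", ".join(names))
    for s in info["sections"]:
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append("%s: no raw data, %d bytes reserved (unpacking target)" % (s["name"], s["vsize"]))
        if s["wx"] and s["entropy"] > 7.0:
            findings.append("%s: entropy %.2f in a writable+executable section" % (s["name"], s["entropy"]))
    if not info["signed"]:
        findings.append("no Authenticode signature directory (Unsigned PE)")
    return findings


def build_sample_pe():
    """Constructed PE32+: UPX0 virtual-only, UPX1 high-entropy W+X, .rsrc, no security directory."""
    rng = random.Random(1)                       # deterministic stand-in for compressed data
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    rsrc = b"\0" * 512
    e_lfanew, opt_size = 0x40, 240
    raw_base = e_lfanew + 4 + 20 + opt_size + 40 * 3   # file offset right after the section table
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | 0x40000000
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b"UPX0", 0x20000, 0x1000, 0, 0, wx | 0x80),
        (b"UPX1", 0x1000, 0x21000, len(packed), raw_base, wx | 0x40),
        (b".rsrc", 0x200, 0x22000, len(rsrc), raw_base + len(packed), 0x40000040),
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes; entries left zero => no signature
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return dos + coff + bytes(opt) + table + packed + rsrc


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print(line)
```

Run as a script it prints the four findings for the constructed image; pass the bytes of a real file to triage() to apply the same checks to it.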

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 21:29

Reported

2024-06-09 21:32

Platform

win7-20240508-en

Max time kernel

140s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches; no description, indicator, process or target recorded for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 matches; no description, indicator, process or target recorded for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(63 matches; no description, indicator, process or target recorded for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
(64 matches; no description, indicator, process or target recorded for any of them)

Loads dropped DLL

Description Indicator Process Target
(21 matches, all with Process = C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe; no DLL path, indicator or target recorded)

UPX packed file

upx
Description Indicator Process Target
(63 matches; no description, indicator, process or target recorded for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HTLkZai.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qQNCGWD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QLGKsVN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TNJKVNK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ygwZQzg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tzGjiqJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pkFkGMy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tbTWPZA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NHiqszG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ItqrNig.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uOdpPso.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VCHXHTN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SQEhXIF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yxdtKaS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\foGWbzn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jaqMdNR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zQcssCB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LWqNinM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QvENAFT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NwzqKsN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZiyaJjI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(63 rows, three per child process; in every row Process = C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe and Indicator = N/A; collapsed here by target PID)

Writer PID Target PID Writes Target
1852 2248 3 C:\Windows\System\pkFkGMy.exe
1852 2656 3 C:\Windows\System\zQcssCB.exe
1852 2224 3 C:\Windows\System\VCHXHTN.exe
1852 2572 3 C:\Windows\System\tbTWPZA.exe
1852 2624 3 C:\Windows\System\SQEhXIF.exe
1852 2744 3 C:\Windows\System\NHiqszG.exe
1852 2508 3 C:\Windows\System\HTLkZai.exe
1852 2640 3 C:\Windows\System\LWqNinM.exe
1852 2588 3 C:\Windows\System\yxdtKaS.exe
1852 3068 3 C:\Windows\System\QvENAFT.exe
1852 2384 3 C:\Windows\System\foGWbzn.exe
1852 1624 3 C:\Windows\System\NwzqKsN.exe
1852 2360 3 C:\Windows\System\ItqrNig.exe
1852 1364 3 C:\Windows\System\ZiyaJjI.exe
1852 1704 3 C:\Windows\System\qQNCGWD.exe
1852 2160 3 C:\Windows\System\uOdpPso.exe
1852 2164 3 C:\Windows\System\TNJKVNK.exe
1852 1272 3 C:\Windows\System\QLGKsVN.exe
1852 1564 3 C:\Windows\System\ygwZQzg.exe
1852 756 3 C:\Windows\System\tzGjiqJ.exe
1852 2408 3 C:\Windows\System\jaqMdNR.exe

Processes

Process tree (PIDs taken from the WriteProcessMemory rows above; every dropped EXE was started with its image path as the command line and no arguments)

1852 C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe"
  2248 C:\Windows\System\pkFkGMy.exe
  2656 C:\Windows\System\zQcssCB.exe
  2224 C:\Windows\System\VCHXHTN.exe
  2572 C:\Windows\System\tbTWPZA.exe
  2624 C:\Windows\System\SQEhXIF.exe
  2744 C:\Windows\System\NHiqszG.exe
  2508 C:\Windows\System\HTLkZai.exe
  2640 C:\Windows\System\LWqNinM.exe
  2588 C:\Windows\System\yxdtKaS.exe
  3068 C:\Windows\System\QvENAFT.exe
  2384 C:\Windows\System\foGWbzn.exe
  1624 C:\Windows\System\NwzqKsN.exe
  2360 C:\Windows\System\ItqrNig.exe
  1364 C:\Windows\System\ZiyaJjI.exe
  1704 C:\Windows\System\qQNCGWD.exe
  2160 C:\Windows\System\uOdpPso.exe
  2164 C:\Windows\System\TNJKVNK.exe
  1272 C:\Windows\System\QLGKsVN.exe
  1564 C:\Windows\System\ygwZQzg.exe
  756 C:\Windows\System\tzGjiqJ.exe
  2408 C:\Windows\System\jaqMdNR.exe

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 (none recorded) tcp 6
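The behavioural rows in this analysis (file drops into C:\Windows\System, SeLockMemoryPrivilege adjustments, WriteProcessMemory into each child, repeated TCP connections to one endpoint) are the kind of evidence a detection engineer turns into a rule. The following is an added example, not the sandbox's own signature engine, of that triage run over the report's own row layout ("Description Indicator Process Target" flattened into one line per row): it rebuilds the process tree from the WriteProcessMemory rows, checks which children are both freshly dropped and randomly named under C:\Windows\System, and summarises the privilege and network rows. The ROWS list is a constructed subset copied from this report (4 of the 21 children, three write rows each as in the original, the two token rows and the six connections); the thresholds and the seven-letter name pattern are assumptions tuned to this sample. The SeLockMemoryPrivilege finding is my reading: XMRig requests that privilege to back its hash scratchpad with large pages, which is why an otherwise quiet process asking for it is worth a look; the report itself records only the token name.

```python
"""Mechanical triage of the behavioural rows above: rebuild the process tree from the
WriteProcessMemory rows, tie each child to the file-drop rows, and flag the
dropper/miner pattern. Added example, not the sandbox's signature engine. ROWS is a
constructed subset of the report (4 of its 21 children) in the same flattened
'Description Indicator Process Target' layout."""
import re
from collections import Counter, defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe")
CHILDREN = [(2248, r"C:\Windows\System\pkFkGMy.exe"), (2656, r"C:\Windows\System\zQcssCB.exe"),
            (2224, r"C:\Windows\System\VCHXHTN.exe"), (2572, r"C:\Windows\System\tbTWPZA.exe")]

# Constructed rows: one drop per child, two privilege adjustments, three write rows per
# child (as in the report), six identical TCP connections (the Domain column is empty).
ROWS = ["File created %s %s N/A" % (path, SAMPLE) for _, path in CHILDREN]
ROWS += ["Token: SeLockMemoryPrivilege N/A %s N/A" % SAMPLE] * 2
for pid, path in CHILDREN:
    ROWS += ["PID 1852 wrote to memory of %d N/A %s %s" % (pid, SAMPLE, path)] * 3
ROWS += ["DE 3.120.209.58:8080 tcp"] * 6

WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DROP = re.compile(r"^File created (\S+) (\S+) N/A$")
TOKEN = re.compile(r"^Token: (\w+) N/A (\S+) N/A$")
NET = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (tcp|udp)$")
# Assumed naming pattern: seven mixed-case letters directly under C:\Windows\System.
RANDOM_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse(rows):
    """Index the rows by event type; rows in any other layout are ignored."""
    children = defaultdict(dict)      # writer pid -> {target pid: target image path}
    writes = Counter()                # (writer pid, target pid) -> number of write rows
    dropped, privileges, endpoints = set(), set(), Counter()
    for row in rows:
        if m := WPM.match(row):
            writer, target = int(m.group(1)), int(m.group(2))
            children[writer][target] = m.group(4)
            writes[(writer, target)] += 1
        elif m := DROP.match(row):
            dropped.add(m.group(1))
        elif m := TOKEN.match(row):
            privileges.add(m.group(1))
        elif m := NET.match(row):
            endpoints[(m.group(2), int(m.group(3)))] += 1
    return children, writes, dropped, privileges, endpoints


def triage(rows, min_children=3, min_connections=3):
    """Return the indexed events plus the findings the thresholds produce."""
    children, writes, dropped, privileges, endpoints = parse(rows)
    findings = []
    for writer, kids in children.items():
        # A child that is both freshly dropped and randomly named under C:\Windows\System
        # is the dropper pattern; a legitimate installer rarely does both, many times over.
        hits = [p for p in kids.values() if p in dropped and RANDOM_SYSTEM_EXE.match(p)]
        if len(hits) >= min_children:
            findings.append("pid %d spawned %d freshly dropped, randomly named EXEs under C:\\Windows\\System"
                            % (writer, len(hits)))
    if "SeLockMemoryPrivilege" in privileges:
        findings.append("SeLockMemoryPrivilege requested: large-page allocation, as XMRig does for huge pages")
    for (ip, port), n in endpoints.items():
        if n >= min_connections:
            findings.append("%d connections to %s:%d" % (n, ip, port))
    return {"children": dict(children), "writes": dict(writes), "dropped": sorted(dropped),
            "privileges": sorted(privileges), "endpoints": dict(endpoints), "findings": findings}


if __name__ == "__main__":
    for line in triage(ROWS)["findings"]:
        print(line)
```

The regexes are tied to this report's flattened row layout; a different sandbox export needs its own parse() but the same triage() logic. Raising min_children above the number of children drops the dropper finding and leaves the privilege and network findings, which is how the thresholds should be tuned against benign installers before the rule goes live.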

Files

memory/1852-0-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/1852-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\pkFkGMy.exe

MD5 9b88a0dc12e2f1c3eef6bf54f35b6379
SHA1 fc04890e577ef33e6611c8d3b41521feb93dd372
SHA256 1d48bd7a006c324e994b859650e4c45c9b9048dfee33e8321b240e16607b0d0f
SHA512 0e0cadc13a76ee3dff1c9c7887193c19d7cdd5f7205a16a1065a8eef7d90e1241e2ba328c8f054bbe97cb4fa33e272bc45852a0b0daadc3da7c04d0f6a711de8

memory/1852-6-0x00000000023F0000-0x0000000002744000-memory.dmp

C:\Windows\system\VCHXHTN.exe

MD5 7ae683da5839006a226950b10e50e3db
SHA1 895aaa41a20d4bba42e0870a659f950d514e56d7
SHA256 c3ad82901bab4a78ea191679c45577e18b03235146f434e255f68d85fa50e81f
SHA512 fa2af20f3c276d681e312b0100a2d3fc6d23a26827e6cb3f3e78f8a4d51edc1868d203040bf05dbd9899165d6416fb6655c7d9769eaf15f06db8314d8aa86cd6

C:\Windows\system\tbTWPZA.exe

MD5 2f7997422ee3c55e3e21b02cb2afae75
SHA1 159b7d5d33def7f387367ef10082ea3e5e17876d
SHA256 bd30f36772cbfcc16d8fb691ad96af17dc4e442383da5b4e8d5066da5abc7e91
SHA512 1dd2b7b1b5db66472c9e84a8c7656288ad458329672ac9f0a9195cd1e4ecac5dd7cf42a2060ae11dcd3649863ba181eb701b23bee9fe68d6520bc62bc6a36597

memory/1852-22-0x00000000023F0000-0x0000000002744000-memory.dmp

memory/2572-25-0x000000013F630000-0x000000013F984000-memory.dmp

C:\Windows\system\zQcssCB.exe

MD5 67b828e554a5ae91eae0837e09f069c5
SHA1 17fa15e1dfe229ef05c3e51910d3d6ddb24a002d
SHA256 b017391d7fe7dc0d7b0a8ac80b3a5e333732c6048fdf565d7a75ce26b0a7ce14
SHA512 2d2a5679ffb99ae664b2e7070b15888553e4ccd9b118b9c838c3c2485332c0d7fa08490ba1879c9863d6f78ac55dfb01cbb90427e4a1d7afcdce33b29745cd04

memory/2224-28-0x000000013FF30000-0x0000000140284000-memory.dmp

C:\Windows\system\SQEhXIF.exe

MD5 ed2dee693b69ce0087a84a4d7e554dbf
SHA1 ecf15424a0068583205c1468d4074f1841fcce51
SHA256 b74ed7dca4fffa6f142155a866479d3f4bf94df82680ceb1880d8eedc0a400cc
SHA512 2fc1f2110f62f90f3da4f06a30a369a96e4ad15594864cac4632346498a6e346aacf17ff93777710854b08067b720ea9e91797eb05bbfda21575388ce237bafe

memory/1852-37-0x000000013FEA0000-0x00000001401F4000-memory.dmp

C:\Windows\system\NHiqszG.exe

MD5 6cc7c6ce873a150c31ec8d84ce029bdf
SHA1 89680537e2f589687cc11f063820d9f5cebd88e2
SHA256 fdb935ab52fccb93964432711e6a82ca709b40b853017074d7a242858fcb556e
SHA512 d4042581bb6f305d7401faefff76c5d490411f8b398e832b79d7dce9e02ba8d069d38056001105d3b48d60274ee1d3a60321e5d124a980b1051c17b97af5d583

memory/2744-40-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2624-35-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/1852-34-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/2248-13-0x000000013F610000-0x000000013F964000-memory.dmp

memory/1852-52-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2640-53-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2248-55-0x000000013F610000-0x000000013F964000-memory.dmp

C:\Windows\system\HTLkZai.exe

MD5 f940596492c124eca11b48dd9aa0c8b6
SHA1 9b41e9206679aa5f80fc6b1cf59a7cc174c8c52d
SHA256 bbd506f228328b3660744c6524c66674b797ac24ec2c1a4b1f36ad86905b6413
SHA512 f64877d9387309efca38081d7a9e18a60587fcded02148c3702d29c74904f58594773fd116c829fbb6f30523ef582bdab3d6cae57588c8aa50381d483b388a8c

memory/2508-58-0x000000013F690000-0x000000013F9E4000-memory.dmp

C:\Windows\system\LWqNinM.exe

MD5 af39a8c3c4265719da3e0aea0b8fd9bb
SHA1 1f977ea80bb98fad0f8199f0689c8af191be46b3
SHA256 1fa6a06d44ee554c652d8bb198438796e1d22667cf434203c2a281af7203af8d
SHA512 0d984d802881d91cd93453bbdf5bb5bf91ad2a8f342f222d53ed441d6ded93aee4b3b088401f5651c252c55ff9e06e1a8c69aa7bfb807ce876f060134e2953b7

\Windows\system\yxdtKaS.exe

MD5 e22bf7a71834d66d73cc16c7a44c9d51
SHA1 872492eb460855a02afe5adbaffdb16b0f16e230
SHA256 99d0d7e03908bbd25ee8446fd0f22c7675431979dfa78fbc736f32ce62cd7d4a
SHA512 14584d311c33381c30ff382555c846f2994ee20d1bcc459fff90ade5b856d247beaf5e5b496ddaf319e53fa7ab1b178d0220d704d3153a3252ff7fcda5cf5575

memory/2224-69-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/3068-71-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2384-77-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2744-96-0x000000013FEA0000-0x00000001401F4000-memory.dmp

C:\Windows\system\QLGKsVN.exe

MD5 023e3d4f2fc6ae1c3ec76c906b887dc6
SHA1 e0754de08f3f40958c635d24b9e7a8ee1b01e6f6
SHA256 39498dcc2769c2ff609571fe257d8830690b858b6b05ac27c19f18e141c49fa1
SHA512 d71c14b66458a761ea6812ccba1326d2ae9e3c4308551cd66932526cb96c9102853e0cc3f7fa931ef6ea236600cd169e7f89a8df22f5823c8775d338a615c1b0

C:\Windows\system\ygwZQzg.exe

MD5 7f573638c8e22022dd5dfb27b8c09bbc
SHA1 e0021efcda9d6de98eab65dad0f1a37c31b351ce
SHA256 cf21f5e9a5b7b1f1ac16f56ec130fe74b15c1cc3b03820c84372b4cf04bcc735
SHA512 5e04e4ef8c6f87b835cb6a88ff562890d2c35e469ed1e9d4e8a0bd8d2c60c3588e756c3b56c1d5bd4dba238611809f6c35b48ffd25889d8b06b09ab7f33b8ab4

\Windows\system\jaqMdNR.exe

MD5 69b1a4b0a22776ece358a5ba4bb8cca4
SHA1 fa80c9afa67afd8be46b737f3fb746d56e5066ae
SHA256 b51c3f2b7e353677a10269da720a912d09992b16c1c6bb5f0131facf9d03d829
SHA512 6f7b54e8729086d637ee700f7413cf57e081bff9450c54e4bdfbefd1c8c6e9259e6e38f1a345ff25eb10a96c493ce447fab61c8d5fd79db0ab5985c5c677df40

C:\Windows\system\tzGjiqJ.exe

MD5 1a40026d37bb906c68f39b864cfbc2f8
SHA1 fb087b85bd4da0e94daeb28023b7f1a63d57c091
SHA256 fac2e2f7536ee0787aabc4f62d50a4107402390961a4a1a942a2d38f3e26d405
SHA512 1dce385e438b79d1d5e6b4d3a518efff19ff5fcd43b347af58fcd654bcd25f4e0020367150e1aaf11ea2ccee39a002c1d710336274a732eadf8bd2af174a2f3c

C:\Windows\system\TNJKVNK.exe

MD5 3c114d37694e4868f124e0b8a4e52932
SHA1 2ff00d0e780f802786d875a2c7900ccb9549729a
SHA256 df830f5004872aa2610e584ad3d1645e7f44e22c153e1e66165f9fc260d78457
SHA512 5f7d5b74900e588223b6a11138e1fa35dd7384dc95ae06f4555afce0ea52434c19130f2ec1e523df3fe9a944c814a4812582b46f3ef78f69fcacb2dbfc37e88e

C:\Windows\system\qQNCGWD.exe

MD5 7319cd32f72dff84c3df2a40277083d9
SHA1 e6194934e10620330d400a7b1010d73bdca53c80
SHA256 2b7eee50c5170a16e71f2ac2064784847044c55f170f6cfe9bacdafe0d092780
SHA512 1a96dfda1f9be9aaf503191dd15d76e14dc8026d89d62f6ae046dd91e12f3b212e44007068fd783551d9e7418d6096403c8dbdcfb6199e589e953c3d84461613

C:\Windows\system\uOdpPso.exe

MD5 73a8f5616aa35326986d84bf09469e48
SHA1 ece82facb5a120cb7b952f4af2fbb55f53ffa8a5
SHA256 f81d2e35904e343e629e0082320513917ea04e918ef93546da900bae434ad59a
SHA512 cb0bd39c469fa49e65d414374cfa0bf3b2bf7ce1533e12e616a9923932939b2d2ce57445f040e7c8ed8a22d4ef506a0f714353e43d79fad902b6afa5c23af568

memory/1364-98-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/1852-97-0x000000013FE80000-0x00000001401D4000-memory.dmp

C:\Windows\system\ZiyaJjI.exe

MD5 e56aa014dd55849a5d9d097e9e3855ac
SHA1 3f75552d40a8463293018167f5fb620f3e5470ec
SHA256 a7fc8c7294b8c3862b88e61e0032631721f2c2ab5e6f2d9f83957fb445cc37dd
SHA512 d8f4482cbe4213169fdda0f16fc5811eafa413def2e3f5b525e41a63255fdcbc2b247511ac62fbdf776ee62081fd10775699bbf8bdd2bf77f8fcb7efd51d7383

memory/2360-91-0x000000013F770000-0x000000013FAC4000-memory.dmp

C:\Windows\system\ItqrNig.exe

MD5 247b636d058f93164851f9a78934240e
SHA1 07cd6225f10c897252b42b302ffe774e2850f25d
SHA256 060c8a9b0e01a0128984b70e99a78bb20b7c5c8fa83dc878167fcb41d563ba9b
SHA512 5b849a1f467e8f004d0bb08d4be70cd35b332bed5fafa7fc3cd1ecca36718b2cdc473a05f92e3cd09f60bfe24d5094c2f06890a0bf2722dbaa178249e4ea9d2c

memory/1624-85-0x000000013F100000-0x000000013F454000-memory.dmp

memory/1852-84-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2624-83-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

C:\Windows\system\foGWbzn.exe

MD5 3bad29f47325c67c8b98821405a7d2ac
SHA1 4ad7e7305ca02946ad3e9dae04d7c5fab4546d9e
SHA256 0037bf92c6d3bbb963fd898621ff9ddaf3be982489277c181e73885a1eb2fd61
SHA512 b448bf7502b94afce2bfeabfdc53d30e51fd84a03e570c394d8709bc5d8c2290a14b75a34c066b6433328c33dc308ba9f010c67e19d9b897a1f8573b63e39fe7

C:\Windows\system\NwzqKsN.exe

MD5 3aa09174fe7939c3cd116eefbc83c7df
SHA1 7f1d984d7debc7993544ebe3aaf5fc3dba829257
SHA256 185ac90a414527dc1e62765c84a018253c5ccbed1aec6a241a26f811a933a35d
SHA512 1e885e6c8bf95eeff27a340e448ac4616afe621995726846c163b1919e20b26a4461fadf0e22f545ced3009902801fbfb6be9fdb45cdf18fc913c2fe113f6900

memory/1852-70-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2588-63-0x000000013FE00000-0x0000000140154000-memory.dmp

C:\Windows\system\QvENAFT.exe

MD5 caec2d14f7040cceb85e60fc633a8f0b
SHA1 5e837d2ec3329e2f1094a5e99e358eb930319451
SHA256 854efbb3e06af32360c607e913f1ab285bfeb8bb41f67ad4e713cf4de8502625
SHA512 acf2ae5dddab09a8ff8d571e55ea40d0eb7e1c951ecf770118a510e40930a3f282cb1d131a648562650bbf66b6a65cc9670b97886ebb833a9a34918fd3a3e6aa

memory/1852-47-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2656-24-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/1852-18-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/2640-135-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2588-137-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/1852-136-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/1852-138-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/3068-139-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2384-140-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/1852-141-0x000000013F100000-0x000000013F454000-memory.dmp

memory/1624-142-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2360-144-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/1852-143-0x00000000023F0000-0x0000000002744000-memory.dmp

memory/1364-146-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/1852-145-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/2248-147-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2656-148-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/2572-149-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2224-150-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/2744-151-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2624-152-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/2640-153-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2508-154-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2588-155-0x000000013FE00000-0x0000000140154000-memory.dmp

memory/3068-156-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2384-157-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/1624-158-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2360-159-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/1364-160-0x000000013FE80000-0x00000001401D4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 21:29

Reported

2024-06-09 21:32

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 matches, no details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 matches, no details recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 matches, no details recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 matches, no details recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 matches, no details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yxdtKaS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QvENAFT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uOdpPso.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VCHXHTN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tbTWPZA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SQEhXIF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LWqNinM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jaqMdNR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tzGjiqJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pkFkGMy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NHiqszG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ItqrNig.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qQNCGWD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TNJKVNK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ygwZQzg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zQcssCB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HTLkZai.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\foGWbzn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NwzqKsN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZiyaJjI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QLGKsVN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4608 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\pkFkGMy.exe
PID 4608 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\pkFkGMy.exe
PID 4608 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\zQcssCB.exe
PID 4608 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\zQcssCB.exe
PID 4608 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\VCHXHTN.exe
PID 4608 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\VCHXHTN.exe
PID 4608 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\tbTWPZA.exe
PID 4608 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\tbTWPZA.exe
PID 4608 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\SQEhXIF.exe
PID 4608 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\SQEhXIF.exe
PID 4608 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\NHiqszG.exe
PID 4608 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\NHiqszG.exe
PID 4608 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\HTLkZai.exe
PID 4608 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\HTLkZai.exe
PID 4608 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\LWqNinM.exe
PID 4608 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\LWqNinM.exe
PID 4608 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\yxdtKaS.exe
PID 4608 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\yxdtKaS.exe
PID 4608 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\QvENAFT.exe
PID 4608 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\QvENAFT.exe
PID 4608 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\foGWbzn.exe
PID 4608 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\foGWbzn.exe
PID 4608 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\NwzqKsN.exe
PID 4608 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\NwzqKsN.exe
PID 4608 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\ItqrNig.exe
PID 4608 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\ItqrNig.exe
PID 4608 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZiyaJjI.exe
PID 4608 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZiyaJjI.exe
PID 4608 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\qQNCGWD.exe
PID 4608 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\qQNCGWD.exe
PID 4608 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\uOdpPso.exe
PID 4608 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\uOdpPso.exe
PID 4608 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\TNJKVNK.exe
PID 4608 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\TNJKVNK.exe
PID 4608 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\QLGKsVN.exe
PID 4608 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\QLGKsVN.exe
PID 4608 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\ygwZQzg.exe
PID 4608 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\ygwZQzg.exe
PID 4608 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\tzGjiqJ.exe
PID 4608 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\tzGjiqJ.exe
PID 4608 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\jaqMdNR.exe
PID 4608 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe C:\Windows\System\jaqMdNR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_7c771632b64aa458045339ca41876f72_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\pkFkGMy.exe

C:\Windows\System\pkFkGMy.exe

C:\Windows\System\zQcssCB.exe

C:\Windows\System\zQcssCB.exe

C:\Windows\System\VCHXHTN.exe

C:\Windows\System\VCHXHTN.exe

C:\Windows\System\tbTWPZA.exe

C:\Windows\System\tbTWPZA.exe

C:\Windows\System\SQEhXIF.exe

C:\Windows\System\SQEhXIF.exe

C:\Windows\System\NHiqszG.exe

C:\Windows\System\NHiqszG.exe

C:\Windows\System\HTLkZai.exe

C:\Windows\System\HTLkZai.exe

C:\Windows\System\LWqNinM.exe

C:\Windows\System\LWqNinM.exe

C:\Windows\System\yxdtKaS.exe

C:\Windows\System\yxdtKaS.exe

C:\Windows\System\QvENAFT.exe

C:\Windows\System\QvENAFT.exe

C:\Windows\System\foGWbzn.exe

C:\Windows\System\foGWbzn.exe

C:\Windows\System\NwzqKsN.exe

C:\Windows\System\NwzqKsN.exe

C:\Windows\System\ItqrNig.exe

C:\Windows\System\ItqrNig.exe

C:\Windows\System\ZiyaJjI.exe

C:\Windows\System\ZiyaJjI.exe

C:\Windows\System\qQNCGWD.exe

C:\Windows\System\qQNCGWD.exe

C:\Windows\System\uOdpPso.exe

C:\Windows\System\uOdpPso.exe

C:\Windows\System\TNJKVNK.exe

C:\Windows\System\TNJKVNK.exe

C:\Windows\System\QLGKsVN.exe

C:\Windows\System\QLGKsVN.exe

C:\Windows\System\ygwZQzg.exe

C:\Windows\System\ygwZQzg.exe

C:\Windows\System\tzGjiqJ.exe

C:\Windows\System\tzGjiqJ.exe

C:\Windows\System\jaqMdNR.exe

C:\Windows\System\jaqMdNR.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/4608-0-0x00007FF668F90000-0x00007FF6692E4000-memory.dmp

memory/4608-1-0x0000021491BD0000-0x0000021491BE0000-memory.dmp

C:\Windows\System\pkFkGMy.exe

MD5 9b88a0dc12e2f1c3eef6bf54f35b6379
SHA1 fc04890e577ef33e6611c8d3b41521feb93dd372
SHA256 1d48bd7a006c324e994b859650e4c45c9b9048dfee33e8321b240e16607b0d0f
SHA512 0e0cadc13a76ee3dff1c9c7887193c19d7cdd5f7205a16a1065a8eef7d90e1241e2ba328c8f054bbe97cb4fa33e272bc45852a0b0daadc3da7c04d0f6a711de8

C:\Windows\System\zQcssCB.exe

MD5 67b828e554a5ae91eae0837e09f069c5
SHA1 17fa15e1dfe229ef05c3e51910d3d6ddb24a002d
SHA256 b017391d7fe7dc0d7b0a8ac80b3a5e333732c6048fdf565d7a75ce26b0a7ce14
SHA512 2d2a5679ffb99ae664b2e7070b15888553e4ccd9b118b9c838c3c2485332c0d7fa08490ba1879c9863d6f78ac55dfb01cbb90427e4a1d7afcdce33b29745cd04

memory/2020-12-0x00007FF68A9B0000-0x00007FF68AD04000-memory.dmp

memory/4320-14-0x00007FF7B9FF0000-0x00007FF7BA344000-memory.dmp

C:\Windows\System\VCHXHTN.exe

MD5 7ae683da5839006a226950b10e50e3db
SHA1 895aaa41a20d4bba42e0870a659f950d514e56d7
SHA256 c3ad82901bab4a78ea191679c45577e18b03235146f434e255f68d85fa50e81f
SHA512 fa2af20f3c276d681e312b0100a2d3fc6d23a26827e6cb3f3e78f8a4d51edc1868d203040bf05dbd9899165d6416fb6655c7d9769eaf15f06db8314d8aa86cd6

memory/4624-18-0x00007FF76E1C0000-0x00007FF76E514000-memory.dmp

C:\Windows\System\tbTWPZA.exe

MD5 2f7997422ee3c55e3e21b02cb2afae75
SHA1 159b7d5d33def7f387367ef10082ea3e5e17876d
SHA256 bd30f36772cbfcc16d8fb691ad96af17dc4e442383da5b4e8d5066da5abc7e91
SHA512 1dd2b7b1b5db66472c9e84a8c7656288ad458329672ac9f0a9195cd1e4ecac5dd7cf42a2060ae11dcd3649863ba181eb701b23bee9fe68d6520bc62bc6a36597

C:\Windows\System\SQEhXIF.exe

MD5 ed2dee693b69ce0087a84a4d7e554dbf
SHA1 ecf15424a0068583205c1468d4074f1841fcce51
SHA256 b74ed7dca4fffa6f142155a866479d3f4bf94df82680ceb1880d8eedc0a400cc
SHA512 2fc1f2110f62f90f3da4f06a30a369a96e4ad15594864cac4632346498a6e346aacf17ff93777710854b08067b720ea9e91797eb05bbfda21575388ce237bafe

C:\Windows\System\NHiqszG.exe

MD5 6cc7c6ce873a150c31ec8d84ce029bdf
SHA1 89680537e2f589687cc11f063820d9f5cebd88e2
SHA256 fdb935ab52fccb93964432711e6a82ca709b40b853017074d7a242858fcb556e
SHA512 d4042581bb6f305d7401faefff76c5d490411f8b398e832b79d7dce9e02ba8d069d38056001105d3b48d60274ee1d3a60321e5d124a980b1051c17b97af5d583

memory/2900-34-0x00007FF7C0DB0000-0x00007FF7C1104000-memory.dmp

memory/4860-37-0x00007FF692200000-0x00007FF692554000-memory.dmp

memory/4856-33-0x00007FF7614A0000-0x00007FF7617F4000-memory.dmp

C:\Windows\System\HTLkZai.exe

MD5 f940596492c124eca11b48dd9aa0c8b6
SHA1 9b41e9206679aa5f80fc6b1cf59a7cc174c8c52d
SHA256 bbd506f228328b3660744c6524c66674b797ac24ec2c1a4b1f36ad86905b6413
SHA512 f64877d9387309efca38081d7a9e18a60587fcded02148c3702d29c74904f58594773fd116c829fbb6f30523ef582bdab3d6cae57588c8aa50381d483b388a8c

memory/884-43-0x00007FF6EB560000-0x00007FF6EB8B4000-memory.dmp

memory/1304-50-0x00007FF738160000-0x00007FF7384B4000-memory.dmp

C:\Windows\System\yxdtKaS.exe

MD5 e22bf7a71834d66d73cc16c7a44c9d51
SHA1 872492eb460855a02afe5adbaffdb16b0f16e230
SHA256 99d0d7e03908bbd25ee8446fd0f22c7675431979dfa78fbc736f32ce62cd7d4a
SHA512 14584d311c33381c30ff382555c846f2994ee20d1bcc459fff90ade5b856d247beaf5e5b496ddaf319e53fa7ab1b178d0220d704d3153a3252ff7fcda5cf5575

memory/3112-54-0x00007FF7B8850000-0x00007FF7B8BA4000-memory.dmp

C:\Windows\System\LWqNinM.exe

MD5 af39a8c3c4265719da3e0aea0b8fd9bb
SHA1 1f977ea80bb98fad0f8199f0689c8af191be46b3
SHA256 1fa6a06d44ee554c652d8bb198438796e1d22667cf434203c2a281af7203af8d
SHA512 0d984d802881d91cd93453bbdf5bb5bf91ad2a8f342f222d53ed441d6ded93aee4b3b088401f5651c252c55ff9e06e1a8c69aa7bfb807ce876f060134e2953b7

C:\Windows\System\QvENAFT.exe

MD5 caec2d14f7040cceb85e60fc633a8f0b
SHA1 5e837d2ec3329e2f1094a5e99e358eb930319451
SHA256 854efbb3e06af32360c607e913f1ab285bfeb8bb41f67ad4e713cf4de8502625
SHA512 acf2ae5dddab09a8ff8d571e55ea40d0eb7e1c951ecf770118a510e40930a3f282cb1d131a648562650bbf66b6a65cc9670b97886ebb833a9a34918fd3a3e6aa

C:\Windows\System\foGWbzn.exe

MD5 3bad29f47325c67c8b98821405a7d2ac
SHA1 4ad7e7305ca02946ad3e9dae04d7c5fab4546d9e
SHA256 0037bf92c6d3bbb963fd898621ff9ddaf3be982489277c181e73885a1eb2fd61
SHA512 b448bf7502b94afce2bfeabfdc53d30e51fd84a03e570c394d8709bc5d8c2290a14b75a34c066b6433328c33dc308ba9f010c67e19d9b897a1f8573b63e39fe7

memory/1092-67-0x00007FF71AFE0000-0x00007FF71B334000-memory.dmp

memory/4608-72-0x00007FF668F90000-0x00007FF6692E4000-memory.dmp

C:\Windows\System\NwzqKsN.exe

MD5 3aa09174fe7939c3cd116eefbc83c7df
SHA1 7f1d984d7debc7993544ebe3aaf5fc3dba829257
SHA256 185ac90a414527dc1e62765c84a018253c5ccbed1aec6a241a26f811a933a35d
SHA512 1e885e6c8bf95eeff27a340e448ac4616afe621995726846c163b1919e20b26a4461fadf0e22f545ced3009902801fbfb6be9fdb45cdf18fc913c2fe113f6900

memory/1520-74-0x00007FF68E770000-0x00007FF68EAC4000-memory.dmp

memory/2020-73-0x00007FF68A9B0000-0x00007FF68AD04000-memory.dmp

memory/1628-62-0x00007FF62F800000-0x00007FF62FB54000-memory.dmp

C:\Windows\System\ItqrNig.exe

MD5 247b636d058f93164851f9a78934240e
SHA1 07cd6225f10c897252b42b302ffe774e2850f25d
SHA256 060c8a9b0e01a0128984b70e99a78bb20b7c5c8fa83dc878167fcb41d563ba9b
SHA512 5b849a1f467e8f004d0bb08d4be70cd35b332bed5fafa7fc3cd1ecca36718b2cdc473a05f92e3cd09f60bfe24d5094c2f06890a0bf2722dbaa178249e4ea9d2c

C:\Windows\System\ZiyaJjI.exe

MD5 e56aa014dd55849a5d9d097e9e3855ac
SHA1 3f75552d40a8463293018167f5fb620f3e5470ec
SHA256 a7fc8c7294b8c3862b88e61e0032631721f2c2ab5e6f2d9f83957fb445cc37dd
SHA512 d8f4482cbe4213169fdda0f16fc5811eafa413def2e3f5b525e41a63255fdcbc2b247511ac62fbdf776ee62081fd10775699bbf8bdd2bf77f8fcb7efd51d7383

C:\Windows\System\qQNCGWD.exe

MD5 7319cd32f72dff84c3df2a40277083d9
SHA1 e6194934e10620330d400a7b1010d73bdca53c80
SHA256 2b7eee50c5170a16e71f2ac2064784847044c55f170f6cfe9bacdafe0d092780
SHA512 1a96dfda1f9be9aaf503191dd15d76e14dc8026d89d62f6ae046dd91e12f3b212e44007068fd783551d9e7418d6096403c8dbdcfb6199e589e953c3d84461613

C:\Windows\System\uOdpPso.exe

MD5 73a8f5616aa35326986d84bf09469e48
SHA1 ece82facb5a120cb7b952f4af2fbb55f53ffa8a5
SHA256 f81d2e35904e343e629e0082320513917ea04e918ef93546da900bae434ad59a
SHA512 cb0bd39c469fa49e65d414374cfa0bf3b2bf7ce1533e12e616a9923932939b2d2ce57445f040e7c8ed8a22d4ef506a0f714353e43d79fad902b6afa5c23af568

memory/2648-104-0x00007FF601D40000-0x00007FF602094000-memory.dmp

C:\Windows\System\TNJKVNK.exe

MD5 3c114d37694e4868f124e0b8a4e52932
SHA1 2ff00d0e780f802786d875a2c7900ccb9549729a
SHA256 df830f5004872aa2610e584ad3d1645e7f44e22c153e1e66165f9fc260d78457
SHA512 5f7d5b74900e588223b6a11138e1fa35dd7384dc95ae06f4555afce0ea52434c19130f2ec1e523df3fe9a944c814a4812582b46f3ef78f69fcacb2dbfc37e88e

memory/4460-107-0x00007FF6F69D0000-0x00007FF6F6D24000-memory.dmp

C:\Windows\System\ygwZQzg.exe

MD5 7f573638c8e22022dd5dfb27b8c09bbc
SHA1 e0021efcda9d6de98eab65dad0f1a37c31b351ce
SHA256 cf21f5e9a5b7b1f1ac16f56ec130fe74b15c1cc3b03820c84372b4cf04bcc735
SHA512 5e04e4ef8c6f87b835cb6a88ff562890d2c35e469ed1e9d4e8a0bd8d2c60c3588e756c3b56c1d5bd4dba238611809f6c35b48ffd25889d8b06b09ab7f33b8ab4

C:\Windows\System\QLGKsVN.exe

MD5 023e3d4f2fc6ae1c3ec76c906b887dc6
SHA1 e0754de08f3f40958c635d24b9e7a8ee1b01e6f6
SHA256 39498dcc2769c2ff609571fe257d8830690b858b6b05ac27c19f18e141c49fa1
SHA512 d71c14b66458a761ea6812ccba1326d2ae9e3c4308551cd66932526cb96c9102853e0cc3f7fa931ef6ea236600cd169e7f89a8df22f5823c8775d338a615c1b0

memory/4572-124-0x00007FF7A73C0000-0x00007FF7A7714000-memory.dmp

C:\Windows\System\tzGjiqJ.exe

MD5 1a40026d37bb906c68f39b864cfbc2f8
SHA1 fb087b85bd4da0e94daeb28023b7f1a63d57c091
SHA256 fac2e2f7536ee0787aabc4f62d50a4107402390961a4a1a942a2d38f3e26d405
SHA512 1dce385e438b79d1d5e6b4d3a518efff19ff5fcd43b347af58fcd654bcd25f4e0020367150e1aaf11ea2ccee39a002c1d710336274a732eadf8bd2af174a2f3c

memory/4928-126-0x00007FF6404B0000-0x00007FF640804000-memory.dmp

memory/5036-125-0x00007FF711870000-0x00007FF711BC4000-memory.dmp

memory/884-121-0x00007FF6EB560000-0x00007FF6EB8B4000-memory.dmp

memory/4024-105-0x00007FF791010000-0x00007FF791364000-memory.dmp

memory/4860-106-0x00007FF692200000-0x00007FF692554000-memory.dmp

memory/4624-100-0x00007FF76E1C0000-0x00007FF76E514000-memory.dmp

memory/4792-93-0x00007FF619630000-0x00007FF619984000-memory.dmp

memory/4320-86-0x00007FF7B9FF0000-0x00007FF7BA344000-memory.dmp

memory/232-82-0x00007FF649F30000-0x00007FF64A284000-memory.dmp

C:\Windows\System\jaqMdNR.exe

MD5 69b1a4b0a22776ece358a5ba4bb8cca4
SHA1 fa80c9afa67afd8be46b737f3fb746d56e5066ae
SHA256 b51c3f2b7e353677a10269da720a912d09992b16c1c6bb5f0131facf9d03d829
SHA512 6f7b54e8729086d637ee700f7413cf57e081bff9450c54e4bdfbefd1c8c6e9259e6e38f1a345ff25eb10a96c493ce447fab61c8d5fd79db0ab5985c5c677df40

memory/1304-133-0x00007FF738160000-0x00007FF7384B4000-memory.dmp

memory/1104-134-0x00007FF788490000-0x00007FF7887E4000-memory.dmp

memory/3112-135-0x00007FF7B8850000-0x00007FF7B8BA4000-memory.dmp

memory/1628-136-0x00007FF62F800000-0x00007FF62FB54000-memory.dmp

memory/1092-137-0x00007FF71AFE0000-0x00007FF71B334000-memory.dmp

memory/1520-138-0x00007FF68E770000-0x00007FF68EAC4000-memory.dmp

memory/4460-139-0x00007FF6F69D0000-0x00007FF6F6D24000-memory.dmp

memory/4928-140-0x00007FF6404B0000-0x00007FF640804000-memory.dmp

memory/2020-141-0x00007FF68A9B0000-0x00007FF68AD04000-memory.dmp

memory/4320-142-0x00007FF7B9FF0000-0x00007FF7BA344000-memory.dmp

memory/4856-143-0x00007FF7614A0000-0x00007FF7617F4000-memory.dmp

memory/2900-144-0x00007FF7C0DB0000-0x00007FF7C1104000-memory.dmp

memory/4624-145-0x00007FF76E1C0000-0x00007FF76E514000-memory.dmp

memory/4860-146-0x00007FF692200000-0x00007FF692554000-memory.dmp

memory/884-147-0x00007FF6EB560000-0x00007FF6EB8B4000-memory.dmp

memory/1304-148-0x00007FF738160000-0x00007FF7384B4000-memory.dmp

memory/3112-149-0x00007FF7B8850000-0x00007FF7B8BA4000-memory.dmp

memory/1628-150-0x00007FF62F800000-0x00007FF62FB54000-memory.dmp

memory/1092-151-0x00007FF71AFE0000-0x00007FF71B334000-memory.dmp

memory/1520-152-0x00007FF68E770000-0x00007FF68EAC4000-memory.dmp

memory/232-153-0x00007FF649F30000-0x00007FF64A284000-memory.dmp

memory/4792-154-0x00007FF619630000-0x00007FF619984000-memory.dmp

memory/4024-156-0x00007FF791010000-0x00007FF791364000-memory.dmp

memory/2648-155-0x00007FF601D40000-0x00007FF602094000-memory.dmp

memory/4460-157-0x00007FF6F69D0000-0x00007FF6F6D24000-memory.dmp

memory/4572-158-0x00007FF7A73C0000-0x00007FF7A7714000-memory.dmp

memory/5036-159-0x00007FF711870000-0x00007FF711BC4000-memory.dmp

memory/4928-160-0x00007FF6404B0000-0x00007FF640804000-memory.dmp

memory/1104-161-0x00007FF788490000-0x00007FF7887E4000-memory.dmp
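Before acting on the verdicts above, an analyst wants to settle a few points the tables leave implicit: whether PID 4608 wrote only into processes it had itself just spawned (a parent writing into a freshly created child is what launching a dropped executable looks like, whereas writes into a process the sample did not create would point to injection), how large the dumped regions are and whether they all share one size, what the SeLockMemoryPrivilege request is for, and which hosts the in-addr.arpa queries actually name. The Python below is an added example, not part of this report or of the sandbox's tooling. It parses the report's own row formats over an excerpt copied from the tables above, with the long sample filename abbreviated to SAMPLE.exe; it treats "System" and "system" as the same directory because NTFS paths are case-insensitive; and it relies on one outside fact, that XMRig requests SeLockMemoryPrivilege so its scratchpad can be backed by large pages.

```python
"""Analyst checks over the behavioral2 tables above. Added example, not part of
the sandbox report: it parses the report's own row formats and answers what the
verdict leaves open (who wrote into whom, region sizes, privilege, DNS pivots)."""
import re
from collections import Counter, defaultdict

# Rows copied from the report above, trimmed so the example runs stand-alone.
# The long sample filename is abbreviated to SAMPLE.exe.
REPORT_EXCERPT = r"""
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe N/A
PID 4608 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\System\pkFkGMy.exe
PID 4608 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\System\pkFkGMy.exe
PID 4608 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\System\zQcssCB.exe
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
memory/4608-0-0x00007FF668F90000-0x00007FF6692E4000-memory.dmp
memory/4608-1-0x0000021491BD0000-0x0000021491BE0000-memory.dmp
memory/2020-12-0x00007FF68A9B0000-0x00007FF68AD04000-memory.dmp
memory/4320-14-0x00007FF7B9FF0000-0x00007FF7BA344000-memory.dmp
C:\Windows\System\pkFkGMy.exe
MD5 9b88a0dc12e2f1c3eef6bf54f35b6379
SHA256 1d48bd7a006c324e994b859650e4c45c9b9048dfee33e8321b240e16607b0d0f
C:\Windows\System\QvENAFT.exe
SHA256 854efbb3e06af32360c607e913f1ab285bfeb8bb41f67ad4e713cf4de8502625
C:\Windows\system\QvENAFT.exe
SHA256 854efbb3e06af32360c607e913f1ab285bfeb8bb41f67ad4e713cf4de8502625
"""
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A \S+ (\S+)$")
TOKEN_RE = re.compile(r"^Token: (Se\w+Privilege)\b")
NET_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+)(?: (\S+))? (udp|tcp)$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\Windows\\System\\\w+\.exe$", re.IGNORECASE)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")

def rows(text, regex):
    """Regex matches over the stripped lines of a report excerpt."""
    return [m for m in (regex.match(ln.strip()) for ln in text.splitlines()) if m]

def parse_dumps(text):
    """memory/<pid>-<n>-<start>-<end>-memory.dmp -> (pid, start, size in bytes)."""
    return [(int(m[1]), int(m[2], 16), int(m[3], 16) - int(m[2], 16)) for m in rows(text, DUMP_RE)]

def parse_writes(text):
    """Distinct (writer pid, target pid, target image); the report lists each write twice."""
    return sorted({(int(m[1]), int(m[2]), m[3]) for m in rows(text, WRITE_RE)})

def ptr_to_ip(name):
    """232.168.11.51.in-addr.arpa -> 51.11.168.232, the host the sandbox looked up."""
    return ".".join(reversed(name.removesuffix(".in-addr.arpa").split(".")))

def parse_network(text):
    """Hosts named in PTR queries, and direct connections with their repeat count."""
    ptr_ips, conns = set(), Counter()
    for m in rows(text, NET_RE):
        _country, host, port, domain, proto = m.groups()
        if domain and domain.endswith(".in-addr.arpa"):
            ptr_ips.add(ptr_to_ip(domain))
        elif domain in (None, "N/A"):  # rows with no domain column, or an explicit N/A
            conns[(host, int(port), proto)] += 1
    return sorted(ptr_ips), dict(conns)

def parse_dropped(text):
    """Dropped path -> {algo: hashes}. Paths are case-folded: NTFS ignores case
    and the report writes both 'System' and 'system' for the same directory."""
    files, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if PATH_RE.match(line):
            current = line.lower()
            files.setdefault(current, defaultdict(set))
        elif current and (m := HASH_RE.match(line)):
            files[current][m[1]].add(m[2])
        elif line:
            current = None
    return files

def summarize(text):
    dumps, writes, files = parse_dumps(text), parse_writes(text), parse_dropped(text)
    sizes = Counter(size for _, _, size in dumps)
    image_size = sizes.most_common(1)[0][0]
    image_pids = {pid for pid, _, size in dumps if size == image_size}
    writers = defaultdict(set)
    for src, dst, _ in writes:
        writers[src].add(dst)
    ptr_ips, conns = parse_network(text)
    return {
        "image_size": image_size,
        "region_sizes": dict(sizes),
        "writers": {s: sorted(d) for s, d in writers.items()},
        # Every PID the parent wrote into is later dumped with a region of the
        # parent's own image size: the shape of launching the dropped copies,
        # not of writing into a process the sample did not create.
        "targets_dumped_as_image": all(d in image_pids for ds in writers.values() for d in ds),
        # XMRig requests SeLockMemoryPrivilege so its scratchpad can use large pages.
        "large_page_privilege": any(m[1] == "SeLockMemoryPrivilege" for m in rows(text, TOKEN_RE)),
        "unique_sha256": sorted({h for f in files.values() for h in f["SHA256"]}),
        "hash_conflicts": {p: sorted(f["SHA256"]) for p, f in files.items() if len(f["SHA256"]) > 1},
        "ptr_pivot_ips": ptr_ips,
        "direct_connections": conns,
    }
```

Calling summarize(REPORT_EXCERPT) on the excerpt reports one writer, 4608, whose targets 2020 and 4320 are both later dumped with a 0x354000-byte region, the same size as 4608's own image (its 0x10000-byte region at index 1 is the odd one out), plus the large-page privilege, one PTR pivot (51.11.168.232) and two connections to 3.120.209.58:8080. Fed the full behavioral2 tables above, the same functions give one writer with twenty-one targets, all of them the dropped copies; every dumped region other than 4608-1 spanning 0x354000 bytes; all eight DNS rows being PTR queries; and six connections to 3.120.209.58:8080 with no domain recorded. The hash_conflicts check is the one to watch across detonations: the same dropped filename with a different SHA256 would mean the payload is rebuilt per run, while the matching hashes for QvENAFT.exe and its siblings in behavioral1 and behavioral2 show it is not.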