Malware Analysis Report

2024-10-16 03:05

Sample ID 240609-2cxxxagd66
Target 2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike
SHA256 be73d38918e9895dcffb6eb3b0029b556573695871bf59854ad5659d81a7120d
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

be73d38918e9895dcffb6eb3b0029b556573695871bf59854ad5659d81a7120d

Threat Level: Known bad

The file 2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

Detects Reflective DLL injection artifacts

Cobaltstrike

xmrig

UPX dump on OEP (original entry point)

Cobaltstrike family

Xmrig family

Cobalt Strike reflective loader

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 22:26

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 22:26

Reported

2024-06-09 22:29

Platform

win7-20240508-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\YDqFIOf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rdMsPCe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OmWaZwW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ciWwZFg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LyesjEd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SqiGhJL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gbVZdcx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LSpdlOp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KKVvQcQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nHjywUy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AIAwYVK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZaRAumN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ovtDHUV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HaFmuGI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MwUsMae.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vRuDKfB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SqMKUAx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kERTOFH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pndEHaX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eEEIoFE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kllPTPh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZaRAumN.exe
PID 1684 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\SqiGhJL.exe
PID 1684 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\gbVZdcx.exe
PID 1684 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\LyesjEd.exe
PID 1684 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\LSpdlOp.exe
PID 1684 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\kllPTPh.exe
PID 1684 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\SqMKUAx.exe
PID 1684 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\ovtDHUV.exe
PID 1684 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\KKVvQcQ.exe
PID 1684 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\nHjywUy.exe
PID 1684 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\YDqFIOf.exe
PID 1684 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\kERTOFH.exe
PID 1684 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\pndEHaX.exe
PID 1684 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\HaFmuGI.exe
PID 1684 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\rdMsPCe.exe
PID 1684 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\AIAwYVK.exe
PID 1684 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\MwUsMae.exe
PID 1684 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\OmWaZwW.exe
PID 1684 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\ciWwZFg.exe
PID 1684 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\vRuDKfB.exe
PID 1684 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\eEEIoFE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\ZaRAumN.exe

C:\Windows\System\ZaRAumN.exe

C:\Windows\System\SqiGhJL.exe

C:\Windows\System\SqiGhJL.exe

C:\Windows\System\gbVZdcx.exe

C:\Windows\System\gbVZdcx.exe

C:\Windows\System\LyesjEd.exe

C:\Windows\System\LyesjEd.exe

C:\Windows\System\LSpdlOp.exe

C:\Windows\System\LSpdlOp.exe

C:\Windows\System\kllPTPh.exe

C:\Windows\System\kllPTPh.exe

C:\Windows\System\SqMKUAx.exe

C:\Windows\System\SqMKUAx.exe

C:\Windows\System\ovtDHUV.exe

C:\Windows\System\ovtDHUV.exe

C:\Windows\System\KKVvQcQ.exe

C:\Windows\System\KKVvQcQ.exe

C:\Windows\System\nHjywUy.exe

C:\Windows\System\nHjywUy.exe

C:\Windows\System\YDqFIOf.exe

C:\Windows\System\YDqFIOf.exe

C:\Windows\System\kERTOFH.exe

C:\Windows\System\kERTOFH.exe

C:\Windows\System\pndEHaX.exe

C:\Windows\System\pndEHaX.exe

C:\Windows\System\HaFmuGI.exe

C:\Windows\System\HaFmuGI.exe

C:\Windows\System\rdMsPCe.exe

C:\Windows\System\rdMsPCe.exe

C:\Windows\System\AIAwYVK.exe

C:\Windows\System\AIAwYVK.exe

C:\Windows\System\MwUsMae.exe

C:\Windows\System\MwUsMae.exe

C:\Windows\System\OmWaZwW.exe

C:\Windows\System\OmWaZwW.exe

C:\Windows\System\ciWwZFg.exe

C:\Windows\System\ciWwZFg.exe

C:\Windows\System\vRuDKfB.exe

C:\Windows\System\vRuDKfB.exe

C:\Windows\System\eEEIoFE.exe

C:\Windows\System\eEEIoFE.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2660-29-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/1684-28-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2980-13-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2696-139-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2976-138-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2556-140-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2512-141-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2580-142-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2560-143-0x000000013F7E0000-0x000000013FB34000-memory.dmp

memory/1684-144-0x0000000002330000-0x0000000002684000-memory.dmp

memory/1968-145-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2980-146-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2140-147-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/2712-148-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/1620-149-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/2660-150-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2976-153-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2696-155-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2580-157-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2556-156-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/1968-154-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2512-152-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2560-151-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 22:26

Reported

2024-06-09 22:29

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\mZbGjsA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MuNLEuK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NIXJYYx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qxMfvQV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dLlgNNF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lyIDEfO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mCPDhwt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GKmHEez.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\keMBunp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JooAfFM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qJwqSJO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dwabhDK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KBbhHcG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jfLQAmX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LjBahVc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HSEEmnA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\btmYHwk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cbBuEpy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zqAHFZa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uPWevJa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vvtXbfJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2508 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\dLlgNNF.exe
PID 2508 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\dLlgNNF.exe
PID 2508 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\mZbGjsA.exe
PID 2508 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\mZbGjsA.exe
PID 2508 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\HSEEmnA.exe
PID 2508 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\HSEEmnA.exe
PID 2508 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\lyIDEfO.exe
PID 2508 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\lyIDEfO.exe
PID 2508 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\btmYHwk.exe
PID 2508 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\btmYHwk.exe
PID 2508 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\mCPDhwt.exe
PID 2508 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\mCPDhwt.exe
PID 2508 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\cbBuEpy.exe
PID 2508 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\cbBuEpy.exe
PID 2508 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\GKmHEez.exe
PID 2508 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\GKmHEez.exe
PID 2508 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\MuNLEuK.exe
PID 2508 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\MuNLEuK.exe
PID 2508 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqAHFZa.exe
PID 2508 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\zqAHFZa.exe
PID 2508 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\uPWevJa.exe
PID 2508 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\uPWevJa.exe
PID 2508 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\keMBunp.exe
PID 2508 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\keMBunp.exe
PID 2508 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\vvtXbfJ.exe
PID 2508 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\vvtXbfJ.exe
PID 2508 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\jfLQAmX.exe
PID 2508 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\jfLQAmX.exe
PID 2508 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\qJwqSJO.exe
PID 2508 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\qJwqSJO.exe
PID 2508 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\JooAfFM.exe
PID 2508 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\JooAfFM.exe
PID 2508 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\dwabhDK.exe
PID 2508 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\dwabhDK.exe
PID 2508 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\LjBahVc.exe
PID 2508 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\LjBahVc.exe
PID 2508 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\NIXJYYx.exe
PID 2508 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\NIXJYYx.exe
PID 2508 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\KBbhHcG.exe
PID 2508 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\KBbhHcG.exe
PID 2508 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\qxMfvQV.exe
PID 2508 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe C:\Windows\System\qxMfvQV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_d796d424322cef72677516413c99bd19_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\dLlgNNF.exe

C:\Windows\System\dLlgNNF.exe

C:\Windows\System\mZbGjsA.exe

C:\Windows\System\mZbGjsA.exe

C:\Windows\System\HSEEmnA.exe

C:\Windows\System\HSEEmnA.exe

C:\Windows\System\lyIDEfO.exe

C:\Windows\System\lyIDEfO.exe

C:\Windows\System\btmYHwk.exe

C:\Windows\System\btmYHwk.exe

C:\Windows\System\mCPDhwt.exe

C:\Windows\System\mCPDhwt.exe

C:\Windows\System\cbBuEpy.exe

C:\Windows\System\cbBuEpy.exe

C:\Windows\System\GKmHEez.exe

C:\Windows\System\GKmHEez.exe

C:\Windows\System\MuNLEuK.exe

C:\Windows\System\MuNLEuK.exe

C:\Windows\System\zqAHFZa.exe

C:\Windows\System\zqAHFZa.exe

C:\Windows\System\uPWevJa.exe

C:\Windows\System\uPWevJa.exe

C:\Windows\System\keMBunp.exe

C:\Windows\System\keMBunp.exe

C:\Windows\System\vvtXbfJ.exe

C:\Windows\System\vvtXbfJ.exe

C:\Windows\System\jfLQAmX.exe

C:\Windows\System\jfLQAmX.exe

C:\Windows\System\qJwqSJO.exe

C:\Windows\System\qJwqSJO.exe

C:\Windows\System\JooAfFM.exe

C:\Windows\System\JooAfFM.exe

C:\Windows\System\dwabhDK.exe

C:\Windows\System\dwabhDK.exe

C:\Windows\System\LjBahVc.exe

C:\Windows\System\LjBahVc.exe

C:\Windows\System\NIXJYYx.exe

C:\Windows\System\NIXJYYx.exe

C:\Windows\System\KBbhHcG.exe

C:\Windows\System\KBbhHcG.exe

C:\Windows\System\qxMfvQV.exe

C:\Windows\System\qxMfvQV.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2508-0-0x00007FF75BD00000-0x00007FF75C054000-memory.dmp

memory/2508-1-0x0000022FEC860000-0x0000022FEC870000-memory.dmp

C:\Windows\System\dLlgNNF.exe

MD5 e7e61f2daed3fa9fbd5981e2b302e75d
SHA1 fa976d266c19f068741f7c7cec2ddc8df934a234
SHA256 e139b8d604ba3dbb2f22e8f9a99112ff476f0533ad189077c48f00265690f1c0
SHA512 ecff4a7c81c43210ad00156f3c33913b79faf44aabb264cdb34ed51c2debdcfbeafed6a7c2c4dd337fea9ce521a9ba4cd3cda9e146d45cb72fd12b6a31fbc61f

memory/4220-8-0x00007FF694C00000-0x00007FF694F54000-memory.dmp

C:\Windows\System\mZbGjsA.exe

MD5 36009080d69ef1e1c4f5d1a08492e635
SHA1 7dd33d50d2b7d3f5081a5b329e25d451740d52aa
SHA256 b9341827c6340bc5c88254718570ba815793ecc9ba873570b55abc84c05351c5
SHA512 88ef701d1acfce4d522a59d85b5c0a9b0971e73ad60838ce42cb6ae169fc02686632d99098575acecf5539f89d39609e96437b328c1d3ae81a5d0485b809360f

C:\Windows\System\HSEEmnA.exe

MD5 0a0d91e88c85c9ca09f8095810e9aebc
SHA1 c1cd241dc9ffbd7c76928898ac041f56d8ed1a9a
SHA256 775411b18750bd9e224cc0adf596acb129fc4d93cbec451707b3d370ed9d93d7
SHA512 267e9fe36eb1611481fb63272d682e102fd0cce87d73c6b7256a9e84dab7eb2c2d8baf9bc4f574281373aa5f17223c3129e6dc2194b594953f934570487c8177

memory/2992-17-0x00007FF783140000-0x00007FF783494000-memory.dmp

memory/420-23-0x00007FF6CDBA0000-0x00007FF6CDEF4000-memory.dmp

C:\Windows\System\lyIDEfO.exe

MD5 f861eaf464b9bbc429da475ae8a4a9d2
SHA1 6e08622a29fc3cb261ea3c8af279f6d7e01debef
SHA256 d4af4c8a814f3368089e7acb255ebb701a995886c49d9e035f004bcf18f930e5
SHA512 a7e922b7c1ec243711cbe14313ecfdca74a899a39d3dc4b438c03aa37e9007924cbc1adf1584edc4ae6c8c4313ba546ac751ae93d9dfad3a0810d165b18d9eba

C:\Windows\System\btmYHwk.exe

MD5 07e7f14fdfc3a97e0179b83fa90a17c4
SHA1 4df4c44d4f23629949f1b42f31a0f4df6e63cea5
SHA256 629a3fc678a48f2589ae96291ce0012b7ce1d2d139f535873d83a69cea56657c
SHA512 516dac5fc8201752f50a78e9dd59bbe6ca7c6433fa8bc372859f5728445e84065f19ccbbba0d2df745ef24429978b209dcdeca4b402498e4025b39f3d986fa1b

memory/4452-38-0x00007FF738D60000-0x00007FF7390B4000-memory.dmp

C:\Windows\System\cbBuEpy.exe

MD5 98d7920a11e2dcfd80af6c92023c8af8
SHA1 abb3f35f035e96078942e95ae8ad664ebf0be3c4
SHA256 fa7a70263a318ab1433ecc2d31e30b48a02dc2080a318a65c70e37ddc8ccaaf2
SHA512 5f952292a96f087272eda9a3c82cddf3fb1514750fec16b7d6192bbf40e6efe2b147f3337ce1d0ed491412e6ec3332c841317fa31985bf20969c6b0886aea51e

memory/3596-42-0x00007FF763010000-0x00007FF763364000-memory.dmp

C:\Windows\System\GKmHEez.exe

MD5 9eb5cdcdbe4b1534a56499511d58b519
SHA1 4e291d56e06ec9c90ff77b4c8b3c1a690c65feea
SHA256 0a4cbd71eb2ac5cbd576e2dc261fb227dcb3c48e46061d808a687a11b0920861
SHA512 9344145e14dbaaec6ac83f60c87aabca49925e65affd938f7c547d8d845a49053e79044a8fb0f24bdad8a97275771fe17fb93e9a4de5aa5598ed78b67c7644ff

C:\Windows\System\MuNLEuK.exe

MD5 06d119694eaa6464bb8b930bd2ce9952
SHA1 01cf0c0960666981a1ad632d4f1340fdc751e771
SHA256 8dfb810564a75d82fe079a405a0ccd3eb668785dbb097551b702b8b894e41aea
SHA512 983c806d0aa33559c41ff1a016e788911eb04b7de8e609b58913b34de7c44095ea1de0b439a042f54c90686a57012f298514a224b351242eacaf48f05b6ed77c

C:\Windows\System\zqAHFZa.exe

MD5 6d6ac36a5e3b1b1ecf6d0812e1f48fec
SHA1 1c5c0fa2b0a8af3319b401e16e05b827eef049cb
SHA256 96f8433c17b993fdce4d0e80030b8b077016c3f5df74841e962c7707decf4ca9
SHA512 75d2bf2b22ca8ffef4b4022a679bf830b109be0d0143abab2046a5d74e705f96a29b99039d74068ee9e6ff811f1e4962cf06c07faea80e253f6265ed90c6eea9

C:\Windows\System\uPWevJa.exe

MD5 e7b17a8512dcc169b3d028b66d3fe5fb
SHA1 cd23e379e46d22041e55d8acc173388558f7b42d
SHA256 b0dfacb9e3895c09839318f8f650efea1ca8e017de0e64d62b3b7dfaa5a8868c
SHA512 bea1f1bb6fbe3941fb019055f9122dec0d2805cb64a482c9f9628cfc7e1fefce55b6c922825cefd8a8dd16b26195dc408bab22506c3db1780977393893e07359

C:\Windows\System\keMBunp.exe

MD5 4176808fd14a5440223875a4bea2997c
SHA1 aed1d2316a444142980a75223393f8d8a5d207c3
SHA256 2efbdcee485c65aeaf0f472289ff844721e94655af6469d02f07606e979973dd
SHA512 514f4eec5326184fea527351538d61974c0f44fb2e06c3ae7f039a96f3748a3b31e0ececc8658830e9af768de461b447456d42f3fbe9a723b29f1914c02aea2d

C:\Windows\System\JooAfFM.exe

MD5 e697dfd7d8edc5195950cc069172180c
SHA1 ae402ddfb7e67afdf4f9b289536973a4611e6886
SHA256 5ac639ff44a197d6396d2348db152bdcad4d44a253505e9c9b9d9e3f15d4c27f
SHA512 463f65db221ac45e3da3b2294207fc057a2c7832746ea77810a06aa0954f80172a1e86011a133feef3c4923544a9fd19f58001c489c9f3340c7fd0842d36ccf3

C:\Windows\System\NIXJYYx.exe

MD5 6e77d7bc145efd0089a9874d680fad60
SHA1 9c43e6fa1b008beaa79c795a72d9643cc81359bb
SHA256 414fc3ed1e54c23d902b6f4cf338acaebf9cccbd05d16a1d502b68d7610ef3b3
SHA512 e216889afbd47a9f4df11d07de87f43a6c011b724fedac42e219b624bdf5e0d3cf5c5576b54a7505ded59aac2ea693178565b0a19f0819c0f1f0e42e530af3ca

C:\Windows\System\qxMfvQV.exe

MD5 4e490385646b647ee7939b497e6a62a8
SHA1 63a708aa41f8191b1838065bdcad8383e77ebdea
SHA256 5a7f72c6932bc2f1bf07bfd82e960c7a8359b31ef5dead53cdddbd37d7fa34fb
SHA512 256343c978502f587aaade4c79259d7d7d0670772499141097c85eabc1ebd6d24b245ee0f7751ae7e5b2e7310eaafa653ce88ff36d2ca889d9515cc656ea59e6

C:\Windows\System\KBbhHcG.exe

MD5 70ace0a2372c871e1f24437c42310a83
SHA1 9ee18c39043af2c4d7fb6683758c8927798be9dc
SHA256 8792b15d3841fa6eafc8b4688566a322ae07eacb31875acef88a60de1c6884a4
SHA512 c4964a638be0e94f42c7724ca259889fa1891aebb9df0e7f03e4d6afd277ac7adab3eba10b6a121a3e26f7a8331a7499f23b4356f3d0971f83131dc8fbf3675d

C:\Windows\System\LjBahVc.exe

MD5 a19baf6c5d6502d2ccaeddaf3bba0c45
SHA1 3c48aa7d55c64b396e0099f033f7c82f0aa62bb9
SHA256 9991e53aae65f221991954d70ad9b2a47caebad1ffc13ff33c7635aa641394ec
SHA512 768f8167894b43d62e85cfb2cee6fe5fba6058de2f23e4b99617a3cfbb0b568ce5274c4932ca85b6d652be87ed9f692b828b266875ca7f803e495aa6614574be

C:\Windows\System\dwabhDK.exe

MD5 9ac5353d9127e91ed2d637cdfcc66174
SHA1 1bce71898e076dfb4fe36fc79a900c0b5038bfba
SHA256 f79e19c4dac344c9e1172a1f180c33c4ced441443e2db499132ac1a90ac93fd5
SHA512 3bbd7fe08d9fd9d7abb00fc150ee317b16a3717f6fcb2f9deadf243bce9707f1da8ae593a89b24b138e6759a356aa9c2bbe0360afe921d9afad5369f816a2941

C:\Windows\System\qJwqSJO.exe

MD5 ccf2bb9d568dce7f70712850d0f29024
SHA1 4811e5384d8aeefc53c34d63576f56164de771b6
SHA256 fbab05ba75d452917fffb2e1455a1ffa7847a403ca2d08e43e635b267cf950af
SHA512 6a817909530270b0ba92e31040502f79f85b7bfd9d50593982cdfd2e33686dd19d6da9bae2b07f1d3258cea70e6e31335f52e6441f85d11e481cec7d22ba5798

C:\Windows\System\jfLQAmX.exe

MD5 9ba79c5041f7c003da3e336668130bd3
SHA1 10ba009c8175c5f0cb0e26e6a2cf62b9385e0fe2
SHA256 7ee67fe109e057703334916c3df7dd55005f699abc2dd2822965a081e478d632
SHA512 454401207fa78c207e5b2784ad0b67549a44bada9d4d4f7ea9b5f716139702d5e38829e83dc99de82a9347a8733ce0074aae1ee5d4a9fd4f7b8a4288d7d55ab9

C:\Windows\System\vvtXbfJ.exe

MD5 08a16b4920a3c37d36d648d0efd73d80
SHA1 e74c1f04592ff2645d4ef9c374f02f33873afc87
SHA256 b0621190653e7da20d8af1ba98aad0b6fbbbe5eb76d3de04e3e463f121f7e4f2
SHA512 49df918a18571ab750b546ba9c9cfa226f2acd3731ef20f2c02b14d2088d30c5d69a0a0feff5be06627941a28fe268cec7da8579d0ead0748694b9fd69d140a5

memory/4244-53-0x00007FF782040000-0x00007FF782394000-memory.dmp

memory/3840-46-0x00007FF61C650000-0x00007FF61C9A4000-memory.dmp

memory/2568-43-0x00007FF6EB840000-0x00007FF6EBB94000-memory.dmp

C:\Windows\System\mCPDhwt.exe

MD5 e79c608a0a837beedd42caffddc178bb
SHA1 43c9008f642980859bf8b70dd350458b86942d3d
SHA256 57044da07165a1addc6765a7909ed583e5868af5b6e3fd7685ac528231d70c4b
SHA512 d3541a7465c86a9fc3556225aa9b0ceab77ef552989f564c03cf4a96229796e44ddba337196e78a4a734ee7f02ad2176c5d0418ce04364778afc76d16cfaecce

memory/472-29-0x00007FF744250000-0x00007FF7445A4000-memory.dmp

memory/4960-116-0x00007FF7078A0000-0x00007FF707BF4000-memory.dmp

memory/2796-117-0x00007FF60D790000-0x00007FF60DAE4000-memory.dmp

memory/3640-119-0x00007FF75C1F0000-0x00007FF75C544000-memory.dmp

memory/1680-118-0x00007FF693830000-0x00007FF693B84000-memory.dmp

memory/5076-120-0x00007FF748CD0000-0x00007FF749024000-memory.dmp

memory/2236-122-0x00007FF766290000-0x00007FF7665E4000-memory.dmp

memory/4984-121-0x00007FF7254E0000-0x00007FF725834000-memory.dmp

memory/4260-123-0x00007FF66F780000-0x00007FF66FAD4000-memory.dmp

memory/3752-124-0x00007FF6EAF70000-0x00007FF6EB2C4000-memory.dmp

memory/1720-125-0x00007FF728170000-0x00007FF7284C4000-memory.dmp

memory/1112-127-0x00007FF75FF60000-0x00007FF7602B4000-memory.dmp

memory/2260-126-0x00007FF666780000-0x00007FF666AD4000-memory.dmp

memory/2508-128-0x00007FF75BD00000-0x00007FF75C054000-memory.dmp

memory/4220-129-0x00007FF694C00000-0x00007FF694F54000-memory.dmp

memory/420-130-0x00007FF6CDBA0000-0x00007FF6CDEF4000-memory.dmp

memory/472-131-0x00007FF744250000-0x00007FF7445A4000-memory.dmp

memory/3596-132-0x00007FF763010000-0x00007FF763364000-memory.dmp

memory/3840-133-0x00007FF61C650000-0x00007FF61C9A4000-memory.dmp

memory/4244-134-0x00007FF782040000-0x00007FF782394000-memory.dmp

memory/4220-135-0x00007FF694C00000-0x00007FF694F54000-memory.dmp

memory/2992-136-0x00007FF783140000-0x00007FF783494000-memory.dmp

memory/420-137-0x00007FF6CDBA0000-0x00007FF6CDEF4000-memory.dmp

memory/472-138-0x00007FF744250000-0x00007FF7445A4000-memory.dmp

memory/4452-139-0x00007FF738D60000-0x00007FF7390B4000-memory.dmp

memory/2568-140-0x00007FF6EB840000-0x00007FF6EBB94000-memory.dmp

memory/3596-141-0x00007FF763010000-0x00007FF763364000-memory.dmp

memory/3840-142-0x00007FF61C650000-0x00007FF61C9A4000-memory.dmp

memory/4244-143-0x00007FF782040000-0x00007FF782394000-memory.dmp

memory/2796-144-0x00007FF60D790000-0x00007FF60DAE4000-memory.dmp

memory/4960-145-0x00007FF7078A0000-0x00007FF707BF4000-memory.dmp

memory/1680-146-0x00007FF693830000-0x00007FF693B84000-memory.dmp

memory/3640-149-0x00007FF75C1F0000-0x00007FF75C544000-memory.dmp

memory/2236-150-0x00007FF766290000-0x00007FF7665E4000-memory.dmp

memory/4260-151-0x00007FF66F780000-0x00007FF66FAD4000-memory.dmp

memory/4984-148-0x00007FF7254E0000-0x00007FF725834000-memory.dmp

memory/5076-147-0x00007FF748CD0000-0x00007FF749024000-memory.dmp

memory/3752-154-0x00007FF6EAF70000-0x00007FF6EB2C4000-memory.dmp

memory/1112-153-0x00007FF75FF60000-0x00007FF7602B4000-memory.dmp

memory/2260-152-0x00007FF666780000-0x00007FF666AD4000-memory.dmp

memory/1720-155-0x00007FF728170000-0x00007FF7284C4000-memory.dmp