Malware Analysis Report

2024-10-16 03:05

Sample ID 240609-txfkcsda88
Target 2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike
SHA256 50c482eb8c8ec835a252cabc66a32e1e7e21450e8be87088d6c16a8c93a033d1
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Cobalt Strike reflective loader

xmrig

Cobaltstrike family

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Cobaltstrike

XMRig Miner payload

Xmrig family

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 16:25

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 16:25

Reported

2024-06-09 16:28

Platform

win7-20240221-en

Max time kernel

135s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UHncPDO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rhooWSj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wrKDSEv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cfHqfOK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pmYHerU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WdZPgLu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QLCWpbM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eJgYiNB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PWLYtrI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wHnCrmt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OvTRkqO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rPVrzpw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HJgJCdS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\csPrnRv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xWIddhv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KtHTgMa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aPgQeBR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CHXKUmM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\stXfQbW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TVVkuZG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BMQOGtb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TVVkuZG.exe
PID 1920 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\xWIddhv.exe
PID 1920 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\QLCWpbM.exe
PID 1920 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KtHTgMa.exe
PID 1920 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWLYtrI.exe
PID 1920 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\BMQOGtb.exe
PID 1920 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\aPgQeBR.exe
PID 1920 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wHnCrmt.exe
PID 1920 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\OvTRkqO.exe
PID 1920 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\CHXKUmM.exe
PID 1920 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\eJgYiNB.exe
PID 1920 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPVrzpw.exe
PID 1920 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UHncPDO.exe
PID 1920 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rhooWSj.exe
PID 1920 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\HJgJCdS.exe
PID 1920 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wrKDSEv.exe
PID 1920 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\cfHqfOK.exe
PID 1920 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\pmYHerU.exe
PID 1920 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\stXfQbW.exe
PID 1920 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\csPrnRv.exe
PID 1920 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WdZPgLu.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\TVVkuZG.exe

C:\Windows\System\xWIddhv.exe

C:\Windows\System\QLCWpbM.exe

C:\Windows\System\KtHTgMa.exe

C:\Windows\System\PWLYtrI.exe

C:\Windows\System\BMQOGtb.exe

C:\Windows\System\aPgQeBR.exe

C:\Windows\System\wHnCrmt.exe

C:\Windows\System\OvTRkqO.exe

C:\Windows\System\CHXKUmM.exe

C:\Windows\System\eJgYiNB.exe

C:\Windows\System\rPVrzpw.exe

C:\Windows\System\UHncPDO.exe

C:\Windows\System\rhooWSj.exe

C:\Windows\System\HJgJCdS.exe

C:\Windows\System\wrKDSEv.exe

C:\Windows\System\cfHqfOK.exe

C:\Windows\System\pmYHerU.exe

C:\Windows\System\stXfQbW.exe

C:\Windows\System\csPrnRv.exe

C:\Windows\System\WdZPgLu.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

SHA512 63bb1e8c10ee1ecf938ef5de4d14608e37f85343755e360c98ab88fe422c8d7df4ae9be98e2c7dfece5bdcf015c3e18118ab9461ae34b301a3d073fbcd4bf820

memory/856-88-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/1920-137-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2060-138-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/1920-139-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/1920-140-0x000000013F100000-0x000000013F454000-memory.dmp

memory/832-141-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2020-142-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2632-143-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/3024-144-0x000000013F540000-0x000000013F894000-memory.dmp

memory/2556-145-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2712-146-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2512-147-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/2464-148-0x000000013FF60000-0x00000001402B4000-memory.dmp

memory/2372-149-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2368-151-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2576-150-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2060-152-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/856-153-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2328-154-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/832-155-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2020-156-0x000000013F1B0000-0x000000013F504000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 16:25

Reported

2024-06-09 16:28

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches, each with no description, indicator, process or target recorded (all N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches, each with no description, indicator, process or target recorded (all N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
64 matches, each with no description, indicator, process or target recorded (all N/A)

XMRig Miner payload

miner
Description Indicator Process Target
64 matches, each with no description, indicator, process or target recorded (all N/A)

UPX packed file

upx
Description Indicator Process Target
64 matches, each with no description, indicator, process or target recorded (all N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\csPrnRv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xWIddhv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PWLYtrI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CHXKUmM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UHncPDO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rhooWSj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HJgJCdS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cfHqfOK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BMQOGtb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aPgQeBR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wHnCrmt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pmYHerU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KtHTgMa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OvTRkqO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wrKDSEv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\stXfQbW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TVVkuZG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QLCWpbM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eJgYiNB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rPVrzpw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WdZPgLu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TVVkuZG.exe
PID 2964 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\TVVkuZG.exe
PID 2964 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\xWIddhv.exe
PID 2964 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\xWIddhv.exe
PID 2964 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\QLCWpbM.exe
PID 2964 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\QLCWpbM.exe
PID 2964 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KtHTgMa.exe
PID 2964 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\KtHTgMa.exe
PID 2964 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWLYtrI.exe
PID 2964 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWLYtrI.exe
PID 2964 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\BMQOGtb.exe
PID 2964 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\BMQOGtb.exe
PID 2964 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\aPgQeBR.exe
PID 2964 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\aPgQeBR.exe
PID 2964 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wHnCrmt.exe
PID 2964 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wHnCrmt.exe
PID 2964 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\OvTRkqO.exe
PID 2964 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\OvTRkqO.exe
PID 2964 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\CHXKUmM.exe
PID 2964 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\CHXKUmM.exe
PID 2964 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\eJgYiNB.exe
PID 2964 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\eJgYiNB.exe
PID 2964 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPVrzpw.exe
PID 2964 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPVrzpw.exe
PID 2964 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UHncPDO.exe
PID 2964 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\UHncPDO.exe
PID 2964 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rhooWSj.exe
PID 2964 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\rhooWSj.exe
PID 2964 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\HJgJCdS.exe
PID 2964 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\HJgJCdS.exe
PID 2964 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wrKDSEv.exe
PID 2964 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\wrKDSEv.exe
PID 2964 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\cfHqfOK.exe
PID 2964 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\cfHqfOK.exe
PID 2964 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\pmYHerU.exe
PID 2964 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\pmYHerU.exe
PID 2964 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\stXfQbW.exe
PID 2964 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\stXfQbW.exe
PID 2964 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\csPrnRv.exe
PID 2964 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\csPrnRv.exe
PID 2964 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WdZPgLu.exe
PID 2964 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe C:\Windows\System\WdZPgLu.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_99013db6f273c39df318ad99b26ae7e2_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\TVVkuZG.exe

C:\Windows\System\TVVkuZG.exe

C:\Windows\System\xWIddhv.exe

C:\Windows\System\xWIddhv.exe

C:\Windows\System\QLCWpbM.exe

C:\Windows\System\QLCWpbM.exe

C:\Windows\System\KtHTgMa.exe

C:\Windows\System\KtHTgMa.exe

C:\Windows\System\PWLYtrI.exe

C:\Windows\System\PWLYtrI.exe

C:\Windows\System\BMQOGtb.exe

C:\Windows\System\BMQOGtb.exe

C:\Windows\System\aPgQeBR.exe

C:\Windows\System\aPgQeBR.exe

C:\Windows\System\wHnCrmt.exe

C:\Windows\System\wHnCrmt.exe

C:\Windows\System\OvTRkqO.exe

C:\Windows\System\OvTRkqO.exe

C:\Windows\System\CHXKUmM.exe

C:\Windows\System\CHXKUmM.exe

C:\Windows\System\eJgYiNB.exe

C:\Windows\System\eJgYiNB.exe

C:\Windows\System\rPVrzpw.exe

C:\Windows\System\rPVrzpw.exe

C:\Windows\System\UHncPDO.exe

C:\Windows\System\UHncPDO.exe

C:\Windows\System\rhooWSj.exe

C:\Windows\System\rhooWSj.exe

C:\Windows\System\HJgJCdS.exe

C:\Windows\System\HJgJCdS.exe

C:\Windows\System\wrKDSEv.exe

C:\Windows\System\wrKDSEv.exe

C:\Windows\System\cfHqfOK.exe

C:\Windows\System\cfHqfOK.exe

C:\Windows\System\pmYHerU.exe

C:\Windows\System\pmYHerU.exe

C:\Windows\System\stXfQbW.exe

C:\Windows\System\stXfQbW.exe

C:\Windows\System\csPrnRv.exe

C:\Windows\System\csPrnRv.exe

C:\Windows\System\WdZPgLu.exe

C:\Windows\System\WdZPgLu.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2964-0-0x00007FF794440000-0x00007FF794794000-memory.dmp

memory/2964-1-0x00000277A1210000-0x00000277A1220000-memory.dmp

C:\Windows\System\TVVkuZG.exe

MD5 ee3645ea2fbadc8592f5a33ea3f21c74
SHA1 8dfeb53a4d3a9a3fcadbbf14a2aba3a825d5f825
SHA256 302cb1415313bcad11b49aca0eec63d187ab87c3f268bf359c07d2c05b975e9f
SHA512 b8452cf078c9ed11cf0adbaf553c0bdb8c0454cfa9ca20967e5adac9ae791492bd14bfba9c487a8802340bcdd082c4225596e2663edc7f6314d8023be44a601a

memory/2824-8-0x00007FF69FDC0000-0x00007FF6A0114000-memory.dmp

C:\Windows\System\xWIddhv.exe

MD5 a06e97fbc136838d39fe3bec045bcb89
SHA1 0c80a8c38cc79bb48d2069efabac7c3317788538
SHA256 24a8fb66a7ac6b16bb4b265e77082a15cf2854a356019596c61d18c7a5656f56
SHA512 4d5dc9efb4b313dc53e89655c0ad9eb81f9d461cbef68f1633be665348ab64b60a8532d42a9dac4e81d10bb796df2045fe21981adf1c4f9707d94850082996d8

C:\Windows\System\QLCWpbM.exe

MD5 8cd5aefb413ce8ff1cf6cb75fe6871ad
SHA1 f35658535d8d3f1c2b3a9c593004a17d092f9cad
SHA256 e424fcb3139f88a68591988bb70b1f7873efda97d3876baccc0ba636687b1c0c
SHA512 524ef3710bff14b8360c7454b2938f91c12ee4bf02702a3ac8213330e3080bd467ef2aa01dfe9fb7060246b84825a596f76fe08651365839a66cbe120ed8e07d

memory/1452-20-0x00007FF603800000-0x00007FF603B54000-memory.dmp

memory/2756-14-0x00007FF61A930000-0x00007FF61AC84000-memory.dmp

C:\Windows\System\KtHTgMa.exe

MD5 600af8de23e448e23beed8e7b28e4f5a
SHA1 699e39acd3642c82211048ed200b364d18092451
SHA256 ccd6f0ff0413f839140c2b329e3bbab429a8fc0ff6ea7a644243e2b619813436
SHA512 b55ebdde2a1526676681bb85137338eeb642f69a571ae2de8904a072498edf83d03af8811410abb67099ca2fa4559525af88c4f3d3a6d86231fe7f038c578551

C:\Windows\System\BMQOGtb.exe

MD5 586f65445160a0cb8d9ed8433b218a4d
SHA1 2f96689c3b8030cecb35105688f4ce6104bffb07
SHA256 544fe9970956e55be0dad96ba100bd6cd5c7c5e5c3a5769a74076d1e038b588c
SHA512 4ba417bdc3e8ab42e2fb2516471152f91d8c6e8ff070e12ab354786a8a10e3ec87f4ba81a04da38fc4ad6b20062ef638f5e4cc332643cd53dc45b822244d4878

C:\Windows\System\PWLYtrI.exe

MD5 e0fd3afa2be58df3c59a55597c753c85
SHA1 b222320a8cd053400fd41d0284a4b3ee3bde5ed3
SHA256 a45cb5ce61abc4022fdff784ec1da96ccf709114c986fde8f71fd852ed6caf0f
SHA512 496374e0570e6b8e0b96c5c880b2b0654aa15acd8c4b27c8728b981bd12a0d81f04fb092da4190cfa731c3684bec1c66c1d2445b4e6a4f3a3664a389dca4f39c

C:\Windows\System\aPgQeBR.exe

MD5 2e3404349867ab72a58d8d00ec81b9f2
SHA1 c3951041617d4015c0257ab6cc7768f4431264a4
SHA256 6b6dc756d0e610045626a3ad3b5df745678253c760766a51474ecca88335f2bd
SHA512 7656aaef87baf48d7cbc6a38ac7c38681824626a2d5dcf645a1cd99db1938c07c78a0ef5e8805ded30f10b6acb08c0447891ede5645193ba69d06cd480c7d637

C:\Windows\System\wHnCrmt.exe

MD5 0f16933097b5f352831d359fe0897524
SHA1 20d8c4e7144806b7478e534ef2d31fba870275f3
SHA256 f85237aec8f23d1cf58357ba85201bf2c89a32de31a86d87c22e5fafc0b785c1
SHA512 26e89fb719b03fedbc097cc8fa070c097d9026e7ee3578348acdfd664f25cbebe118d02c2e241ab37cd88790f7661023867fd60fca1852ab2e604f025a6291ea

memory/4260-46-0x00007FF7F88F0000-0x00007FF7F8C44000-memory.dmp

memory/4320-45-0x00007FF7C7FD0000-0x00007FF7C8324000-memory.dmp

memory/3628-37-0x00007FF7C23B0000-0x00007FF7C2704000-memory.dmp

memory/1276-36-0x00007FF76C110000-0x00007FF76C464000-memory.dmp

memory/2008-28-0x00007FF6B97A0000-0x00007FF6B9AF4000-memory.dmp

C:\Windows\System\OvTRkqO.exe

MD5 d97dbdd8779ab999e33ecb2a106e80a2
SHA1 6c68e490ccd36d25a2760c715df9cfa6054c766a
SHA256 2bca3eb3a55aec744ebf2d8f42e496549dda9e15d46a787999253abc1c87cb53
SHA512 44fee7cc9832ae732e3dbf32114c8fbf54d3c34043c01bb9b7bf7f4250b3b088b5ce0211f6ea1ec31041316c0ee2ea8fd7dbfae1c5c1ef8f436d133a606009e3

memory/748-56-0x00007FF632C40000-0x00007FF632F94000-memory.dmp

C:\Windows\System\CHXKUmM.exe

MD5 d76f3faf242e2cd3bcd0d3a0ec82ed78
SHA1 129d36b955ed65dc65a93d241d4d9de37ba0cba5
SHA256 c96a9001a800d84470199e2fda6e83d5a9f10749f1e09df2954434c2ebee7ecb
SHA512 603073a9006b3dc00512d5399efd2e452a0f2bcaf32d7c0b3c563607106d6347cb165325b41e612d2c632f4263e188f8ff3babee7b48e57c9c30f76a65349d04

memory/3428-64-0x00007FF6863B0000-0x00007FF686704000-memory.dmp

C:\Windows\System\rPVrzpw.exe

MD5 b0753df69c48ed39e508932d09baf40a
SHA1 bb4c53e25cc4034dd8a68692ff1b23cd39d597da
SHA256 d2b0c0c8c1c3f5cb3b08c0085d4fb3a22ea3ecbf3a7c8ec881d1fc8e45631511
SHA512 7c1ee4ef8a08e71e35d200c7db64fe277234a1aa9212171d24967d09277fbeca566edc7b293bfafe49a6f9e5779f6ac8af7cde67254178fadc2217abf0a4a1d9

C:\Windows\System\HJgJCdS.exe

MD5 23423b972960c58941086f19d0107472
SHA1 9e5cd88f1c41a1a1be42e8934902b9522848f4db
SHA256 ff1f715684f478eae4d996f9b31bd6b85e555a59b33ac35e3535fbf7b1d49bce
SHA512 f88f42751abd2deff4f4d9fce5e411135872ac1b9e732f108e59f24d04a0dbbab7afaa727decca127a97890d8c3ca6e6f535fb7dc48384191d450c2b1caba2cc

memory/816-92-0x00007FF7A2350000-0x00007FF7A26A4000-memory.dmp

C:\Windows\System\wrKDSEv.exe

MD5 0ace70819d694b080ca106d6765eca1b
SHA1 d21c6645af5e4b6427604329b5b3018752dfd653
SHA256 50faeb1187b1306289498270c0863929b989232213ae1060124ceb18260b9f19
SHA512 63bb1e8c10ee1ecf938ef5de4d14608e37f85343755e360c98ab88fe422c8d7df4ae9be98e2c7dfece5bdcf015c3e18118ab9461ae34b301a3d073fbcd4bf820

memory/4880-96-0x00007FF7A0060000-0x00007FF7A03B4000-memory.dmp

memory/4788-98-0x00007FF6B8680000-0x00007FF6B89D4000-memory.dmp

C:\Windows\System\cfHqfOK.exe

MD5 ba250b39501d248d7a192786cc12092b
SHA1 60b7ea9e964b8be636a9c6487fcdbc2340c95932
SHA256 1ae7c533e6ba583a2f420cb0cb2b2c70903840ea573097eb076ae7a4b66ec15d
SHA512 07777c901392d877f718c5a40929e6c372aee31f98299defe596c838cc93c8551bf0d705985d69d642bd6dccffaa4e99ec106ccd8e16e2711b0f386d85249bf3

C:\Windows\System\pmYHerU.exe

MD5 a7358e72b61cad0ad39a400310a9f119
SHA1 37859077fe043b6c6ae2c1840bb0a6d3eabbe8dd
SHA256 b04a3adcddd8c74fba65e3714a343516a2ec9e08cb69cb752a6318673158dc47
SHA512 ae870d05b314f7320826dc9d9f422a47834dc93138c5f30a28764fc0cc54a0d1054b9f6a3c67dfa9719c1d0b716356f80fa6ea5e5a14672ea578a4a0cf6d74b5

C:\Windows\System\csPrnRv.exe

MD5 dd1858fee6c441ed735f7f7cb2415bd0
SHA1 bbedec33e603087ea0e0871f6a8c1f9cdb703b40
SHA256 19a24adf93f8866dcac48f13db11f5aa6c018c2388f371fe47a03be91fe0a57a
SHA512 e8d7e480f0e0b44a9625a0effd182cd5e091243b84168de8aad189af4446e74c85746c592907106305e8c682e2d16a9264f8e7090c22c39449082bdf2642aafb

memory/4392-126-0x00007FF602470000-0x00007FF6027C4000-memory.dmp

memory/2384-131-0x00007FF7D8790000-0x00007FF7D8AE4000-memory.dmp

C:\Windows\System\WdZPgLu.exe

MD5 5fb234d2e7c4507e7f5693d783f73c62
SHA1 eebc16cb5e1cfe13ee0507c1cd019baa9b37ada6
SHA256 b7d4a45a5e3ad4c997da9fddb52d2e3a81cbd44a2eb651d6d4b86aaeeb4333ac
SHA512 32aca68220987e60fd3b8ff0200a7815a24d7930cd9e979660e408c14be2f42d7d51adba797e29c2a559a0f12b65ea5a3ff05b65e16bcd69c3f68f7c84eb82ba

memory/3628-128-0x00007FF7C23B0000-0x00007FF7C2704000-memory.dmp

memory/1276-127-0x00007FF76C110000-0x00007FF76C464000-memory.dmp

memory/3904-125-0x00007FF7FB710000-0x00007FF7FBA64000-memory.dmp

C:\Windows\System\stXfQbW.exe

MD5 5824fc09be8c1efe981db6e1d99d7954
SHA1 3bc4e6b10c32bde9b54008589e81635435918886
SHA256 8e1b88375b9e239e83e01263eb7ad093efa2cca130608745fbf7ed6544126baa
SHA512 8e933a973dd87873fcc3075d42dfb0d83b2d6ac751afa430d51f10c1bf973356317ddd0445fa9c0218be7b9ac0a2b56cc244a3841ca90143b227817244d111a0

memory/3764-119-0x00007FF77E880000-0x00007FF77EBD4000-memory.dmp

memory/4608-106-0x00007FF704060000-0x00007FF7043B4000-memory.dmp

memory/1388-93-0x00007FF7D1500000-0x00007FF7D1854000-memory.dmp

memory/2824-86-0x00007FF69FDC0000-0x00007FF6A0114000-memory.dmp

C:\Windows\System\rhooWSj.exe

MD5 2fd6f0f3afb8d9009ececa840516abc4
SHA1 40b8a6cf13e7081a1b938b84b7d844fd88502e52
SHA256 3cc1e28bdc0f2c1071a090d5f8fdd51b32f0b6fde4fbed51592025393c033469
SHA512 c9b00141bfbb18e58338b699662aa4592466c6ae831836665c91ccecb1a5da28f97de87938f61ed008c7becf815fb0a274192054ea24ceb9c9442958ad384b1d

C:\Windows\System\UHncPDO.exe

MD5 26c572002fe4c0fd41013f2699a484b3
SHA1 dc0ea8211e1480200f64aefca53acc6804528269
SHA256 b627d6ea67f87488879f456dce35c0b3e52aa4cbb5fd32df77848c4e0dd325d4
SHA512 520cafe4a05365de3cb650a9cc62eafade26828506e1b2acd77dfb1a292b82c795c749ff35b664aa50b0ce297817a3be7b6273674c7a3bdb0f772d318e7d69fb

memory/216-75-0x00007FF7A7B50000-0x00007FF7A7EA4000-memory.dmp

memory/2964-74-0x00007FF794440000-0x00007FF794794000-memory.dmp

memory/1404-71-0x00007FF6A5D70000-0x00007FF6A60C4000-memory.dmp

C:\Windows\System\eJgYiNB.exe

MD5 5c5a14864b9d4b46206609cfd2728527
SHA1 603ab2d8298f1281f671d07fe63b48cc1b4c8ed1
SHA256 6c4a128d50c84dde5224dc04dd9ee3d8cec8abc76ceb4b2d97a5f49eaebbd2c5
SHA512 176111c9ef4f79c44a7be7b68e39673578c9ad69e3ad27671ef4fa02a0230e0826dddf0b8a7cfd2b315fc2b871d862401cb4c0bcab297ceac731cb078d6ed91b

memory/4320-132-0x00007FF7C7FD0000-0x00007FF7C8324000-memory.dmp

memory/4260-133-0x00007FF7F88F0000-0x00007FF7F8C44000-memory.dmp

memory/216-134-0x00007FF7A7B50000-0x00007FF7A7EA4000-memory.dmp

memory/4788-135-0x00007FF6B8680000-0x00007FF6B89D4000-memory.dmp

memory/4608-136-0x00007FF704060000-0x00007FF7043B4000-memory.dmp

memory/3904-137-0x00007FF7FB710000-0x00007FF7FBA64000-memory.dmp

memory/2384-138-0x00007FF7D8790000-0x00007FF7D8AE4000-memory.dmp

memory/2824-139-0x00007FF69FDC0000-0x00007FF6A0114000-memory.dmp

memory/2756-140-0x00007FF61A930000-0x00007FF61AC84000-memory.dmp

memory/1452-141-0x00007FF603800000-0x00007FF603B54000-memory.dmp

memory/2008-142-0x00007FF6B97A0000-0x00007FF6B9AF4000-memory.dmp

memory/1276-143-0x00007FF76C110000-0x00007FF76C464000-memory.dmp

memory/3628-144-0x00007FF7C23B0000-0x00007FF7C2704000-memory.dmp

memory/4320-145-0x00007FF7C7FD0000-0x00007FF7C8324000-memory.dmp

memory/4260-146-0x00007FF7F88F0000-0x00007FF7F8C44000-memory.dmp

memory/748-147-0x00007FF632C40000-0x00007FF632F94000-memory.dmp

memory/3428-148-0x00007FF6863B0000-0x00007FF686704000-memory.dmp

memory/1404-149-0x00007FF6A5D70000-0x00007FF6A60C4000-memory.dmp

memory/216-150-0x00007FF7A7B50000-0x00007FF7A7EA4000-memory.dmp

memory/1388-151-0x00007FF7D1500000-0x00007FF7D1854000-memory.dmp

memory/816-152-0x00007FF7A2350000-0x00007FF7A26A4000-memory.dmp

memory/4880-153-0x00007FF7A0060000-0x00007FF7A03B4000-memory.dmp

memory/3764-155-0x00007FF77E880000-0x00007FF77EBD4000-memory.dmp

memory/4788-154-0x00007FF6B8680000-0x00007FF6B89D4000-memory.dmp

memory/4608-156-0x00007FF704060000-0x00007FF7043B4000-memory.dmp

memory/3904-157-0x00007FF7FB710000-0x00007FF7FBA64000-memory.dmp

memory/2384-159-0x00007FF7D8790000-0x00007FF7D8AE4000-memory.dmp

memory/4392-158-0x00007FF602470000-0x00007FF6027C4000-memory.dmp