Malware Analysis Report

2024-10-16 03:05

Sample ID 240609-wkavfsdh59
Target 2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike
SHA256 decba63529a0136329c056891ce393eeda36f8762b67a52c41d4f161d2f7622f
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

decba63529a0136329c056891ce393eeda36f8762b67a52c41d4f161d2f7622f

Threat Level: Known bad

The file 2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Xmrig family

xmrig

XMRig Miner payload

Cobaltstrike family

cobaltstrike

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

UPX packed file

UPX dump on OEP (original entry point)

Unsigned PE

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 17:58

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 17:58

Reported

2024-06-09 18:01

Platform

win7-20240508-en

Max time kernel

138s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
22 rows, all fields N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
22 rows, all fields N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
56 rows, all fields N/A

XMRig Miner payload

miner
Description Indicator Process Target
60 rows, all fields N/A

Loads dropped DLL

Description Indicator Process Target
21 rows; Process is C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe in every row, Description, Indicator and Target are N/A

UPX packed file

upx
Description Indicator Process Target
58 rows, all fields N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\XnUXFiD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\udSaMLU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GOFqNKd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TaRCfQs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IFUuBwL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eOhUvzN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jnHITZm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\toYMnnB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QJcCJSf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KBaCzRc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fpXwZIm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QwmOEer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IcQNEeZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ttNTiqj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qKboJdI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BazUNzI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qooemgK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sUFVDxD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OVjePoD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RdyrQqy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZkzHBFe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Process is C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe and Indicator is N/A in every row; each child PID appears in three identical rows (x3).
PID 2428 wrote to memory of 2132 (x3) C:\Windows\System\XnUXFiD.exe
PID 2428 wrote to memory of 2936 (x3) C:\Windows\System\jnHITZm.exe
PID 2428 wrote to memory of 1516 (x3) C:\Windows\System\sUFVDxD.exe
PID 2428 wrote to memory of 2480 (x3) C:\Windows\System\OVjePoD.exe
PID 2428 wrote to memory of 2100 (x3) C:\Windows\System\QwmOEer.exe
PID 2428 wrote to memory of 3060 (x3) C:\Windows\System\toYMnnB.exe
PID 2428 wrote to memory of 2660 (x3) C:\Windows\System\RdyrQqy.exe
PID 2428 wrote to memory of 2716 (x3) C:\Windows\System\udSaMLU.exe
PID 2428 wrote to memory of 2708 (x3) C:\Windows\System\GOFqNKd.exe
PID 2428 wrote to memory of 2524 (x3) C:\Windows\System\QJcCJSf.exe
PID 2428 wrote to memory of 2764 (x3) C:\Windows\System\KBaCzRc.exe
PID 2428 wrote to memory of 2548 (x3) C:\Windows\System\fpXwZIm.exe
PID 2428 wrote to memory of 2952 (x3) C:\Windows\System\ZkzHBFe.exe
PID 2428 wrote to memory of 2960 (x3) C:\Windows\System\TaRCfQs.exe
PID 2428 wrote to memory of 2700 (x3) C:\Windows\System\IcQNEeZ.exe
PID 2428 wrote to memory of 2232 (x3) C:\Windows\System\ttNTiqj.exe
PID 2428 wrote to memory of 1988 (x3) C:\Windows\System\IFUuBwL.exe
PID 2428 wrote to memory of 2008 (x3) C:\Windows\System\qKboJdI.exe
PID 2428 wrote to memory of 1992 (x3) C:\Windows\System\BazUNzI.exe
PID 2428 wrote to memory of 1456 (x3) C:\Windows\System\eOhUvzN.exe
PID 2428 wrote to memory of 2492 (x3) C:\Windows\System\qooemgK.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\XnUXFiD.exe

C:\Windows\System\XnUXFiD.exe

C:\Windows\System\jnHITZm.exe

C:\Windows\System\jnHITZm.exe

C:\Windows\System\sUFVDxD.exe

C:\Windows\System\sUFVDxD.exe

C:\Windows\System\OVjePoD.exe

C:\Windows\System\OVjePoD.exe

C:\Windows\System\QwmOEer.exe

C:\Windows\System\QwmOEer.exe

C:\Windows\System\toYMnnB.exe

C:\Windows\System\toYMnnB.exe

C:\Windows\System\RdyrQqy.exe

C:\Windows\System\RdyrQqy.exe

C:\Windows\System\udSaMLU.exe

C:\Windows\System\udSaMLU.exe

C:\Windows\System\GOFqNKd.exe

C:\Windows\System\GOFqNKd.exe

C:\Windows\System\QJcCJSf.exe

C:\Windows\System\QJcCJSf.exe

C:\Windows\System\KBaCzRc.exe

C:\Windows\System\KBaCzRc.exe

C:\Windows\System\fpXwZIm.exe

C:\Windows\System\fpXwZIm.exe

C:\Windows\System\ZkzHBFe.exe

C:\Windows\System\ZkzHBFe.exe

C:\Windows\System\TaRCfQs.exe

C:\Windows\System\TaRCfQs.exe

C:\Windows\System\IcQNEeZ.exe

C:\Windows\System\IcQNEeZ.exe

C:\Windows\System\ttNTiqj.exe

C:\Windows\System\ttNTiqj.exe

C:\Windows\System\IFUuBwL.exe

C:\Windows\System\IFUuBwL.exe

C:\Windows\System\qKboJdI.exe

C:\Windows\System\qKboJdI.exe

C:\Windows\System\BazUNzI.exe

C:\Windows\System\BazUNzI.exe

C:\Windows\System\eOhUvzN.exe

C:\Windows\System\eOhUvzN.exe

C:\Windows\System\qooemgK.exe

C:\Windows\System\qooemgK.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp (6 identical rows)
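
The behaviours recorded above (twenty-one seven-letter executables written to C:\Windows\System and each started by the parent, SeLockMemoryPrivilege enabled by the parent, and repeated TCP connections to 3.120.209.58:8080 from the sandbox host) map onto telemetry that most Sysmon or EDR pipelines already collect. The Python below is an editor's example, not part of this report or of any sandbox, and runs the corresponding detection logic over a constructed event stream. The event dictionaries use invented field names (kind, image, path, enabled, dst, dport) rather than the Sysmon or Windows Security schema, the burst threshold and the SeLockMemoryPrivilege allowlist are assumptions, and the two benign events at the end are constructed to show what the rules deliberately ignore.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the rows in this report. Field names are
# a simplified invention for this example, not a real telemetry schema.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe"
CHILD = r"C:\Windows\System\XnUXFiD.exe"
EVENTS = [
    {"t": 10.0, "kind": "file_create", "pid": 2428, "image": PARENT, "path": r"C:\Windows\System\XnUXFiD.exe"},
    {"t": 10.4, "kind": "file_create", "pid": 2428, "image": PARENT, "path": r"C:\Windows\System\udSaMLU.exe"},
    {"t": 10.9, "kind": "file_create", "pid": 2428, "image": PARENT, "path": r"C:\Windows\System\GOFqNKd.exe"},
    {"t": 11.2, "kind": "file_create", "pid": 2428, "image": PARENT, "path": r"C:\Windows\System\TaRCfQs.exe"},
    {"t": 11.8, "kind": "file_create", "pid": 2428, "image": PARENT, "path": r"C:\Windows\System\IFUuBwL.exe"},
    {"t": 12.0, "kind": "process_create", "pid": 2132, "ppid": 2428, "image": CHILD, "parent_image": PARENT},
    {"t": 12.5, "kind": "privilege_adjust", "pid": 2428, "image": PARENT, "enabled": ["SeLockMemoryPrivilege"]},
    {"t": 13.0, "kind": "net_connect", "pid": 2132, "image": CHILD, "dst": "3.120.209.58", "dport": 8080, "proto": "tcp"},
    # Constructed benign noise: a servicing write into System32, and a database
    # engine that legitimately enables SeLockMemoryPrivilege for large pages.
    {"t": 14.0, "kind": "file_create", "pid": 900, "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "path": r"C:\Windows\System32\example.dll"},
    {"t": 15.0, "kind": "privilege_adjust", "pid": 1200,
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", "enabled": ["SeLockMemoryPrivilege"]},
]

# Exactly C:\Windows\System\<name>; System32 and SysWOW64 do not match.
WINDOWS_SYSTEM_DIR = re.compile(r"^c:\\windows\\system\\[^\\]+$", re.I)
# Seven alphabetic characters plus .exe, the naming scheme seen in this report.
RANDOM_EXE = re.compile(r"^[a-z]{7}\.exe$", re.I)
# Assumption: site-specific allowlist of images expected to hold SeLockMemoryPrivilege.
LOCKMEM_ALLOWLIST = {r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe"}
BURST_N, BURST_WINDOW = 5, 60.0   # assumed threshold: 5 random drops within 60 s


def is_random_drop(path):
    """True for a seven-letter .exe written directly under C:\\Windows\\System."""
    name = path.rsplit("\\", 1)[-1]
    return bool(WINDOWS_SYSTEM_DIR.match(path)) and bool(RANDOM_EXE.match(name))


def detect(events):
    """Return (rule, pid, detail) alerts for the four behaviours in this report."""
    alerts = []
    drops = defaultdict(list)   # pid -> timestamps of random drops
    fired = set()               # pids whose burst alert already fired
    for e in sorted(events, key=lambda ev: ev["t"]):
        kind = e["kind"]
        if kind == "file_create" and is_random_drop(e["path"]):
            drops[e["pid"]].append(e["t"])
            recent = [t for t in drops[e["pid"]] if e["t"] - t <= BURST_WINDOW]
            if len(recent) >= BURST_N and e["pid"] not in fired:
                fired.add(e["pid"])
                alerts.append(("burst_drop_windows_system", e["pid"], len(recent)))
        elif (kind == "process_create" and WINDOWS_SYSTEM_DIR.match(e["image"])
              and e["parent_image"].lower().startswith("c:\\users\\")):
            alerts.append(("exec_from_windows_system_user_parent", e["pid"], e["image"]))
        elif (kind == "privilege_adjust" and "SeLockMemoryPrivilege" in e["enabled"]
              and e["image"].lower() not in LOCKMEM_ALLOWLIST):
            alerts.append(("selockmemory_unexpected_image", e["pid"], e["image"]))
        elif kind == "net_connect" and WINDOWS_SYSTEM_DIR.match(e["image"]):
            alerts.append(("net_from_windows_system", e["pid"], f'{e["dst"]}:{e["dport"]}/{e["proto"]}'))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

SeLockMemoryPrivilege is what a miner needs for large pages, but database engines enable it for the same reason, so the rule keys on the requesting image rather than on the privilege alone. The burst rule counts only seven-letter .exe names directly under C:\Windows\System, which is the scheme in this report; loosen RANDOM_EXE if the location matters more to you than the naming pattern, since C:\Windows\System is rarely written to by anything other than servicing.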

Files

memory/2428-0-0x000000013F060000-0x000000013F3B4000-memory.dmp

memory/2428-1-0x0000000000080000-0x0000000000090000-memory.dmp

C:\Windows\system\XnUXFiD.exe

MD5 cdb9b4d2b6af453f225e2e944a469dcb
SHA1 cff41a4eb97206cf69cbd695787d82d0b85e177c
SHA256 b66b99d5a9a3f8b1c4ff09ac1b767b25f61ea94cca6e123e4ec17db62a28d042
SHA512 6440c499c31fc6f4c55ee6f33e576cc2d45968e8e815990e9fda768bfada5f885a869d0a73c01f9789a032aef1ad625fd958dbb800d988a88f92daa949538d92

\Windows\system\jnHITZm.exe

MD5 5a188ae5f4bb3df4e133d6783fe6276f
SHA1 e0c68901873b6cfeb47519135ef6659e9b549909
SHA256 44c5f67bf4b17a787dd47ea2e71171fa9788409279072eed335e5f3eb8dacc17
SHA512 c4eeda9d80dce3ecb7a95bbfdd578f80ef6f86dab57aa16f69c0e375e8e7c2373381216365c2d4bb386fc2b1a7586c1428a69ce5aa21e08c33ad372d2a97ea72

memory/2428-11-0x0000000002260000-0x00000000025B4000-memory.dmp

memory/2132-13-0x000000013F260000-0x000000013F5B4000-memory.dmp

C:\Windows\system\OVjePoD.exe

MD5 e70a95cf45fd60d5c8cbc34da2954885
SHA1 b6384d36692e2f3944469c6cff40201abe5dcd9b
SHA256 71d3a1df4e92fb708039200c946527d6ab19e1bf66ba947a16e1a03f45f78f07
SHA512 0624e26a4be7e4a84f4f99149fea7bc779ef65b1ec08e39bb7298c1e6edf6ae396ecc715130cc9653a0a94604eb2ec2eb86c9c80306c0a38613c196291105c43

C:\Windows\system\QwmOEer.exe

MD5 73672f99601a3b961fe65100f79c3e6e
SHA1 6364d4fea46ac01c4024bb689ab29299ccf66473
SHA256 748f52d18103231846873a9f2a0f8f813cc14d374d243618a971d345cebaadb7
SHA512 3dae9afb79812f3efc9e59fee914b7b1fd6e5850c5a983060bae1ab18e205cfd632c7a5294777945c64c1023de779b481886961b95ec44ad3563323297fbc6b3

memory/2480-35-0x000000013F7C0000-0x000000013FB14000-memory.dmp

\Windows\system\udSaMLU.exe

MD5 60c40f24cb2f5e70091c29c0b497f985
SHA1 d2f3ce6fa48fe15957e9b4aa89d2f6d80116e855
SHA256 f32a81526043c00edda44dae800aa3d921668b93bd72b64823e010de1824cf25
SHA512 a723d7726a6a40cb484d9cb4db858ba303fab0a214169b6718bf502d45b448a3a8ba258ed2a181a82940d9f85a110a6e5fecaa94c649463b591c87cf283c73cd

memory/2100-44-0x000000013FC30000-0x000000013FF84000-memory.dmp

C:\Windows\system\udSaMLU.exe

MD5 18247d7880140b18ecd39ee1adfc731b
SHA1 a157eaa9dd320bef6dfdb40a50d13608394c09ca
SHA256 652d7057f0ddb4d1a2f5d0f36605fc024f3683e540781cf247d44de8bd9de6cf
SHA512 86e803ee8318313ac7802d21e9ddf99485d8242e09c937616b13b7f0891cbb086eda558be30105ad71b938275dcac935eb0d6bca4b99ccf49510a012cfc00f29

memory/2716-55-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/1516-56-0x000000013F3F0000-0x000000013F744000-memory.dmp

memory/2428-57-0x000000013FC30000-0x000000013FF84000-memory.dmp

\Windows\system\RdyrQqy.exe

MD5 3841d3131bdc70a1cf74942213460680
SHA1 e066ede4ce1cfdb2ea8111ae73f718eb8b157bd9
SHA256 b4d269eec56539100336c47edcf07ade25ee028ddd2f468b5ccafc2495eaa0a4
SHA512 77b6c9843e542c6ef34515300b738e90e6b505a929acee13a482482161e043ddee1028dddba920c8c9ca07a42160a603ae89b3ec75270ab6e028949695a5b7fe

C:\Windows\system\RdyrQqy.exe

MD5 71d538eb8d5f32334be0c3f28761127f
SHA1 8c4fb67098d51ec7175bb77ec5b24a17ac5bc862
SHA256 392c96347bd1703f0196deaaf542f53bf39d38a881c1aa574974c7703b72f7a4
SHA512 479856522a366a460c431d4a5843787145b1fea0ecf82e26b79d01626087c4d8ef033cef844b1d1bc2c723695cd61ca2a4dd030110e6a423cffb9326134c4b1e

memory/2660-65-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2708-66-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/3060-49-0x000000013FFD0000-0x0000000140324000-memory.dmp

C:\Windows\system\GOFqNKd.exe

MD5 4fcf4934143db424ccf986d18e167d5d
SHA1 03a0e4fdcc1460a1f12f29f988492a7c15140132
SHA256 60a159c7bc3bffc2cccbaccf3ed9bc9500137a62789800dd5d5fd77beea5969f
SHA512 e943c2bc8d866d99478b93b35901a35f4a933783e40f14815239ff1a00daf2c8d0f577628ad1d7960e693080a67e74658a86bdefc6a7b6072dade7f4ae16a25c

memory/2524-63-0x000000013F440000-0x000000013F794000-memory.dmp

C:\Windows\system\fpXwZIm.exe

MD5 ec7b50fc6706ca48adc68513d369b392
SHA1 d395ba9c60749fdac4e7a0705ecd1827b7e65264
SHA256 caf26093059014458f8b5f07d90100537481c36ba957bcd6e10e4e82788bccb4
SHA512 209e384efb0f4fb596078b19b882191ebc7520f6b81e090c2a8b261414a670e2f40c8add6c00686f3d66a1c50dc41c085389bcae97345e27c446b2d965ab0499

memory/2548-77-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2428-76-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2428-87-0x000000013F060000-0x000000013F3B4000-memory.dmp

C:\Windows\system\TaRCfQs.exe

MD5 a1a74511bab4d3b13c630d0344d753d2
SHA1 6f04d808868a80d5a239e45c1c29e630be50e351
SHA256 6842cdd6f6ba56bb73b813d414392d41f9b3ca807b0a6f5357959edc28b7e997

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 17:58

Reported

2024-06-09 18:00

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\EFfKAJj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nXtHFJN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HVHOYEx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZdbVEjk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pkiEtYA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HeGItKS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gNiNOyP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FlgnTcB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BCOsxWh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VnvhMZR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iRJWlpo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gtJnKiC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kQBEPxz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vlWzEGC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sPbqidl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dubLnmC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wclZURQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PZUjVRx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BNnsIMp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cYMiDGM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tVIjQlO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1532 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\HVHOYEx.exe
PID 1532 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\HVHOYEx.exe
PID 1532 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\BNnsIMp.exe
PID 1532 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\BNnsIMp.exe
PID 1532 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\iRJWlpo.exe
PID 1532 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\iRJWlpo.exe
PID 1532 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\gNiNOyP.exe
PID 1532 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\gNiNOyP.exe
PID 1532 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\gtJnKiC.exe
PID 1532 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\gtJnKiC.exe
PID 1532 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZdbVEjk.exe
PID 1532 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZdbVEjk.exe
PID 1532 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\cYMiDGM.exe
PID 1532 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\cYMiDGM.exe
PID 1532 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\FlgnTcB.exe
PID 1532 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\FlgnTcB.exe
PID 1532 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\EFfKAJj.exe
PID 1532 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\EFfKAJj.exe
PID 1532 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\kQBEPxz.exe
PID 1532 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\kQBEPxz.exe
PID 1532 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vlWzEGC.exe
PID 1532 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\vlWzEGC.exe
PID 1532 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\nXtHFJN.exe
PID 1532 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\nXtHFJN.exe
PID 1532 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\BCOsxWh.exe
PID 1532 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\BCOsxWh.exe
PID 1532 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\pkiEtYA.exe
PID 1532 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\pkiEtYA.exe
PID 1532 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\VnvhMZR.exe
PID 1532 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\VnvhMZR.exe
PID 1532 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\sPbqidl.exe
PID 1532 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\sPbqidl.exe
PID 1532 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\dubLnmC.exe
PID 1532 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\dubLnmC.exe
PID 1532 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\wclZURQ.exe
PID 1532 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\wclZURQ.exe
PID 1532 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\HeGItKS.exe
PID 1532 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\HeGItKS.exe
PID 1532 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\PZUjVRx.exe
PID 1532 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\PZUjVRx.exe
PID 1532 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\tVIjQlO.exe
PID 1532 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe C:\Windows\System\tVIjQlO.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_d0f94366a44c8c0b253405c33b7d1ba9_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\HVHOYEx.exe

C:\Windows\System\HVHOYEx.exe

C:\Windows\System\BNnsIMp.exe

C:\Windows\System\BNnsIMp.exe

C:\Windows\System\iRJWlpo.exe

C:\Windows\System\iRJWlpo.exe

C:\Windows\System\gNiNOyP.exe

C:\Windows\System\gNiNOyP.exe

C:\Windows\System\gtJnKiC.exe

C:\Windows\System\gtJnKiC.exe

C:\Windows\System\ZdbVEjk.exe

C:\Windows\System\ZdbVEjk.exe

C:\Windows\System\cYMiDGM.exe

C:\Windows\System\cYMiDGM.exe

C:\Windows\System\FlgnTcB.exe

C:\Windows\System\FlgnTcB.exe

C:\Windows\System\EFfKAJj.exe

C:\Windows\System\EFfKAJj.exe

C:\Windows\System\kQBEPxz.exe

C:\Windows\System\kQBEPxz.exe

C:\Windows\System\vlWzEGC.exe

C:\Windows\System\vlWzEGC.exe

C:\Windows\System\nXtHFJN.exe

C:\Windows\System\nXtHFJN.exe

C:\Windows\System\BCOsxWh.exe

C:\Windows\System\BCOsxWh.exe

C:\Windows\System\pkiEtYA.exe

C:\Windows\System\pkiEtYA.exe

C:\Windows\System\VnvhMZR.exe

C:\Windows\System\VnvhMZR.exe

C:\Windows\System\sPbqidl.exe

C:\Windows\System\sPbqidl.exe

C:\Windows\System\dubLnmC.exe

C:\Windows\System\dubLnmC.exe

C:\Windows\System\wclZURQ.exe

C:\Windows\System\wclZURQ.exe

C:\Windows\System\HeGItKS.exe

C:\Windows\System\HeGItKS.exe

C:\Windows\System\PZUjVRx.exe

C:\Windows\System\PZUjVRx.exe

C:\Windows\System\tVIjQlO.exe

C:\Windows\System\tVIjQlO.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files
