Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-gd1d7sde37
Target 2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike
SHA256 c0f7a107794476afd64e4f9999299f0d8b747fb2a8090b6d914fbb66468bcf64
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c0f7a107794476afd64e4f9999299f0d8b747fb2a8090b6d914fbb66468bcf64

Threat Level: Known bad

The file 2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

XMRig Miner payload

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

xmrig

Cobaltstrike

Cobaltstrike family

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 05:42

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
1 match; no description, indicator, process or target recorded

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
1 match; no description, indicator, process or target recorded

UPX dump on OEP (original entry point)

Description Indicator Process Target
1 match; no description, indicator, process or target recorded

XMRig Miner payload

miner
Description Indicator Process Target
1 match; no description, indicator, process or target recorded

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
1 match; no description, indicator, process or target recorded

Unsigned PE

Description Indicator Process Target
1 match; no description, indicator, process or target recorded

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 05:42

Reported

2024-06-10 05:45

Platform

win7-20240508-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches; no description, indicator, process or target recorded for any of them

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches; no description, indicator, process or target recorded for any of them

UPX dump on OEP (original entry point)

Description Indicator Process Target
55 matches; no description, indicator, process or target recorded for any of them

XMRig Miner payload

miner
Description Indicator Process Target
56 matches; no description, indicator, process or target recorded for any of them

Loads dropped DLL

Description Indicator Process Target
21 matches, all with Process C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe; no description, indicator or target recorded

UPX packed file

upx
Description Indicator Process Target
55 matches; no description, indicator, process or target recorded for any of them

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\qtCkGFT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ofhjbxc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xzvpMEh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NDWFkdv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AYWETFM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rcuORUV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RAabGwG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VHCgQim.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BpeRmOQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GUrqGiH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kUNjVVC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sRzHWzx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\phluZHd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cLRpNXW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DarVDWZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DqnbQDP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ORZxVie.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KaaOuUd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uNHjTTy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HWrpaDa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wvbaixL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\qtCkGFT.exe
PID 1192 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\qtCkGFT.exe
PID 1192 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\qtCkGFT.exe
PID 1192 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\ORZxVie.exe
PID 1192 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\ORZxVie.exe
PID 1192 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\ORZxVie.exe
PID 1192 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\KaaOuUd.exe
PID 1192 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\KaaOuUd.exe
PID 1192 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\KaaOuUd.exe
PID 1192 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\RAabGwG.exe
PID 1192 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\RAabGwG.exe
PID 1192 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\RAabGwG.exe
PID 1192 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\phluZHd.exe
PID 1192 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\phluZHd.exe
PID 1192 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\phluZHd.exe
PID 1192 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\VHCgQim.exe
PID 1192 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\VHCgQim.exe
PID 1192 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\VHCgQim.exe
PID 1192 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\uNHjTTy.exe
PID 1192 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\uNHjTTy.exe
PID 1192 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\uNHjTTy.exe
PID 1192 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\cLRpNXW.exe
PID 1192 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\cLRpNXW.exe
PID 1192 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\cLRpNXW.exe
PID 1192 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\DarVDWZ.exe
PID 1192 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\DarVDWZ.exe
PID 1192 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\DarVDWZ.exe
PID 1192 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\ofhjbxc.exe
PID 1192 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\ofhjbxc.exe
PID 1192 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\ofhjbxc.exe
PID 1192 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\BpeRmOQ.exe
PID 1192 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\BpeRmOQ.exe
PID 1192 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\BpeRmOQ.exe
PID 1192 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\xzvpMEh.exe
PID 1192 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\xzvpMEh.exe
PID 1192 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\xzvpMEh.exe
PID 1192 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\HWrpaDa.exe
PID 1192 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\HWrpaDa.exe
PID 1192 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\HWrpaDa.exe
PID 1192 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\wvbaixL.exe
PID 1192 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\wvbaixL.exe
PID 1192 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\wvbaixL.exe
PID 1192 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\GUrqGiH.exe
PID 1192 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\GUrqGiH.exe
PID 1192 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\GUrqGiH.exe
PID 1192 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\NDWFkdv.exe
PID 1192 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\NDWFkdv.exe
PID 1192 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\NDWFkdv.exe
PID 1192 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\DqnbQDP.exe
PID 1192 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\DqnbQDP.exe
PID 1192 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\DqnbQDP.exe
PID 1192 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\AYWETFM.exe
PID 1192 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\AYWETFM.exe
PID 1192 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\AYWETFM.exe
PID 1192 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\kUNjVVC.exe
PID 1192 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\kUNjVVC.exe
PID 1192 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\kUNjVVC.exe
PID 1192 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\rcuORUV.exe
PID 1192 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\rcuORUV.exe
PID 1192 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\rcuORUV.exe
PID 1192 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\sRzHWzx.exe
PID 1192 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\sRzHWzx.exe
PID 1192 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\sRzHWzx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\qtCkGFT.exe

C:\Windows\System\qtCkGFT.exe

C:\Windows\System\ORZxVie.exe

C:\Windows\System\ORZxVie.exe

C:\Windows\System\KaaOuUd.exe

C:\Windows\System\KaaOuUd.exe

C:\Windows\System\RAabGwG.exe

C:\Windows\System\RAabGwG.exe

C:\Windows\System\phluZHd.exe

C:\Windows\System\phluZHd.exe

C:\Windows\System\VHCgQim.exe

C:\Windows\System\VHCgQim.exe

C:\Windows\System\uNHjTTy.exe

C:\Windows\System\uNHjTTy.exe

C:\Windows\System\cLRpNXW.exe

C:\Windows\System\cLRpNXW.exe

C:\Windows\System\DarVDWZ.exe

C:\Windows\System\DarVDWZ.exe

C:\Windows\System\ofhjbxc.exe

C:\Windows\System\ofhjbxc.exe

C:\Windows\System\BpeRmOQ.exe

C:\Windows\System\BpeRmOQ.exe

C:\Windows\System\xzvpMEh.exe

C:\Windows\System\xzvpMEh.exe

C:\Windows\System\HWrpaDa.exe

C:\Windows\System\HWrpaDa.exe

C:\Windows\System\wvbaixL.exe

C:\Windows\System\wvbaixL.exe

C:\Windows\System\GUrqGiH.exe

C:\Windows\System\GUrqGiH.exe

C:\Windows\System\NDWFkdv.exe

C:\Windows\System\NDWFkdv.exe

C:\Windows\System\DqnbQDP.exe

C:\Windows\System\DqnbQDP.exe

C:\Windows\System\AYWETFM.exe

C:\Windows\System\AYWETFM.exe

C:\Windows\System\kUNjVVC.exe

C:\Windows\System\kUNjVVC.exe

C:\Windows\System\rcuORUV.exe

C:\Windows\System\rcuORUV.exe

C:\Windows\System\sRzHWzx.exe

C:\Windows\System\sRzHWzx.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/1192-2-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/1192-0-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\qtCkGFT.exe

MD5 c98aa2fa499340c8ef2be4535656217a
SHA1 607118c48a3bacab88276975583723fa0d28319f
SHA256 8eb0960515cdb47f5680881e8a081e00bf041a02d6fa64c19b61b4747394fcde
SHA512 249d5c3c57aee0d5170668fe8be23031c13ae55c202abc693f5eef57435de1dda84998ba3d6ba30b86c0dd9a756f0091a4b9feb2cec1170b483a63850cb0ef59

memory/2872-8-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/1192-9-0x00000000023A0000-0x00000000026F4000-memory.dmp

C:\Windows\system\KaaOuUd.exe

MD5 0627e582cad3613b36750c660513eb5c
SHA1 39b51c5ae1b21501dec75a64d2aa8118c7dc8409
SHA256 e929a119adeff943a809f2805f90a82778bc59af88ffc110187d5b2815a73689
SHA512 cc1be97162188eb97fb07ec42b6fad6cb682529456554290bb5ea1f142684afe6234ddf0be789f1e4e12b85c18015d9f24a1f5e97a3162ce8024cf95ca03ede4

C:\Windows\system\ORZxVie.exe

MD5 55fa3cee9db19c9e3913ef69e4b1ed26
SHA1 137687ad99ad3e765b11c5009f431b24b1f852a6
SHA256 f77d101aa842143bf2f2babeb4b3f2d1494178525e8a5ef4c4f84505c2d38968
SHA512 80555d6f19b84c925d77639c6f6a709b15a3464ff944f15bac8515339912e1b6551a0270369b0ac8d1f2cc64f57f206a8603b019da856f4b91bcb5375134a94c

memory/2576-23-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/1192-22-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

C:\Windows\system\RAabGwG.exe

MD5 65b4888989ac4fd0e62f7e1be3a55c0d
SHA1 252f10b927235100182df4d2943117ea1c5c2842
SHA256 8c4e1e88b7d51374156961b973350543477d053c05cd51914a7c7cb6a07dadfe
SHA512 d905b849148fb845b0dc6fbaf89b2a3f5fca28f239ab7998c416ae1f83dd2bf49b8954da5d2ca7aef11d2688a1f1528617b84b063d2589d17157937d3a72d145

C:\Windows\system\phluZHd.exe

MD5 52ef8425890d780c6c2e4960c37e51c1
SHA1 e8d61a55ecb607324961c78392d30a34b452eb1a
SHA256 9c7c5a66887f54ce0861ce5b47cfc9cd50abe58bf6aee920a730116f59fb9edd
SHA512 38273d65fc5ed50ba8c82b44d15de8ecf94ab4bf5f08c23ad199f238c28b71a2dab3a706a0efa068caf540a8a1b86b0c21a71edf4e7e48208b9de20d0bf288de

memory/2628-37-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/1192-43-0x00000000023A0000-0x00000000026F4000-memory.dmp

C:\Windows\system\uNHjTTy.exe

MD5 7260dcbb683f3ba0f0e8ba54e993f4df
SHA1 9a945230f272babadc9d8c2efca9838da312a850
SHA256 5d952449453781745f756c5a898d12afb3cc6a1a462a9c35e5ba5b2aacbe88f9
SHA512 383d3559c502f3f5bb3888c23998b8bedeba3a7a12ff850f3b4ea6a400555b48065914ab63dc2cdc81b2bd2e6acdd8cf098f85921ca4643edac50a43192dc06c

memory/2504-51-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/1192-64-0x000000013FED0000-0x0000000140224000-memory.dmp

\Windows\system\BpeRmOQ.exe

MD5 3c3581179faeab449739dadb1cc832ce
SHA1 62673b2b0515e792677d08b9d66de2239263dddb
SHA256 fd80d1fa24c332fcf3506dfaa00e9768cb5f92f597ea3b7c9ff6629a4c5622d2
SHA512 74d4b69375a617499790085755765646ca00c9be6ce06bcb25efaecf7d680f79bdb3c57daecb66197188cfcba28458e4f5882f693df4a1f4d1310fa098e3a4d6

C:\Windows\system\ofhjbxc.exe

MD5 cc674c5e5ff64f94b6d6b3655f003da6
SHA1 6f20c081ecd79df9d035bc68b5b913c79dac9472
SHA256 9a4de7b16de63e60e8c001740fcc7ab4f66d2c42ad17e9024c545ab616935af2
SHA512 632d91471a8e7c7300ad8efec245089424af51ce20df681eebf6a9083008d3abcb5b1607b9d8572bc01b1071c2771d4140b2a04aed5650f3b13509a13e3fa247

memory/1192-88-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2328-95-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/1192-108-0x000000013FB50000-0x000000013FEA4000-memory.dmp

C:\Windows\system\DqnbQDP.exe

MD5 da2e1929c5ef3fba6e6c4eafaf239236
SHA1 0e464df5e073b969ffa316eb1f7ba6c05953975d
SHA256 311cc5fe11aece0b972a0629993172654c2fc4c25cbbe598535ccb205bd84404
SHA512 605569eddbd3b60b720127eb82421d697bff52724d7ddaadf4e9a0b8786bfb04765e2f0e354b29e5b245a959cea9682672a33ab8c8eb227e3236f914bb0e3114

C:\Windows\system\sRzHWzx.exe

MD5 d3b932dcc59603f789407c01382ad5e2
SHA1 9ab68a24fc9e3ca5ee0f19c6fc915c7c0809e83d
SHA256 348665d024e38965d9234f010c2d871647c1df9aee0669e81a069986fc31f7ff
SHA512 1fc5310701693317e60abef43bb78dd4ff3c9421ea8f5b45e2f80a83f5b846510e52f31b0a4acde9f437bfe357593db16e6cc225faa7516f201fdee7f9e1c73b

C:\Windows\system\rcuORUV.exe

MD5 792ebaf8b083792a667076f341db71dd
SHA1 e2871b6ca7ff79bd0eb7ffb09288314b2b75ba89
SHA256 2fae1590bb7d017f1025a832261429abd044a6ecb0c4541fb1df07b1f1648152
SHA512 edd6f489b73314a08b9bf146f208a577cbd83359318f0fb4c6cfa22998cecf13820593266b18a09f3f9921fb1f61ec1d1b20722c7e75b81087e3c83cf86f9d54

C:\Windows\system\kUNjVVC.exe

MD5 07dca5e6580575a8a6f1173643f6d9d9
SHA1 00de09251a772166be94a4097fa8526fa398ce5d
SHA256 86273869384c3b1ec6f1be70d12043ccb0950eb494dd696507b2cbd395e08254
SHA512 7ba3f6577363877e033d94bd01c1ff24183b7a881ae87cd4a4100df1a48642f684e86691a8403b349dacf164cb78a41408f87da1a725c7a7656a70490de66cd7

C:\Windows\system\AYWETFM.exe

MD5 ced1b628422f7aad25b2f66ee9adb33b
SHA1 37f6cc99f8cfb3c149894dc775ed002e6be76dae
SHA256 6847a36b3094b1b9a740eec908118582ef922e8a52ae7b6648cd6e0ecee6f807
SHA512 43e2b040439f1c234ef387d1442edf4573b8fe64fc455794010d296ab12828bcd1ee0b848fc3ad6a777d43bff8b9076d22d7f52b361e1e9dc1f51ccb79c76455

C:\Windows\system\NDWFkdv.exe

MD5 9f9b472e83a1d6c9bf7e3e7a356637d2
SHA1 e292d2e2b8a14395c0aa4f1c75d8d9ff75ab81ea
SHA256 272bd8bb326c359439974a02bdfa0910a17f8269e34e5d6c538ea0039a2e3429
SHA512 b0d0d6e3d6e52698e646af9362fae8c63d347092efd300d95f51e5bfcf7d6285e44ad4e80fb876e119b2c7730801869e7cf05807483e9c1e0264f27d0a6cd49d

C:\Windows\system\GUrqGiH.exe

MD5 e0b3e54336c5a4770bd9df5ec2b018fb
SHA1 ae9f8a23a3a8bdff3ea72426add901c88bea9ed7
SHA256 553b19cd5151a120f51d9c846368e49825b604150abe77585c33bf5781f8ffcf
SHA512 728e7e4ae869e0e55fe50f07b07059ad8e5d97ef02c08695c2818a43a79fdb9dca10007e6bc317f225bbc2aaf32aa215cb70593bbb70a752ab04b8e031a7f7be

memory/1772-100-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/1192-99-0x00000000023A0000-0x00000000026F4000-memory.dmp

C:\Windows\system\wvbaixL.exe

MD5 15ab84f567572f0e271e0849f4fbd92f
SHA1 03bbbda62fb459199fcf3bcb5c8a3e098fd6eae4
SHA256 b9f43f4f0d932b43047260a8deab1838f8df2536ec1836a5a66a8af6052fc00e
SHA512 39daf88c213050df778f6c49a1252ac129cd2217ea09be84cf9fc6bdebfd6c1f59b13f5884d6d422dd782bc86aa5a9838857338dbd1f3543166d3581d7866e54

C:\Windows\system\HWrpaDa.exe

MD5 91b46dd8a46a5d995819f1eb664c7db1
SHA1 94e8bbad810edf274ae879bf76a00bdc19a74424
SHA256 70954e926577f7124411644b244b71a208fdc9d4c05f2592303ee9d92002b11c
SHA512 3470da31e81eaa0fa333ad603992a5a2ea32e4e8006e81a25ab84e29b25ffd2bdc8076e8f40c4dd6c94414292bee0affbe56366eae44016dbf623f56e68a3680

memory/1192-90-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2900-89-0x000000013F300000-0x000000013F654000-memory.dmp

C:\Windows\system\xzvpMEh.exe

MD5 bd522959fc9a352329c759fc1b02d7e0
SHA1 0ca43329da019f8bb38196b7546bbf8f10c9871c
SHA256 08607ad05ef7206491066f9de1191e373259b6754c6a293fa94cba25135041e9
SHA512 3648ba55175cb9efe7fcbebd175c55339fb11f1a6f6e9e83a94003dcebaf1077d4307c959bbd84f48cd6278736b765172c607f60ca2f9cef8875493bad0fcd23

memory/2968-87-0x000000013F580000-0x000000013F8D4000-memory.dmp

memory/2512-80-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/1192-75-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2612-74-0x000000013F660000-0x000000013F9B4000-memory.dmp

memory/2312-73-0x000000013F7C0000-0x000000013FB14000-memory.dmp

memory/2872-67-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2520-65-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2744-58-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/1192-57-0x000000013F910000-0x000000013FC64000-memory.dmp

C:\Windows\system\cLRpNXW.exe

MD5 9cac380d5d100c3a5f89871eb2050174
SHA1 428c3637050a1233efe2d8bb05bb09a0cd8d08ce
SHA256 05b8a1767e8722057db908380243f6037ae84b422808a2d1f426b59de1dc92d2
SHA512 f806142df912404c1caa0176edaa4f5a127e05ace565fa2495ad1858001fdb97a0da9d61633b399e415f2eafb139d85f81a9b9ba0d085a1990e59c4d34a0ec3e

C:\Windows\system\DarVDWZ.exe

MD5 f2989c1a18f13a62cc11c12b66ab9acf
SHA1 69769d6fb17b9d9ca0e39ad5cd781d7a42d29d6d
SHA256 81f993db3ba3bf7a26e976124e3cddf6d85207595aeb6c55eaa9fd5dea7fe73f
SHA512 7255b78af8748559f3102976c24421b621808a2a42f1447ec1e00aad6271d19b74003575cf351dc61bf9cc1745726525bb2caf38a85c32d0166cdb210d296d42

memory/1192-50-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2832-44-0x000000013FF00000-0x0000000140254000-memory.dmp

C:\Windows\system\VHCgQim.exe

MD5 8466fd1c3a1b44ba2820909beba4ec89
SHA1 70b3af49b45176465acd55daa4c38109980d3310
SHA256 b9f93bb5852617df9f866dd3e43f349d4bfc8db478fd1c45e113f88200168b65
SHA512 4fded91a435a9668708a649bc444299750917172591891069793b42712249448ee40d81399716baa72977b86894c3996786e2870aa671983cb6898dd86715050

memory/1192-36-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2968-29-0x000000013F580000-0x000000013F8D4000-memory.dmp

memory/1192-28-0x000000013F580000-0x000000013F8D4000-memory.dmp

memory/2312-19-0x000000013F7C0000-0x000000013FB14000-memory.dmp

memory/1192-17-0x000000013F7C0000-0x000000013FB14000-memory.dmp

memory/1192-138-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/1192-139-0x000000013F300000-0x000000013F654000-memory.dmp

memory/1192-140-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/1772-141-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/1192-142-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2872-143-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2312-145-0x000000013F7C0000-0x000000013FB14000-memory.dmp

memory/2576-144-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2968-146-0x000000013F580000-0x000000013F8D4000-memory.dmp

memory/2628-147-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2832-148-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2504-149-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2744-150-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2520-151-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2612-152-0x000000013F660000-0x000000013F9B4000-memory.dmp

memory/2512-153-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2900-154-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2328-155-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/1772-156-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 05:42

Reported

2024-06-10 05:45

Platform

win10v2004-20240426-en

Max time kernel

137s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\jATxYRT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tSKtLeg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CTCtSZz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xZrgAmP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FAcoBxr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WaLJrEy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GUksFQa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ETHeeKW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FIapuog.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\teeQZgL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rIMuSYs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xKikjob.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AFyzcBF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YJKqZBK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YJhEodi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MrtSmYD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yVBEbea.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XZhUeQy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EyETLIH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NeIBuJM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WuFvLnb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the right needed to allocate large pages (VirtualAlloc with MEM_LARGE_PAGES). XMRig requests it so that its RandomX dataset can be backed by huge pages, so these two rows line up with the miner tags on this sample rather than with the Cobalt Strike ones. Outside database engines and similar memory-tuned services, an unsigned binary asking for this privilege is a useful hunting signal on its own.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4904 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\teeQZgL.exe
PID 4904 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\teeQZgL.exe
PID 4904 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\jATxYRT.exe
PID 4904 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\jATxYRT.exe
PID 4904 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\tSKtLeg.exe
PID 4904 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\tSKtLeg.exe
PID 4904 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\rIMuSYs.exe
PID 4904 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\rIMuSYs.exe
PID 4904 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\FIapuog.exe
PID 4904 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\FIapuog.exe
PID 4904 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\XZhUeQy.exe
PID 4904 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\XZhUeQy.exe
PID 4904 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\EyETLIH.exe
PID 4904 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\EyETLIH.exe
PID 4904 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\CTCtSZz.exe
PID 4904 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\CTCtSZz.exe
PID 4904 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\xKikjob.exe
PID 4904 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\xKikjob.exe
PID 4904 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\AFyzcBF.exe
PID 4904 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\AFyzcBF.exe
PID 4904 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\YJKqZBK.exe
PID 4904 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\YJKqZBK.exe
PID 4904 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\xZrgAmP.exe
PID 4904 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\xZrgAmP.exe
PID 4904 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\NeIBuJM.exe
PID 4904 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\NeIBuJM.exe
PID 4904 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\YJhEodi.exe
PID 4904 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\YJhEodi.exe
PID 4904 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\FAcoBxr.exe
PID 4904 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\FAcoBxr.exe
PID 4904 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\WaLJrEy.exe
PID 4904 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\WaLJrEy.exe
PID 4904 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\MrtSmYD.exe
PID 4904 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\MrtSmYD.exe
PID 4904 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\yVBEbea.exe
PID 4904 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\yVBEbea.exe
PID 4904 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\WuFvLnb.exe
PID 4904 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\WuFvLnb.exe
PID 4904 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\GUksFQa.exe
PID 4904 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\GUksFQa.exe
PID 4904 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\ETHeeKW.exe
PID 4904 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\ETHeeKW.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\teeQZgL.exe

C:\Windows\System\teeQZgL.exe

C:\Windows\System\jATxYRT.exe

C:\Windows\System\jATxYRT.exe

C:\Windows\System\tSKtLeg.exe

C:\Windows\System\tSKtLeg.exe

C:\Windows\System\rIMuSYs.exe

C:\Windows\System\rIMuSYs.exe

C:\Windows\System\FIapuog.exe

C:\Windows\System\FIapuog.exe

C:\Windows\System\XZhUeQy.exe

C:\Windows\System\XZhUeQy.exe

C:\Windows\System\EyETLIH.exe

C:\Windows\System\EyETLIH.exe

C:\Windows\System\CTCtSZz.exe

C:\Windows\System\CTCtSZz.exe

C:\Windows\System\xKikjob.exe

C:\Windows\System\xKikjob.exe

C:\Windows\System\AFyzcBF.exe

C:\Windows\System\AFyzcBF.exe

C:\Windows\System\YJKqZBK.exe

C:\Windows\System\YJKqZBK.exe

C:\Windows\System\xZrgAmP.exe

C:\Windows\System\xZrgAmP.exe

C:\Windows\System\NeIBuJM.exe

C:\Windows\System\NeIBuJM.exe

C:\Windows\System\YJhEodi.exe

C:\Windows\System\YJhEodi.exe

C:\Windows\System\FAcoBxr.exe

C:\Windows\System\FAcoBxr.exe

C:\Windows\System\WaLJrEy.exe

C:\Windows\System\WaLJrEy.exe

C:\Windows\System\MrtSmYD.exe

C:\Windows\System\MrtSmYD.exe

C:\Windows\System\yVBEbea.exe

C:\Windows\System\yVBEbea.exe

C:\Windows\System\WuFvLnb.exe

C:\Windows\System\WuFvLnb.exe

C:\Windows\System\GUksFQa.exe

C:\Windows\System\GUksFQa.exe

C:\Windows\System\ETHeeKW.exe

C:\Windows\System\ETHeeKW.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
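The WriteProcessMemory and Network tables above are flat text, so a triage analyst usually wants them back in structured form: which PIDs the sample wrote into, whether the targets follow the random seven-letter `C:\Windows\System\*.exe` naming seen in the Drops file rows, and which network peers were reached without any DNS lookup. The Python below is an added example written for this page, not part of the sandbox report or its tooling; it embeds a copied subset of the report's own rows as sample input, and the regexes assume the row layout shown above (`PID X wrote to memory of Y ...` and `CC ip:port [domain] proto`).

```python
import re
from collections import defaultdict

# Sample input: rows copied from the "Suspicious use of WriteProcessMemory" and
# "Network" tables of the behavioral2 run above (a subset, to keep the example
# short). Raw strings keep the Windows backslashes intact.
WPM_LINES = r"""
PID 4904 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\teeQZgL.exe
PID 4904 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\teeQZgL.exe
PID 4904 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\jATxYRT.exe
PID 4904 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\jATxYRT.exe
PID 4904 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\tSKtLeg.exe
PID 4904 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe C:\Windows\System\tSKtLeg.exe
""".strip().splitlines()

NETWORK_LINES = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
""".strip().splitlines()

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
NET_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
# Seven letters directly under C:\Windows\System. The behavioral1 file list
# spells the directory "system", so the match is case-insensitive.
SYSTEM_DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def process_tree(lines):
    """Map writer PID -> {target PID: target image}. Repeated rows collapse."""
    tree = defaultdict(dict)
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            writer, target, _writer_image, target_image = m.groups()
            tree[int(writer)][int(target)] = target_image
    return dict(tree)


def suspicious_drops(tree):
    """Target images that follow the random seven-letter System\\ naming."""
    return sorted(
        image
        for targets in tree.values()
        for image in targets.values()
        if SYSTEM_DROP_RE.match(image)
    )


def ptr_to_ip(name):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58' (PTR names reverse the octets)."""
    return ".".join(reversed(name.split(".")[:4]))


def summarize_network(lines):
    """Split the flat table into TCP peers, forward DNS names and PTR targets."""
    tcp_peers, forward, ptr_targets = set(), set(), set()
    for line in lines:
        m = NET_RE.match(line.strip())
        if not m:
            continue
        _country, ip, port, domain, proto = m.groups()
        if proto == "tcp":
            tcp_peers.add((ip, int(port)))
        elif domain and domain.endswith(".in-addr.arpa"):
            ptr_targets.add(ptr_to_ip(domain))
        elif domain:
            forward.add(domain)
    # The table records queries but not answers, so the check is coarse: if the
    # capture holds no forward lookup at all, every TCP peer was reached by an
    # address embedded in the sample. PTR lookups of addresses that were never
    # contacted say nothing about the peer, so they are reported separately.
    hardcoded = sorted(tcp_peers) if not forward else []
    return {
        "tcp_peers": sorted(f"{ip}:{port}" for ip, port in tcp_peers),
        "forward_lookups": sorted(forward),
        "ptr_targets": sorted(ptr_targets),
        "hardcoded_peers": [f"{ip}:{port}" for ip, port in hardcoded],
        "ptr_targets_contacted": sorted(ptr_targets & {ip for ip, _ in tcp_peers}),
    }


if __name__ == "__main__":
    tree = process_tree(WPM_LINES)
    print("PID 4904 wrote into:", sorted(tree[4904]))
    print("random System\\ drops:", suspicious_drops(tree))
    print(summarize_network(NETWORK_LINES))
```

Run over the full tables, this gives 21 distinct targets for writer PID 4904, every one of them matching the naming pattern, a single TCP peer 3.120.209.58:8080 contacted six times, and no forward DNS query at all. The udp rows are reverse (PTR) lookups for addresses the sample never connects to in this capture, so they do not identify the peer and should not be promoted to indicators; the hard-coded 3.120.209.58:8080 and the dropped-file naming are the parts worth hunting on.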

Files

memory/4904-0-0x00007FF7185E0000-0x00007FF718934000-memory.dmp

memory/4904-1-0x000001D981170000-0x000001D981180000-memory.dmp

C:\Windows\System\teeQZgL.exe

MD5 64f7f7d60341fa724fd8c37fd0fbb639
SHA1 af8dad5a181c0bc39b64a45f995b27b1877b50f4
SHA256 2ef81828a9c7f63efb274bf452bb23f478e95da2295dfc5c930974869ba82589
SHA512 090c9b9cd2689d1ab22dece0257a6f5dce73260e11cfa99217f5a5806b79033535bec9617937710d29a1516bd16b5367ea92143679bbdab53f3e0fc5a5787acf

memory/4420-8-0x00007FF6FEF70000-0x00007FF6FF2C4000-memory.dmp

C:\Windows\System\jATxYRT.exe

MD5 5f215b05b3ed868c5974b3faef81b0fe
SHA1 10b0466e06dbd8ef51376885c049bd583b38e37b
SHA256 caa401b20d419d6b9937ef04c578d4fa93f76ebfe852df06b3cad638f625a1d8
SHA512 871f6dea1b2f436314142ca7e94cbc28fb680e9217fa7390d286c05ad204b3a677ee71c7eac9ac35faca6cfc5973d4bda274680147c1c7b2213266ac17a0f586

memory/3592-16-0x00007FF731DC0000-0x00007FF732114000-memory.dmp

C:\Windows\System\tSKtLeg.exe

MD5 89adb504a9dde8c043329e5d701f9ef0
SHA1 789a32227eb06f0937e639aab6bd06bb3d7079a6
SHA256 0c1aa59c3d4b7442bf3073baf140d4108eb487f0c9bb7d15fb00190746b7d0bd
SHA512 b4c02f6f014e14bb090b486ddd6e56e05f64e3d7b68b3ca2de0639d1cb7fdb5d68c0cdbc562fd04fd418fc162162f0e400d2831b8bcfb82052b9a39aa69cd8cf

C:\Windows\System\rIMuSYs.exe

MD5 d177625671944b2951da31ad8068ca6e
SHA1 51a87cbd680948a162940a742bfd5764092411e3
SHA256 5680a6319fccc34cce374d3007be99d6a32ad14390737f589f37a6509e70ca0c
SHA512 5665c436754bf5a4f7e642648ce8419b10d9a98d2bcb4f2f1071d404172fac8e7e395ae7a7db38d49333df51d33feebae6cb34e69c2f62f82b77f14109e0b8e9

C:\Windows\System\FIapuog.exe

MD5 b0d85a5b81ec04486b8394a1fb9e44aa
SHA1 b4383abe73f81d107aec2459ddaa6fcfcf1f210e
SHA256 416dafcacdd02d8878d2a869a688496ceecfafec91e63be057306001d2e07925
SHA512 2fdb5aa133d0d015db339e0fa898f7b3c94dc9a14be426c895a2faab51baf5b0963cf767fb35cebbb2b28a54483c6f1db6fa276b67ae6a75162a20933edff0fd

C:\Windows\System\EyETLIH.exe

MD5 a3cfe0ca1fceacf8e01fad5f83040c53
SHA1 eea7990b5b3d6133e44f54296a8032a85f2c8fcc
SHA256 953e90a42df361e8ad6bc35a79293f9ffe832d89fdcae1f7a78cdfb130cb3acf
SHA512 0990cb4f3731b59d19399ff15b8528a95f8160e18cf6d5b927ad03a8652ac9b342f3bbf2b3250c1189c85a958124bc6a114359ea5dd1f8773addc81d63184170

C:\Windows\System\CTCtSZz.exe

MD5 7f6910b1b2ce821ee07584a8e3045978
SHA1 42c68df82452236b446e19d753056a4014a0ccd2
SHA256 ecaddb75f4a597225c41595055cc72dbf75cea52b855f327aa7729c0cb75a251
SHA512 f75d769d5e4a85a6b7d548df4d23eec29360e27e834a8f19debc660e6444a4562ab46aa7f06cb6e2567c75570720b112d7ac637dabdaa40263119771e6e3595c

memory/2064-47-0x00007FF61B990000-0x00007FF61BCE4000-memory.dmp

C:\Windows\System\AFyzcBF.exe

MD5 fd9b2a2104ef2910ba18f368c5862624
SHA1 96186cc308bd01889645a9c31476aa5fcf08e51f
SHA256 4f466ad041364fcb6f44d18fa2df8c19fac208fceb9fd542f52e7da3504be94d
SHA512 56aad11ad08091d13e2d67c03af30bec684b13cfb1e9fd57c89a66a8e7b1530092f2b2df1b6c6b9a64803155bfdcc3a3000e2c9ad1cf3941b87979dce01a6894

memory/2604-59-0x00007FF674E00000-0x00007FF675154000-memory.dmp

memory/2552-60-0x00007FF79A4A0000-0x00007FF79A7F4000-memory.dmp

memory/4084-61-0x00007FF6A17D0000-0x00007FF6A1B24000-memory.dmp

memory/3764-54-0x00007FF6844B0000-0x00007FF684804000-memory.dmp

C:\Windows\System\xKikjob.exe

MD5 24fc3f864a8def52fa8967e9aefb2d19
SHA1 530ae0893dc6bd5e7ed6115e2d2bdaa4492d9b26
SHA256 6d9f3aaf4fa81d2ae591206ecc509a8c5ab97045c3f2982bb5f6256cd8ce0341
SHA512 14654b2d1230435bcc961fe5fb1cc81c4332002b2d0896dbef39de80ab7489988b7b111be66c84a19145abc1a2259615b0d272d785542daf1665d66b7dd88117

C:\Windows\System\XZhUeQy.exe

MD5 1d54c1bf0b7a03f5dba03d5a7d316fff
SHA1 4429ecebbf360f885ef8d37a04ee211d0b5960cb
SHA256 8a5fa9728f81b99eda1d418819581bd7990e6150a63bfd7a4a8497facf32e535
SHA512 69693038aba13c6e6a59d86e684b53e76d8dc23a6fd32975ca6066472849e40777ae5710b7c7b29a76ac2d4c54bc797753f9b2b6f4db77bf651cd8ea5b1a1b22

memory/424-34-0x00007FF7D2EB0000-0x00007FF7D3204000-memory.dmp

memory/1592-26-0x00007FF792FC0000-0x00007FF793314000-memory.dmp

memory/1588-25-0x00007FF73C8E0000-0x00007FF73CC34000-memory.dmp

memory/4860-67-0x00007FF6D5870000-0x00007FF6D5BC4000-memory.dmp

C:\Windows\System\xZrgAmP.exe

MD5 3c6b1b75a7962e0804b42b62868b5a55
SHA1 fb09238aecf796e5c1fe2ac6c20974e7f400083a
SHA256 0cfa23a3a57d75cbe4e666d1ba4ffbf83d04436f266d0ba0efad40c283bb7905
SHA512 9fd394730f1a699959ce952afa3ca6d88bf30097f24c0db9041b8f23e8efece13c39c298314e6b8d87d9b182082e02251badf18a4fa4f5a1db3fb0498b2aabd4

C:\Windows\System\NeIBuJM.exe

MD5 f3ad0755e07e9690993c0e3e03060826
SHA1 61fc93bc2571b95c845a372a9caf88a4b69a914d
SHA256 92a40c99469a47c6dfed59194a605fac281595e3fd28a2a277750edf6541ae54
SHA512 a4e9da827024668a3052b9e35ab5551eb2e1171d547a64a259585dc27ca5911c2073ab4e8713728a5f2c783d2b999f1e6471c56454153d40912f1297341e39f5

memory/5112-73-0x00007FF693450000-0x00007FF6937A4000-memory.dmp

C:\Windows\System\YJKqZBK.exe

MD5 3e5e36635a109ad85289742fb91b1ed8
SHA1 9bf9c9b01b96f36e69fd9dffe8327ff7ea986fde
SHA256 0a77787778f2819e7789388c83e1e12bc9c1309983125dbfaaa48f87dbd34b5a
SHA512 da831bdc34cf1be626ec7dadbaefd4ca8137778f152dd5107584fb8f0807ec4ffc3ef6b7a5ff6db397080dc7259276ffd3402cd2038e11b2a7c307561ff86c21

C:\Windows\System\YJhEodi.exe

MD5 2e7bcc96e5bd98dfa44646a26325f3d7
SHA1 bf80dffb91689a594303c2080645ac8d3b34706d
SHA256 b55ba00d9bc3cda67f9c441fe6634b215c8d0280d9e42880f6da1426b3ea4e28
SHA512 cdca1b8efee60f53e3107ebfcdf78481460a68d83b92ecbc7ecd9624d6ab490c7a5768b6ca394c43c5058ea6b9d842da8dc7fd03f71fd73869eaae08bd6384eb

C:\Windows\System\FAcoBxr.exe

MD5 ddf169cfa4dab25891f106f5ed7c9417
SHA1 99732bdce0bbeef11348aec3a5ca39f541622fc6
SHA256 d3aaa49576e6d9c527fc594a5a0f891d66a7b118668291514ed900634ee58d3c
SHA512 0f7c2d5e65459a7f0b942dd275a671b73d5ae6b9da7c4211708d93c407ee9c2e19b72c954ac8f18bd3918160b8bbf05dc269efabb66ad915e14ae31cd48b1a2d

memory/676-90-0x00007FF74CA50000-0x00007FF74CDA4000-memory.dmp

memory/4420-92-0x00007FF6FEF70000-0x00007FF6FF2C4000-memory.dmp

memory/588-91-0x00007FF720610000-0x00007FF720964000-memory.dmp

memory/4904-88-0x00007FF7185E0000-0x00007FF718934000-memory.dmp

memory/2560-82-0x00007FF656460000-0x00007FF6567B4000-memory.dmp

C:\Windows\System\WaLJrEy.exe

MD5 9baeb8461892bec9ee81d968e9729f70
SHA1 c6094a4874c300afd7503ee720e9d2fb17e7b52b
SHA256 e4b190ea43c6907ffb2a686e5fe0fde965c05536ddf43bd1a61229f18dd73fd3
SHA512 312c6843a0e655c37d16094e7a1509706f2508e571bace356e0c7e1060bef9c7161d739dd4e810a282d3603a32c3c2452dd505b8a19eab2ca638368069c0d606

C:\Windows\System\MrtSmYD.exe

MD5 50e305d55f76d13a8ba5d01eadcaa8d3
SHA1 58ff79013730f0de2b9eb260c17fe51a5793d24e
SHA256 5afef8cd2b5585b13ab6c16b918648301a383e232e44a190676abb03809162e4
SHA512 9bde1b2456672cf90ce1c667f030d2eb098f7ddd414465663ddea995760d7f510c6a596f6c914d3d9eb675621dbe04a05cf934010b0d03e51d543dfbce924953

memory/3592-105-0x00007FF731DC0000-0x00007FF732114000-memory.dmp

memory/3496-108-0x00007FF7C8F50000-0x00007FF7C92A4000-memory.dmp

memory/2604-116-0x00007FF674E00000-0x00007FF675154000-memory.dmp

C:\Windows\System\WuFvLnb.exe

MD5 e905d7d9187596527f0d6ad3aa0e2583
SHA1 5a040947bdd90b4250dfbea88b37b50bffade5d5
SHA256 db570419d8c1a509b376b354377c259c4dfad46c298530b1167b98abba323c17
SHA512 5d4f16999bfec7e4ff900becfa9b0b328a51cf77784482054b3bca6d7b7bd268676228309d91e12152005d974e920dec2849fcf15fca95033c32c97d03cc5f9b

C:\Windows\System\GUksFQa.exe

MD5 b4f078e7bbee5b45381d000fdbb06f58
SHA1 f33cbb4a50ba772a48669614fb8446f4c19489fb
SHA256 248b6168f8d2d5077dd439ec46c7f1056665e4c4cdd17a76516c27f141e8d19e
SHA512 29d0840730ce95eb67c66cb65f78d9e16e76cb321a683b9f762bd29700d90b60012ada9fa58388fa6107cd8f3d66dc52e31be992c152498dac5626f654d1dc28

memory/696-124-0x00007FF7DF450000-0x00007FF7DF7A4000-memory.dmp

C:\Windows\System\ETHeeKW.exe

MD5 1dada9ef837d9cdbcbbdda4243ef55df
SHA1 315b2c3459e8d48343dd8298e2c3259dbf52f02b
SHA256 50502f7fcaff9e7caa72125ea291998e52d2125074bed64dfabac206e196e54c
SHA512 a1f17f3bbbe65ff04caa6a1b591d9377cb4b7c23488d177f32df5a5fb1707baa2ac3292c157304b1d1da7762e705293414f3c5034f0cf2db88e9230917386e9a

memory/4448-117-0x00007FF7A3DA0000-0x00007FF7A40F4000-memory.dmp

C:\Windows\System\yVBEbea.exe

MD5 7febca8ab9fee9abf1b5327b5bb27cda
SHA1 04e1682d191cf9e6ad571829d1f0e4b263da0278
SHA256 b1369e9140fb243cbae8725d68f78d0dc57857373fe7775c941ba1578aa553e9
SHA512 533d0e221008e3afe8b134aa1af773860fb67a5d8e13024e99e9c43285a60736e0d199807c5f061fc939fcc7693f3557fb93053a3dd76721f988172d2b5fc2eb

memory/3580-106-0x00007FF76E950000-0x00007FF76ECA4000-memory.dmp

memory/2932-130-0x00007FF6E0210000-0x00007FF6E0564000-memory.dmp

memory/4860-132-0x00007FF6D5870000-0x00007FF6D5BC4000-memory.dmp

memory/4508-131-0x00007FF76ED70000-0x00007FF76F0C4000-memory.dmp

memory/5112-133-0x00007FF693450000-0x00007FF6937A4000-memory.dmp

memory/588-134-0x00007FF720610000-0x00007FF720964000-memory.dmp

memory/696-135-0x00007FF7DF450000-0x00007FF7DF7A4000-memory.dmp

memory/4420-136-0x00007FF6FEF70000-0x00007FF6FF2C4000-memory.dmp

memory/3592-137-0x00007FF731DC0000-0x00007FF732114000-memory.dmp

memory/1588-138-0x00007FF73C8E0000-0x00007FF73CC34000-memory.dmp

memory/1592-139-0x00007FF792FC0000-0x00007FF793314000-memory.dmp

memory/424-140-0x00007FF7D2EB0000-0x00007FF7D3204000-memory.dmp

memory/2064-142-0x00007FF61B990000-0x00007FF61BCE4000-memory.dmp

memory/3764-141-0x00007FF6844B0000-0x00007FF684804000-memory.dmp

memory/2552-143-0x00007FF79A4A0000-0x00007FF79A7F4000-memory.dmp

memory/4084-144-0x00007FF6A17D0000-0x00007FF6A1B24000-memory.dmp

memory/2604-145-0x00007FF674E00000-0x00007FF675154000-memory.dmp

memory/4860-146-0x00007FF6D5870000-0x00007FF6D5BC4000-memory.dmp

memory/5112-147-0x00007FF693450000-0x00007FF6937A4000-memory.dmp

memory/2560-148-0x00007FF656460000-0x00007FF6567B4000-memory.dmp

memory/676-149-0x00007FF74CA50000-0x00007FF74CDA4000-memory.dmp

memory/588-150-0x00007FF720610000-0x00007FF720964000-memory.dmp

memory/3580-151-0x00007FF76E950000-0x00007FF76ECA4000-memory.dmp

memory/3496-152-0x00007FF7C8F50000-0x00007FF7C92A4000-memory.dmp

memory/4448-153-0x00007FF7A3DA0000-0x00007FF7A40F4000-memory.dmp

memory/2932-154-0x00007FF6E0210000-0x00007FF6E0564000-memory.dmp

memory/4508-156-0x00007FF76ED70000-0x00007FF76F0C4000-memory.dmp

memory/696-155-0x00007FF7DF450000-0x00007FF7DF7A4000-memory.dmp
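Every dropped executable in the Files list above has a different hash on disk, but each dump name carries the start and end of the dumped region, so the in-memory size of every mapped image can be recovered straight from the listing. The Python below is an added example written for this page (not the sandbox's own code) that parses a copied subset of the dump names above; it assumes the `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` naming shown here.

```python
import re
from collections import defaultdict

# Sample input: dump names copied from the behavioral2 "Files" list above (a
# subset; the full run lists 22 distinct PIDs, parent 4904 plus 21 children).
DUMP_NAMES = """
memory/4904-0-0x00007FF7185E0000-0x00007FF718934000-memory.dmp
memory/4904-1-0x000001D981170000-0x000001D981180000-memory.dmp
memory/4420-8-0x00007FF6FEF70000-0x00007FF6FF2C4000-memory.dmp
memory/3592-16-0x00007FF731DC0000-0x00007FF732114000-memory.dmp
memory/2604-59-0x00007FF674E00000-0x00007FF675154000-memory.dmp
memory/2604-116-0x00007FF674E00000-0x00007FF675154000-memory.dmp
memory/4508-131-0x00007FF76ED70000-0x00007FF76F0C4000-memory.dmp
""".split()

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, as the listing spells it.
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Return (pid, seq, start, end) for one dump name, or None if it does not fit."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def region_sizes(names):
    """Map (pid, start address) -> size in bytes; re-dumps of one region collapse."""
    sizes = {}
    for name in names:
        parsed = parse_dump(name)
        if parsed:
            pid, _seq, start, end = parsed
            sizes[(pid, start)] = end - start
    return sizes


def group_by_size(sizes):
    """Size -> sorted PIDs owning a region of that size."""
    groups = defaultdict(set)
    for (pid, _start), size in sizes.items():
        groups[size].add(pid)
    return {size: sorted(pids) for size, pids in groups.items()}


def shared_image_size(sizes):
    """The size owned by the most PIDs: the candidate common payload image."""
    groups = group_by_size(sizes)
    return max(groups, key=lambda size: len(groups[size]))


def outliers(sizes):
    """Regions whose size differs from the shared one, as (pid, start, size)."""
    common = shared_image_size(sizes)
    return sorted((pid, start, size) for (pid, start), size in sizes.items() if size != common)


if __name__ == "__main__":
    sizes = region_sizes(DUMP_NAMES)
    for size, pids in sorted(group_by_size(sizes).items()):
        print(f"{size:#x} bytes: PIDs {pids}")
    print("outliers:", [(pid, hex(start), hex(size)) for pid, start, size in outliers(sizes)])
```

Run over all dump names of this behavioral2 run, every PID, parent 4904 included, owns a region of exactly 0x354000 bytes; the only other region is the 0x10000 block at 0x1D981170000 in PID 4904. Twenty-one different on-disk hashes over an identical in-memory image size is consistent with one payload re-emitted with per-copy variation, but that should be confirmed by diffing two of the dumps rather than assumed from the sizes alone.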