Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-h8mx2aee39
Target 2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike
SHA256 a68bfbb56f837cf1ff160268161fd52d1d76c07380038da8ac16ba70de1f86e7
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a68bfbb56f837cf1ff160268161fd52d1d76c07380038da8ac16ba70de1f86e7

Threat Level: Known bad

The file 2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

xmrig

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

Xmrig family

Cobaltstrike

UPX dump on OEP (original entry point)

Cobaltstrike family

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 07:25

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 07:24

Reported

2024-06-10 07:27

Platform

win7-20240508-en

Max time kernel

136s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (58 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (58 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\qNtGZgH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IiCXkDB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DLSDDPu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XlvKLzj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zxuUdZk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EIlQuwa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uQjsPLW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XgsxlOY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QXCoGGU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bFhNQex.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rrtKoEk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bOJMHNH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GzAjCzs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BBrLAHZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XUdFcVM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pzlMwnd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QpSmZeA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WHhOIZx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zxEgolI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wBdHWcd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uEqXaYn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\wBdHWcd.exe (3 identical rows)
PID 2232 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\pzlMwnd.exe (3 identical rows)
PID 2232 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qNtGZgH.exe (3 identical rows)
PID 2232 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\XgsxlOY.exe (3 identical rows)
PID 2232 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\QXCoGGU.exe (3 identical rows)
PID 2232 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\QpSmZeA.exe (3 identical rows)
PID 2232 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\IiCXkDB.exe (3 identical rows)
PID 2232 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\DLSDDPu.exe (3 identical rows)
PID 2232 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\XlvKLzj.exe (3 identical rows)
PID 2232 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\WHhOIZx.exe (3 identical rows)
PID 2232 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\bFhNQex.exe (3 identical rows)
PID 2232 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\rrtKoEk.exe (3 identical rows)
PID 2232 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\zxEgolI.exe (3 identical rows)
PID 2232 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\zxuUdZk.exe (3 identical rows)
PID 2232 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\EIlQuwa.exe (3 identical rows)
PID 2232 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\bOJMHNH.exe (3 identical rows)
PID 2232 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\GzAjCzs.exe (3 identical rows)
PID 2232 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\BBrLAHZ.exe (3 identical rows)
PID 2232 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\XUdFcVM.exe (3 identical rows)
PID 2232 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\uEqXaYn.exe (3 identical rows)
PID 2232 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\uQjsPLW.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\wBdHWcd.exe

C:\Windows\System\wBdHWcd.exe

C:\Windows\System\pzlMwnd.exe

C:\Windows\System\pzlMwnd.exe

C:\Windows\System\qNtGZgH.exe

C:\Windows\System\qNtGZgH.exe

C:\Windows\System\XgsxlOY.exe

C:\Windows\System\XgsxlOY.exe

C:\Windows\System\QXCoGGU.exe

C:\Windows\System\QXCoGGU.exe

C:\Windows\System\QpSmZeA.exe

C:\Windows\System\QpSmZeA.exe

C:\Windows\System\IiCXkDB.exe

C:\Windows\System\IiCXkDB.exe

C:\Windows\System\DLSDDPu.exe

C:\Windows\System\DLSDDPu.exe

C:\Windows\System\XlvKLzj.exe

C:\Windows\System\XlvKLzj.exe

C:\Windows\System\WHhOIZx.exe

C:\Windows\System\WHhOIZx.exe

C:\Windows\System\bFhNQex.exe

C:\Windows\System\bFhNQex.exe

C:\Windows\System\rrtKoEk.exe

C:\Windows\System\rrtKoEk.exe

C:\Windows\System\zxEgolI.exe

C:\Windows\System\zxEgolI.exe

C:\Windows\System\zxuUdZk.exe

C:\Windows\System\zxuUdZk.exe

C:\Windows\System\EIlQuwa.exe

C:\Windows\System\EIlQuwa.exe

C:\Windows\System\bOJMHNH.exe

C:\Windows\System\bOJMHNH.exe

C:\Windows\System\GzAjCzs.exe

C:\Windows\System\GzAjCzs.exe

C:\Windows\System\BBrLAHZ.exe

C:\Windows\System\BBrLAHZ.exe

C:\Windows\System\XUdFcVM.exe

C:\Windows\System\XUdFcVM.exe

C:\Windows\System\uEqXaYn.exe

C:\Windows\System\uEqXaYn.exe

C:\Windows\System\uQjsPLW.exe

C:\Windows\System\uQjsPLW.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical rows)

Files

memory/2232-1-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2232-0-0x00000000003F0000-0x0000000000400000-memory.dmp

memory/2232-7-0x000000013F340000-0x000000013F694000-memory.dmp

C:\Windows\system\wBdHWcd.exe

MD5 663affe80915189dc9c5b585f36299c0
SHA1 b14402bbb800b9f4d2b3cc7082f4b8604dcbef24
SHA256 2e6078258203bf874805530da985a12fdbb7ee07158b966030205929efd41580
SHA512 8a4bcc6618fa0a3a12b447381473900f9c256f95dfd0a39341b5cf773cc73dfcbc309c3f4cd35e229ad141ad961502fb4d26103e89636ab86e53326cbcd2fccb

C:\Windows\system\pzlMwnd.exe

MD5 5e0ac260d060e1563baaaa07f11b986a
SHA1 cc9bcd72f3ae67f36d7a277835d0cd23ed291cfe
SHA256 1f3dbfe8cbe29ff72aa01053fd7fc24d706c73f3fff367d9e6295fc264a9d853
SHA512 12a2abc3d9bd19aa02dcee52e5ec0d94a19c9ea2dd1307be2de5f680dad5c8a1aa39102619e4043d4ba4e32437e928c65444029f299bcb8604826abc8768c134

C:\Windows\system\qNtGZgH.exe

MD5 be2a325e9131200ef0d31f64b4d95b91
SHA1 f061544cd6e73f41d21560dabeb3ac5a4218db93
SHA256 4cec39489eda4050726225347359d2b182398cb921a23a40efafe97986226720
SHA512 235ce57f234f13e0ad3fef016c5491799fcbe6d6d350c5346333d1f6ded14d5e86297b62def74c7582edf439cdad1fdb2cdef03be28da5546a27aff211ab3040

C:\Windows\system\XgsxlOY.exe

MD5 4385c9e4f54eb8a131162f84f4d17313
SHA1 7b719e340d75c9616a52091ff74fe6808943b598
SHA256 46072cf7c16e71e4a4aa045b5466beba3f74c8a09617408fda94688d6c0091bc
SHA512 7a3e193459e7e6cfec74ff857e4cc5e3922d59e37a617799da2375925add2d3ceefee978921ba5f332e2b9b817fc6cf0a5ddbee2557aa5bf01a324d813e98b3e

C:\Windows\system\QXCoGGU.exe

MD5 90203667c004bf07f179460652c4a907
SHA1 357934cbce46974395183198bc3288977675ca52
SHA256 658e82bd2c25f7009d9d1519f0eb39794eee6c294da128b4eb25f22d30c46a7a
SHA512 5ffd3967230b457efa0a8b2b8388829ecb632cdc99df11237792dd1cceaa3c803b86d0484aa8ac1c5bde0ca8e78591b13d376e0231f8a9d6bf8e9a301f5e0760

C:\Windows\system\IiCXkDB.exe

MD5 c4b9c3e6afffb5df10fe291b2bb5dcc1
SHA1 557aaaf0dc26b57613179f22236e8e3abee79daa
SHA256 03b8a0cb6a9a25d511940312007fad0796aa739e4398889061886997044dfc65
SHA512 f3fb9c26b3396bedc78ee91187f0e30ac3e22b4b3a462c47aff489c82b072cbdc689d102dc4879dc2f962ff23cd1a99ab50039879192442a2dbb3849afa74f57

C:\Windows\system\DLSDDPu.exe

MD5 bef43b28e0e93d2b3cc97592624ca333
SHA1 c236503e50d31e1f81d193a1e6f4806b24a657ae
SHA256 f7ef99eede76aa65e687299d0e864aeb85c94550be049e9bd3b1b84b174520f1
SHA512 df49ac23a226f3244bac8d73d5e14b4e76c305098a619cb0dbf7bb955e1d62d46f8d2bf944b89b083cb9ae577bf3e265d553e477321df55ad4b627b20c516854

C:\Windows\system\XlvKLzj.exe

MD5 b63479e79576e0a7a5630766200ee77f
SHA1 9ae918ff22be26d39c5081a09444027ab97a6277
SHA256 018a75b37f53a55f6271dc1b006049d2812982e6ed7a01715ef781df0c7e5b75
SHA512 90498b591b223b53892d103a8995a1db872fd7cc690d3c9abd23d30a5338203f25d6defeafa752750044869dd03afc2e0bbb91546228982836cefdecab1c17c9

C:\Windows\system\WHhOIZx.exe

MD5 430d98fc8cdc23b80ea55dabcdff8b0e
SHA1 6f76dfb66479009ca7b50c702b08d42e0b3ad62d
SHA256 209e68294710c604eb2ca85be1de17e2bd3a39c48fb42ff52769a3ce4f03298c
SHA512 eeac79de2a285ddff1e93ff1b88396d5a2025c436cbdb5d0aa032c56fb87c0d1fe844dc32c5136baea75115d8dc8a7f3be9b78751162df1503c4ff4342f66b30

C:\Windows\system\zxEgolI.exe

MD5 9ce9f55365cea035e6fb5749fde4f298
SHA1 0989191a88bf2de87aa024df9dc4afbec6899f55
SHA256 19fcadd769ef4c5499813823fa754f675f9b11be1e6de58480527fb5ff036cfc
SHA512 28cd9881adc5771cbd4c9fa4bd5ea6cb9592785fd0b7d62fd9d1a09bf56bdde1b4d510a27cc6f23bc275cda54429e04d6a849a4c1c40c039c5c7cec779f4af1e

C:\Windows\system\EIlQuwa.exe

MD5 24f1fda4b9d525daa29c2ae83eb4a16f
SHA1 962de5fc29bc312154d4a6a40068d36d01d03b12
SHA256 97463ce984f19eb573f50b35c0920c23fc40fcd3081ea1ea0e7c5965cbedc506
SHA512 a76c75cf7c04f9ec9b5056ad04cafea80642c530775d7797e059d6061174b0baa6bb8afd59acafbdf23b780818ff6bc5d0897da2f9008199afcd1acf60aedba1

C:\Windows\system\XUdFcVM.exe

MD5 cf07e20c84cc414fb40a5af0d384ecb2
SHA1 b7911dbc6df69d42303a03b7155d96eafcf5f304
SHA256 642bf1bf3a39e05220249dadfe1f825c1ce4c03f3d73eed4cbd6ce9d9b1460b1
SHA512 4a6b115de94d07ae12d75c983e8f5a877226846b523bd0a8fa3d6d5209581ef0b0889d5e8dea86b96b4f8a17a361d84a9079053ed5f829e9c5b80d88e4db6637

C:\Windows\system\uQjsPLW.exe

MD5 3bbb180a33a8e0b9837fb18fc6e97c6a
SHA1 44ded321120ffab0c4699e88b8a3d56b86ada9fa
SHA256 160bd6aead16d1771894169c8cd5e7a0b64e750537512f46f9f51ac6e44b899a
SHA512 d479bef438b76c58b337288f6b56ebeced0a0155f3ca34e824a77649e2f56401ef61ec8d74e4bd282448600b7785ea557cf20537537eae70385406f4471f2191

C:\Windows\system\uEqXaYn.exe

MD5 6c4f6d307f6fa9637618ac6329f92578
SHA1 93e08d060cdd01089baf285498c14588dd706c78
SHA256 226f609aff9c54dc1a5da2b7bcf9f7de210ff60a1e06b15c6895176ecc6b733a
SHA512 9a83e908fc106b0f6f38cacbbfac3a58516b7bbb3f95369cd2ae60c51e8eed11cc299c1a10a831379de7cb91a5eb08ef47f36508d0269be1b763782ebf55df43

C:\Windows\system\BBrLAHZ.exe

MD5 38e4b247fd4bc52e9aa37648b84984df
SHA1 cee52c2e920d9b5c4bc2b27a1c711059286baae7
SHA256 d9bab6e041f8b0cacd0e94f95de0a7adcd96dbf76ac142b3343bf984c790ee7f
SHA512 4f4e0b8598135caa573466406ffda4dae9eb37bb6c94d0d3a568bd2aa1b4b5e4d1fb71f9b62f28ecb0d1699a36eaf922a6ad3028e1bc1df2c6539eb702706991

C:\Windows\system\GzAjCzs.exe

MD5 d3ef8342783aaf6efa10823eb92f065c
SHA1 0efdec05d6f4da8a02f9fd13b8f1bac8b272f351
SHA256 db85aafcbd9105ce1c0315300a160283cab507a8173d4afb423aa5849af9ba2b
SHA512 0dc7f307e740dfe415777dd3c252452f786ce282211db3c455ab536462eccb93f6ccdd8485b3754bed95a4555c7b07afc52db28be221ef55754c0233e92734e9

\Windows\system\GzAjCzs.exe

MD5 1d51a6f9f8f706d40a78f27cac287065
SHA1 981c2096ede4558d1ebc91ef5d6ea849a5e05a26
SHA256 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1
SHA512 f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97

memory/2232-93-0x00000000024D0000-0x0000000002824000-memory.dmp

memory/2232-109-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2328-112-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2232-111-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2988-110-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2232-133-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/2232-134-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2552-132-0x000000013FC90000-0x000000013FFE4000-memory.dmp

memory/2232-131-0x000000013FC90000-0x000000013FFE4000-memory.dmp

memory/2612-130-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2232-129-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2856-128-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2940-126-0x000000013F360000-0x000000013F6B4000-memory.dmp

memory/2232-125-0x000000013F360000-0x000000013F6B4000-memory.dmp

memory/2880-116-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2232-115-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2712-108-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/2232-107-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/2840-106-0x000000013F030000-0x000000013F384000-memory.dmp

memory/2232-105-0x000000013F030000-0x000000013F384000-memory.dmp

memory/2688-104-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2232-103-0x00000000024D0000-0x0000000002824000-memory.dmp

memory/1580-102-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2232-101-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/3060-100-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/1344-92-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2372-88-0x000000013F340000-0x000000013F694000-memory.dmp

C:\Windows\system\bOJMHNH.exe

MD5 cf04457e2d6ab9cd51c64fbe1668c80e
SHA1 8adeb366c49c91c689385af867b3957f753a1cb6
SHA256 1df44bd1a6c1fae667c9d1b2554f27c2e2c4564a9d38bfc78b3ada0f12bf8909
SHA512 1a433440f17b9096411c960e7a26bfe8d712b5155bcaf3e42ed3f1a2cfa51152dd7bba844e863501829a5a2dabbcadde792a6a815943b4dbc23ef0e2c4faf003

C:\Windows\system\zxuUdZk.exe

MD5 e797e92a71021619b097ae8fbac1fe7d
SHA1 0ef322320e521228467531e313f6894cfc732511
SHA256 fa67af7c377aecafcdda6d469d4fbf1eb2311ef86de0745d2d15b5b3a6b307cc
SHA512 078bbd0e8b9ceb8160f482bbd8cf5a8b49eb258b431daec75b3c7b5ac36906d8c09cf3e5e194ea5646de473a23bf3d19e23a793b86f6cce74a022f891e67bb28

C:\Windows\system\rrtKoEk.exe

MD5 eb4e7074c87125542ce65ad2969c8e55
SHA1 daaf83fe4c6a17b8f4c9d8e8c5710d0f50741664
SHA256 56679e8eb3774ac1df76c05c38adb506727fe4f06f5d79d7b5785f9a34eb2db6
SHA512 dbcf931134a3ca096a1ae2cd4e2953b189a9e6d3edce06fa6ccd92189b72e2153ec1b1098edc3d475bbd26d46db0e506d153753f3f42e8637bc5e94b7c032641

C:\Windows\system\bFhNQex.exe

MD5 99043fcc87b99e8f50dc187ac855ab6d
SHA1 79f090ed958b848efad445745d66de5e920f4491
SHA256 87afbd936c9d8a13ab7deddabb6b83cec1fd5bf4335a2a14815401c0c1385237
SHA512 9640d1baf87786098f32b6f529436e3c8186770fd2482c9de5c26cd1d6b104d614f0ade20005cccb8626309c75b408d6025af1d65dc51d6a93b43a80c413271a

C:\Windows\system\QpSmZeA.exe

MD5 836854b9dc48e7e87d5504e2584a2f4e
SHA1 363157d971444dedbb3392457c5b47b34e27bfff
SHA256 022be373597595219fb188665a87005b550873aa616eb640030b38edbccc6123
SHA512 a08f06ec04d60651381ac19cfce01b2285d0589c8f442fe7aeacc9fe44f1eea6dfdecd3f0bb38d32cee6796abb65dc15c9577d6dff9f09fa0af0e818c86db788

memory/2232-136-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2232-135-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2372-137-0x000000013F340000-0x000000013F694000-memory.dmp

memory/1580-140-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2840-141-0x000000013F030000-0x000000013F384000-memory.dmp

memory/2988-142-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2880-143-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2232-139-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/1344-138-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2232-144-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2372-145-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2712-148-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/3060-147-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/2688-146-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2612-151-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2328-150-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2940-149-0x000000013F360000-0x000000013F6B4000-memory.dmp

memory/1580-152-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2552-155-0x000000013FC90000-0x000000013FFE4000-memory.dmp

memory/1344-156-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2856-158-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2880-157-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2840-154-0x000000013F030000-0x000000013F384000-memory.dmp

memory/2988-153-0x000000013F100000-0x000000013F454000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 07:24

Reported

2024-06-10 07:27

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\tQJcDKl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AoFtlYZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yFFnsNs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lDhHGFY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VAvvfhh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rRxUAWu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eudteDv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OfnyLFo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tooVMgW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FkBSrhy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qymAgeF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qWbVHAx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PWSbQWE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pgGmQmm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EFMDsiT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VQrMuEo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KgPGzVU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wtAoVrD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fkoqXuN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SqUIseM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eUItebq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\tQJcDKl.exe
PID 2372 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\tQJcDKl.exe
PID 2372 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\VQrMuEo.exe
PID 2372 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\VQrMuEo.exe
PID 2372 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWSbQWE.exe
PID 2372 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWSbQWE.exe
PID 2372 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\pgGmQmm.exe
PID 2372 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\pgGmQmm.exe
PID 2372 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\AoFtlYZ.exe
PID 2372 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\AoFtlYZ.exe
PID 2372 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\OfnyLFo.exe
PID 2372 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\OfnyLFo.exe
PID 2372 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\yFFnsNs.exe
PID 2372 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\yFFnsNs.exe
PID 2372 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\lDhHGFY.exe
PID 2372 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\lDhHGFY.exe
PID 2372 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\VAvvfhh.exe
PID 2372 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\VAvvfhh.exe
PID 2372 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\KgPGzVU.exe
PID 2372 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\KgPGzVU.exe
PID 2372 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\wtAoVrD.exe
PID 2372 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\wtAoVrD.exe
PID 2372 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\rRxUAWu.exe
PID 2372 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\rRxUAWu.exe
PID 2372 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\tooVMgW.exe
PID 2372 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\tooVMgW.exe
PID 2372 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\fkoqXuN.exe
PID 2372 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\fkoqXuN.exe
PID 2372 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\FkBSrhy.exe
PID 2372 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\FkBSrhy.exe
PID 2372 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\SqUIseM.exe
PID 2372 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\SqUIseM.exe
PID 2372 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qymAgeF.exe
PID 2372 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qymAgeF.exe
PID 2372 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\EFMDsiT.exe
PID 2372 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\EFMDsiT.exe
PID 2372 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\eudteDv.exe
PID 2372 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\eudteDv.exe
PID 2372 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\eUItebq.exe
PID 2372 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\eUItebq.exe
PID 2372 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qWbVHAx.exe
PID 2372 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe C:\Windows\System\qWbVHAx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_3bbe2f96f21c1579ff4204741c8c542a_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\tQJcDKl.exe

C:\Windows\System\tQJcDKl.exe

C:\Windows\System\VQrMuEo.exe

C:\Windows\System\VQrMuEo.exe

C:\Windows\System\PWSbQWE.exe

C:\Windows\System\PWSbQWE.exe

C:\Windows\System\pgGmQmm.exe

C:\Windows\System\pgGmQmm.exe

C:\Windows\System\AoFtlYZ.exe

C:\Windows\System\AoFtlYZ.exe

C:\Windows\System\OfnyLFo.exe

C:\Windows\System\OfnyLFo.exe

C:\Windows\System\yFFnsNs.exe

C:\Windows\System\yFFnsNs.exe

C:\Windows\System\lDhHGFY.exe

C:\Windows\System\lDhHGFY.exe

C:\Windows\System\VAvvfhh.exe

C:\Windows\System\VAvvfhh.exe

C:\Windows\System\KgPGzVU.exe

C:\Windows\System\KgPGzVU.exe

C:\Windows\System\wtAoVrD.exe

C:\Windows\System\wtAoVrD.exe

C:\Windows\System\rRxUAWu.exe

C:\Windows\System\rRxUAWu.exe

C:\Windows\System\tooVMgW.exe

C:\Windows\System\tooVMgW.exe

C:\Windows\System\fkoqXuN.exe

C:\Windows\System\fkoqXuN.exe

C:\Windows\System\FkBSrhy.exe

C:\Windows\System\FkBSrhy.exe

C:\Windows\System\SqUIseM.exe

C:\Windows\System\SqUIseM.exe

C:\Windows\System\qymAgeF.exe

C:\Windows\System\qymAgeF.exe

C:\Windows\System\EFMDsiT.exe

C:\Windows\System\EFMDsiT.exe

C:\Windows\System\eudteDv.exe

C:\Windows\System\eudteDv.exe

C:\Windows\System\eUItebq.exe

C:\Windows\System\eUItebq.exe

C:\Windows\System\qWbVHAx.exe

C:\Windows\System\qWbVHAx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 52.111.227.11:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2372-0-0x00007FF6CE0B0000-0x00007FF6CE404000-memory.dmp

memory/2372-1-0x0000018963CB0000-0x0000018963CC0000-memory.dmp

C:\Windows\System\tQJcDKl.exe

MD5 6dec87fc0f7ba22f00ee917fb459a843
SHA1 470ba7dfae5901193e04945a8a9fce46b6769e1f
SHA256 55608a4a13f6e28fde2ef3cf777c852b1626a2b65bc8e0bce326100eaa1f9e08
SHA512 b7c159e2620c31496d57ded7863aeef6b193e521634fc449a017647eb68c4c3a5e4e2294cb2376768c4a6f216ae58c49ff11d52b155bbd9c21f2ec510ca36243

memory/2876-8-0x00007FF7D5BB0000-0x00007FF7D5F04000-memory.dmp

C:\Windows\System\VQrMuEo.exe

MD5 72deaebd05fe40a0b9ee77ab49d78702
SHA1 4cfe0c2834b6e019d7df84b7768a0e3d4c9ca564
SHA256 9dd20e95ba4cf47b56f34c604017a84a0d57a4e45c26b0d3d9bcbe153effa632
SHA512 c1a8145272080482d2b0ce56dd974a00d69cda6b983f4061ea4ca58598a380606a6f0822eb22e50042164a306bd335d187d2d8373294b47665ea4ada92da1f0b

C:\Windows\System\PWSbQWE.exe

MD5 c75c58f18329bd20290f2bbc4eb95168
SHA1 db74c19607fd8bac361360400ff19531cd61f9ff
SHA256 9fbb02546ab52d202830af9b0a7ffc3b33f340d063bcd4b3662e22c36a47ec2a
SHA512 e271e6e2b54438024152ea95c85504c5ae28af3336e7584952371303691d2811ec1ef7c1d5f42e79fea9500bfef7fb4b024ae2c110ec9d8fefc7fca3a571ff04

memory/4372-14-0x00007FF71FF30000-0x00007FF720284000-memory.dmp

C:\Windows\System\pgGmQmm.exe

MD5 f9eea8336434c64cd7c0fd8f8ef71472
SHA1 c83461c4bf765b7a8ef67e50d6092bd481fa62f5
SHA256 d8834478fb70510eb29f837f8f26c761aeb3ccd6029264969f05c89c08f027a3
SHA512 e9fae94bc37b5cb3e1c639f2d9572041fd89a7922bdda76428f6868a084ecb1a88c4674621cdd3edfe2e477c5d1bf47274a9d49a470f14d7ea766607dc1aa86d

memory/2864-20-0x00007FF682D10000-0x00007FF683064000-memory.dmp

C:\Windows\System\AoFtlYZ.exe

MD5 4339387cf5720915090a8ed2c322961e
SHA1 454c6bad05a1a03c7202b25a5d4c15ec663495cf
SHA256 893c139698c5013d27be650ca5cabbe5844a8eb6e75c7ccd3a3a0aa19e0b63bc
SHA512 54bddccbb7a8653931f5b1df0128c139239406df47464da9a93262b2ead2071e41d39ac181794f6794fec42773afbfb0c5b789d1647803a28974dea9365c03ef

memory/3028-32-0x00007FF751C00000-0x00007FF751F54000-memory.dmp

C:\Windows\System\OfnyLFo.exe

MD5 8f9bb384ac6628e1b361bd98d36b185f
SHA1 e7837937c7627b04f7f467bba513b98d2edef5c5
SHA256 3eefa84b70fcd84cca65d53e7d8393e11d74a9ac392a778b1993f9fb81735edf
SHA512 b26e1932152601e6d93e16fc9a1ad7ec64f483c145682d5250de27624d7fe52349fec407771d386f05d9a0f700387b981069cb2639dd5229a9fc7a3ced4b90b9

C:\Windows\System\yFFnsNs.exe

MD5 5419a73b8d52816495af1cb578c03a54
SHA1 0ed6a1e6686b7f8d8d61feed5a63346eeaedb447
SHA256 7bbff49756e434989884819e71a66d277b417b0c128bb8e4272a1ceb8157bd3b
SHA512 ebb9f3c48a7a7e56fd038a90d179f45743d4005129ad03c24d5079062d8bdedfe33adbab89202a4f345736c04577aa44c6808c9e07cbfc759f664c09aa10f3d9

memory/2468-42-0x00007FF665D90000-0x00007FF6660E4000-memory.dmp

C:\Windows\System\lDhHGFY.exe

MD5 ca6de229e075a06c9bdd8eef51fd16d7
SHA1 bd8cd35046cd18c980772d4743683cc466afbd55
SHA256 c9da7c26b702d5a70d79938afb1782330e85a67d634f0ef9ae06b4c5a4b615e5
SHA512 c58f7c09e078e929a65169dc181ea94026afbb15a41d23fcd4f1634f882a3d24da53f0dc116af6c9b95376f58ec9266ac79a0c3a46b2441f4bf8be551d9e6197

C:\Windows\System\VAvvfhh.exe

MD5 317155fbd032854645205cd0e460691e
SHA1 3fbd0ceee65c3ff19031d1c5ee3da3c4e91d5849
SHA256 19c34d8b908a189958876b54a40f35262d0ca85340ffbb2028c9ffe93c7cdf2d
SHA512 2f58cb2a5f7a7ad75eac44d8efaade4ca581469e91fc6659e622bbc3a9f03f4a96e96d7f2abc5d58a0eae69fdb44a0fd23957ebe99629fd36682f55c0b805b32

memory/768-52-0x00007FF6DD930000-0x00007FF6DDC84000-memory.dmp

memory/1236-36-0x00007FF634010000-0x00007FF634364000-memory.dmp

memory/4856-26-0x00007FF7684E0000-0x00007FF768834000-memory.dmp

memory/5016-56-0x00007FF7964A0000-0x00007FF7967F4000-memory.dmp

memory/2372-62-0x00007FF6CE0B0000-0x00007FF6CE404000-memory.dmp

memory/3464-63-0x00007FF63D760000-0x00007FF63DAB4000-memory.dmp

C:\Windows\System\wtAoVrD.exe

MD5 1b746d3274658525892c315ca99853c1
SHA1 4fb0c56acc918e9e9b8378b763291096c006b381
SHA256 dc0f0ac79829af0f0fc20d8642502614379b39b60f4c2ae19d2d23dd66df399b
SHA512 071489c057d371b17e589cc1120327be3dafcd187cb379622cf13661b59971cf7db8453287b154ad414ddd58217e76abe5f02b26859b9f91f2a1b05be2aa49d4

memory/2876-71-0x00007FF7D5BB0000-0x00007FF7D5F04000-memory.dmp

C:\Windows\System\rRxUAWu.exe

MD5 629567db3ce4ff6965f69a35d859dba2
SHA1 e09333f190fd6f1bdb707a56cb94e67df14d37fe
SHA256 3e1586cada73be4cf17ac52817d650a0ba567cf4e2706ed993bc2b050a4c4ef2
SHA512 f9b8624238e958b354cf83685e65c457e14814bc170336babf82511055b49e313b59d4b61ddbf07b9f37827e15c30befb0047a5e08d656c85d34ffa6995f69cf

memory/3140-72-0x00007FF603600000-0x00007FF603954000-memory.dmp

C:\Windows\System\KgPGzVU.exe

MD5 5d66efe224bd7a022dd572954e190afc
SHA1 ff239bffcb015d92acf645574521f14839706da2
SHA256 be53ae9f1afb9f92829642ef6f0e8992fabcc67f3ae4d7f6a92acfb079a40f01
SHA512 cb6606f42a716ecf5d642e5f65a6970e2f7f908595fc25f969a8ca7dc250ed74ecb451518155ab81711acf54d9dff7302774834f6d7142ea66d140bbf70f8256

memory/4240-81-0x00007FF6BBBE0000-0x00007FF6BBF34000-memory.dmp

memory/232-91-0x00007FF7D9EB0000-0x00007FF7DA204000-memory.dmp

memory/4856-89-0x00007FF7684E0000-0x00007FF768834000-memory.dmp

C:\Windows\System\SqUIseM.exe

MD5 2455f8c4e3d9e594d8b4a1159c00f0c4
SHA1 72f4ce9d06c9be2a25f61036b801e3f703839e46
SHA256 7b5f985cbb1dc2b74b2b79068e7d0ddb307d93b63e66490c5078c07b777edd30
SHA512 691e7ef357437312fcf9acc6ab4bfef98c186fe40edb0072258bf6213715a2c80e12385ba953566e9601409b7bf7be1de3d1e1a048a9214c0657109383e8388f

memory/4220-113-0x00007FF62B9E0000-0x00007FF62BD34000-memory.dmp

memory/1236-112-0x00007FF634010000-0x00007FF634364000-memory.dmp

memory/1824-121-0x00007FF72BED0000-0x00007FF72C224000-memory.dmp

C:\Windows\System\eUItebq.exe

MD5 e3d49cf7d281892fc5be8bc68c529bcc
SHA1 952bbf1b9a4a181f9a654b0b096d36d998fdb189
SHA256 f59bf67ca90f56699b85f06898c19d156c476a2b62d990d3232e2b54960ae54a
SHA512 bf17bf76edcb6c5b00430718ee4f097344c96256f38fbc7bcdec363af6bdf51cee08215d4e272a44fcd8b8daaf2fbb9b6eb2b43dff9e208a010d82f6362fcde8

memory/4360-128-0x00007FF69D5C0000-0x00007FF69D914000-memory.dmp

memory/4552-127-0x00007FF7A8330000-0x00007FF7A8684000-memory.dmp

C:\Windows\System\eudteDv.exe

MD5 a2c317df42c7ee904cc6a987b1e10b83
SHA1 32aa0b66c123c67e7ec97a90a8fabd83dab86b87
SHA256 f97bbd990e7b7a865c0e0e626b6a2307acc5517875f05a75eefa5ce297b5c265
SHA512 5b7937fcb20219d2b9170bbe906c16f4d235ac8a5b797234012c0e04740ec2aa5766af474a4f0d24cc0dd1751c9db65449162aa66c9881c59bcd650dee9f66c2

memory/2468-122-0x00007FF665D90000-0x00007FF6660E4000-memory.dmp

memory/4460-118-0x00007FF61CED0000-0x00007FF61D224000-memory.dmp

C:\Windows\System\EFMDsiT.exe

MD5 ec5693e5103596e8d4b8d9eac7be0186
SHA1 409832003d8f08b1d3d05187935678921e964f7c
SHA256 72f7796cf333573e399eacec1bf43f84987dddd7c5c32043a57f306d4eee8ba6
SHA512 00269caa6184f3ae4eb9fad087126d9e6c3724cfedb26f0573f055f5ce09f1f9e869eac4d1a2c7049448473d459b8374532d74cac3123ef6c3d09669d6134abc

C:\Windows\System\qymAgeF.exe

MD5 211bb4221f2642f1146b92aa05a0ceac
SHA1 57c04dbf92fc81207fea0ce725638eefa98d1446
SHA256 5c2c7895ad7b3fbe07b4f596bbd079cf82135affcdfb2ce319ad947a854cac51
SHA512 03b86a7c2b2ea57614b3019c20a4c20e430a01bae2503f22f9e29fc16820fa2442c713c4170311125c71e20abe6f6a8888f6637171614dcd42cdc56c34644f13

memory/224-99-0x00007FF763AB0000-0x00007FF763E04000-memory.dmp

C:\Windows\System\FkBSrhy.exe

MD5 8d788d0fa2290fe1936afe3d7a505eb2
SHA1 36aab12a72a487db85d7bf51b23ac9a8ae17f375
SHA256 bc51180d4df38567be77130542b5fe46dc7e9c269a211d4f5e36475a8921b54a
SHA512 bd1862f8e84b956e518b7db29416c7fc68edefc7fb9f90c7588e6d809a3aba069282f847ccc3a0a1591cb123d4cf5ad26a58ad5b2ecb6af98dde61c169ee9f96

C:\Windows\System\fkoqXuN.exe

MD5 0eccae85ae5c58b6ae1d8899cd5085e5
SHA1 bafb4da52155a18a2421c39b343cfa8bb49c5925
SHA256 4fbe103c8bfed161295e43ed6e3546d5bbe5242e99fa23c231b4944eee38760e
SHA512 f6822d426bdba20ee7ed52a30ca883ce1c6e0d499dc78227f37661040688f3c822e7b6fff90880a55af8050735c2712a451642262d256d96e9fee9604df5c08b

memory/444-83-0x00007FF74DAF0000-0x00007FF74DE44000-memory.dmp

memory/2864-82-0x00007FF682D10000-0x00007FF683064000-memory.dmp

C:\Windows\System\tooVMgW.exe

MD5 d6176ff7934dbbde3f63962e9bea8463
SHA1 420a4895b85f7d7b947124876aa2382d0039df84
SHA256 cec8344986243b0e0f95abeaab37682bbc7e89e27d72e5aa5013e28b9271a548
SHA512 e67d9381dc0470a315bf41ae7bc7d38e120eb96de97d5ccc6af84707819f08a2f4e2ae51e9a98d2e4c1a42f0b8044ab7fd84d06522aef537f6f74853f554d9a1

C:\Windows\System\qWbVHAx.exe

MD5 317f31fd2644ea8fd80064c321965edd
SHA1 495304caf59fd8a1afde5dfce1a148a62c135760
SHA256 29b1582c437ed66d8875c039e5aaa285c8de77ebe459e9962f86939bda234e8e
SHA512 acd686560f67c1dd05f3bb63aba253ad57053b2745566cd65a0f63bf096001f7f354f4731eafe20d1438a77e50beff3d7abef56eb8d5c5b826be78870685d148

memory/4808-133-0x00007FF6B03F0000-0x00007FF6B0744000-memory.dmp

memory/4240-134-0x00007FF6BBBE0000-0x00007FF6BBF34000-memory.dmp

memory/444-135-0x00007FF74DAF0000-0x00007FF74DE44000-memory.dmp

memory/232-136-0x00007FF7D9EB0000-0x00007FF7DA204000-memory.dmp

memory/224-137-0x00007FF763AB0000-0x00007FF763E04000-memory.dmp

memory/4552-138-0x00007FF7A8330000-0x00007FF7A8684000-memory.dmp

memory/2876-139-0x00007FF7D5BB0000-0x00007FF7D5F04000-memory.dmp

memory/4372-140-0x00007FF71FF30000-0x00007FF720284000-memory.dmp

memory/2864-141-0x00007FF682D10000-0x00007FF683064000-memory.dmp

memory/4856-142-0x00007FF7684E0000-0x00007FF768834000-memory.dmp

memory/3028-143-0x00007FF751C00000-0x00007FF751F54000-memory.dmp

memory/1236-144-0x00007FF634010000-0x00007FF634364000-memory.dmp

memory/2468-145-0x00007FF665D90000-0x00007FF6660E4000-memory.dmp

memory/768-146-0x00007FF6DD930000-0x00007FF6DDC84000-memory.dmp

memory/5016-147-0x00007FF7964A0000-0x00007FF7967F4000-memory.dmp

memory/3464-148-0x00007FF63D760000-0x00007FF63DAB4000-memory.dmp

memory/3140-149-0x00007FF603600000-0x00007FF603954000-memory.dmp

memory/4240-150-0x00007FF6BBBE0000-0x00007FF6BBF34000-memory.dmp

memory/444-151-0x00007FF74DAF0000-0x00007FF74DE44000-memory.dmp

memory/224-152-0x00007FF763AB0000-0x00007FF763E04000-memory.dmp

memory/232-154-0x00007FF7D9EB0000-0x00007FF7DA204000-memory.dmp

memory/4460-155-0x00007FF61CED0000-0x00007FF61D224000-memory.dmp

memory/1824-156-0x00007FF72BED0000-0x00007FF72C224000-memory.dmp

memory/4360-158-0x00007FF69D5C0000-0x00007FF69D914000-memory.dmp

memory/4552-157-0x00007FF7A8330000-0x00007FF7A8684000-memory.dmp

memory/4220-153-0x00007FF62B9E0000-0x00007FF62BD34000-memory.dmp

memory/4808-159-0x00007FF6B03F0000-0x00007FF6B0744000-memory.dmp