Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-kdrnvafb24
Target 2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike
SHA256 c37eb2c40bc8aa574296fb57ce7c6702fcf5b46c71fd1df61389e62554b82652
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

c37eb2c40bc8aa574296fb57ce7c6702fcf5b46c71fd1df61389e62554b82652

Threat Level: Known bad

The file 2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Detects Reflective DLL injection artifacts

XMRig Miner payload

Cobaltstrike

Xmrig family

Cobaltstrike family

xmrig

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 08:29

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 08:29

Reported

2024-06-10 08:31

Platform

win7-20231129-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 hits; no description, indicator, process or target recorded for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 hits; no description, indicator, process or target recorded for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(60 hits; no description, indicator, process or target recorded for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
(61 hits; no description, indicator, process or target recorded for any of them)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
(21 identical hits, all attributed to the sample process above; no description, indicator or target recorded)

UPX packed file

upx
Description Indicator Process Target
(60 hits; no description, indicator, process or target recorded for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\tMTgDmC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ISybEKC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\toqenLd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NyMhfnT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SALqMvv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CPzsdaq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RNRQpgr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NyqGdGq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UzIgcNL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xvSNfDS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tpGNpqm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QdHPKXG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ldgNxaV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BcYYZxd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dHXJnWF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ekPniQc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pNWWhbW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RPBHFLR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BzgtDGn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jdXJEaO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VGCbAMZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege (2 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 2372 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\UzIgcNL.exe
PID 1712 wrote to memory of 2400 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\tMTgDmC.exe
PID 1712 wrote to memory of 2740 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\NyMhfnT.exe
PID 1712 wrote to memory of 2552 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\SALqMvv.exe
PID 1712 wrote to memory of 2616 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\BcYYZxd.exe
PID 1712 wrote to memory of 2692 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\dHXJnWF.exe
PID 1712 wrote to memory of 2576 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\ekPniQc.exe
PID 1712 wrote to memory of 2488 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNWWhbW.exe
PID 1712 wrote to memory of 940 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\ISybEKC.exe
PID 1712 wrote to memory of 2532 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\xvSNfDS.exe
PID 1712 wrote to memory of 2972 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\RPBHFLR.exe
PID 1712 wrote to memory of 2912 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\tpGNpqm.exe
PID 1712 wrote to memory of 1824 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\CPzsdaq.exe
PID 1712 wrote to memory of 1800 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\BzgtDGn.exe
PID 1712 wrote to memory of 2180 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\RNRQpgr.exe
PID 1712 wrote to memory of 2176 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\jdXJEaO.exe
PID 1712 wrote to memory of 820 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\toqenLd.exe
PID 1712 wrote to memory of 960 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\VGCbAMZ.exe
PID 1712 wrote to memory of 1480 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\QdHPKXG.exe
PID 1712 wrote to memory of 1656 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\NyqGdGq.exe
PID 1712 wrote to memory of 1564 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\ldgNxaV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\UzIgcNL.exe

C:\Windows\System\UzIgcNL.exe

C:\Windows\System\tMTgDmC.exe

C:\Windows\System\tMTgDmC.exe

C:\Windows\System\NyMhfnT.exe

C:\Windows\System\NyMhfnT.exe

C:\Windows\System\SALqMvv.exe

C:\Windows\System\SALqMvv.exe

C:\Windows\System\BcYYZxd.exe

C:\Windows\System\BcYYZxd.exe

C:\Windows\System\dHXJnWF.exe

C:\Windows\System\dHXJnWF.exe

C:\Windows\System\ekPniQc.exe

C:\Windows\System\ekPniQc.exe

C:\Windows\System\pNWWhbW.exe

C:\Windows\System\pNWWhbW.exe

C:\Windows\System\ISybEKC.exe

C:\Windows\System\ISybEKC.exe

C:\Windows\System\xvSNfDS.exe

C:\Windows\System\xvSNfDS.exe

C:\Windows\System\RPBHFLR.exe

C:\Windows\System\RPBHFLR.exe

C:\Windows\System\tpGNpqm.exe

C:\Windows\System\tpGNpqm.exe

C:\Windows\System\CPzsdaq.exe

C:\Windows\System\CPzsdaq.exe

C:\Windows\System\BzgtDGn.exe

C:\Windows\System\BzgtDGn.exe

C:\Windows\System\RNRQpgr.exe

C:\Windows\System\RNRQpgr.exe

C:\Windows\System\jdXJEaO.exe

C:\Windows\System\jdXJEaO.exe

C:\Windows\System\toqenLd.exe

C:\Windows\System\toqenLd.exe

C:\Windows\System\VGCbAMZ.exe

C:\Windows\System\VGCbAMZ.exe

C:\Windows\System\QdHPKXG.exe

C:\Windows\System\QdHPKXG.exe

C:\Windows\System\NyqGdGq.exe

C:\Windows\System\NyqGdGq.exe

C:\Windows\System\ldgNxaV.exe

C:\Windows\System\ldgNxaV.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 connections)

Files

memory/1712-0-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/1712-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\UzIgcNL.exe

MD5 074073c05e07dc18bed8fe0a9317d2a3
SHA1 e26078e00c31bdec44509d665800214e3fb0806e
SHA256 ee3e2e4efb92651927525fb94df5693504f9e1c84db327876110b1ce61ff7924
SHA512 f46f6750ff6b5e1202545715a98202868131ea25c5606034aed2b049c2f5ec8b33c38225be02f0643907b889acbd6544034febd19c25005ba1f063c773e21d62

memory/1712-6-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2372-9-0x000000013FFF0000-0x0000000140344000-memory.dmp

C:\Windows\system\tMTgDmC.exe

MD5 e919da89f139c34624be7ff770e074f1
SHA1 091103cc088b77f752d6ae860eae914b985f58c3
SHA256 dfbb31efb9d251c7589207bfcf80cb8e22dd0e5832983b3bf2785a143352cb88
SHA512 0c66b780cc7a0995e92026572b60a83abc98b24b241c13f4a94f50b474750b1e9d7ced285a75a3457ddba5cff991ea797a4518b913faa0a1b0a892bd80aad96b

memory/2400-16-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/1712-14-0x000000013F6C0000-0x000000013FA14000-memory.dmp

C:\Windows\system\NyMhfnT.exe

MD5 c389743c3e0c3c2aad5a0204914bd0fe
SHA1 3e5ca33160322509fe007d47b9152c4b19176bc3
SHA256 10760ae5fa1fa9c1bf2e827a0e8d605819945c2dc5bb673f5756252edb1ffc16
SHA512 31e41e84d01d2c12becf6618278c904fcf29fae0b9b086c6453ad8f8892454e04a549c2ed6369c9db511bcc0d4a88d97a0dcadb62a4d9df010e94fc7fd5b9f5b

C:\Windows\system\SALqMvv.exe

MD5 0428687c0f09cbed174ad0d3e516edae
SHA1 f30caa7d763f38cef7d5e0f04bb32704e3391e46
SHA256 d1b9e01e71cdeeb773f36acaafcd58856d24b3740f4ddc7e9cf6dcb9834b7735
SHA512 993b205504c0f4af04bb147984d598c02b26e303fecbc28a199999b8ae3bb23b39a4a2ed5cb3ed5c5730e4cc04826e13f6b900bf84c1b4b6d55a7475c0a08cd0

memory/2552-29-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/1712-28-0x000000013F490000-0x000000013F7E4000-memory.dmp

\Windows\system\BcYYZxd.exe

MD5 fc3accb50880168ddae19412d800d68a
SHA1 7991097771c7ae094088ec7739701d336b301433
SHA256 fd5cdc7f479b96fff058941e380571e42734da93f87db961ba3950476ab35f0a
SHA512 775e973f82757a3c4759a2b0235acf30e62dcdefc77e0354e407c2a7d660a773f5c6f9db776111a7c16c7aa6617279d41e63c56de1a79c38a94d3306b8c2847d

memory/1712-32-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/1712-21-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2740-25-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2616-38-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/1712-43-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2692-44-0x000000013FDC0000-0x0000000140114000-memory.dmp

\Windows\system\dHXJnWF.exe

MD5 ef220b8ddd69264ba45b812699285259
SHA1 c37e115d347bebe3386d3814c52c09f13da8f424
SHA256 fd804f862500469d0cb8b50efc7f61373cb4401907802c6c9774e287f88e5c04
SHA512 98010a63ea64df79384557322297414f2824868872dbb106d7826a3010dee7b95a487db5fb085b50a368d6e248790d08c368e6c19c2986d160b3c876f8070d4e

\Windows\system\ekPniQc.exe

MD5 bef4340c9dd4f0fab2663cf84b5714ff
SHA1 535528dc6d38294fcf2c9b7722f00f8d8f90d4a1
SHA256 653188f864b89540cdd6ce4a9c6737753e31ce4ec0ce5123827292df94ca33dc
SHA512 4d90bf1be1cf776ba36509f366aa55bdd04a58cedfcce38b59f53d92b18919f772354493981dbaf248accc300a951aa84fad165779d81c4916f51006fc31b7da

C:\Windows\system\pNWWhbW.exe

MD5 29a63f246b95061fffdffd68f6336fc9
SHA1 33e2abf24410532e48dcc4950aa718f9c6826562
SHA256 cab26e6d9e74133182022a5bb87de1e80ad2c41d6ebd05322fac53eb94003cb3
SHA512 80dac8cd3094beaa9795f61ea9ac0b54aaf451622bc29ac1933b34e440cd20d79ee68745825bb5ff0ed2a029ba74e074fc27c2a902511ef74878699b39b430a5

memory/2372-56-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2488-57-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/2576-50-0x000000013F8B0000-0x000000013FC04000-memory.dmp

C:\Windows\system\ISybEKC.exe

MD5 1fa7769a3aa3b52ee59430dca3fffb42
SHA1 e8f383cc876eac5a60aad39014d1e6e896490c45
SHA256 1da39503a34e6b4ba3ee19d23f9b39af898df8e76fb113f3781261a27b5fb7c6
SHA512 1f2b9a8e9a00d7bf854312e6d5874c015f640ee0a60afd0c47539e13873b52851c436fc0c799452eb31c70c678cf2f49ffc2726bb971c2d7e0c8ed7d273ab3a5

memory/1712-65-0x000000013F210000-0x000000013F564000-memory.dmp

memory/940-66-0x000000013F210000-0x000000013F564000-memory.dmp

memory/2740-64-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2400-63-0x000000013F6C0000-0x000000013FA14000-memory.dmp

\Windows\system\xvSNfDS.exe

MD5 93bcb0b14473e06ba99888194e857db5
SHA1 9052f2a51aeaea4ae52ae219ce08347c74c637ff
SHA256 39558e7b41650a665b9670207428f4e42c8dcb6207ad93266db4ffe394bc4957

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 08:29

Reported

2024-06-10 08:32

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gQBxBER.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RejVoIv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KwENJgJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bCZjQdf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UiYkZDv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wqnMwyW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sILNLJI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xWokFdl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YccMvoE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CDqztkE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ojhgsGM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IXPEFgc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dMmXJlK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BDHcJpf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\szpBgXh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RLVTufY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oVMPaGm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IcHamls.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tQBDVYU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QlCNkvT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NvNoFWr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\YccMvoE.exe
PID 2284 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\NvNoFWr.exe
PID 2284 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\wqnMwyW.exe
PID 2284 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\szpBgXh.exe
PID 2284 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\RLVTufY.exe
PID 2284 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\gQBxBER.exe
PID 2284 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\oVMPaGm.exe
PID 2284 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\IcHamls.exe
PID 2284 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\CDqztkE.exe
PID 2284 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\RejVoIv.exe
PID 2284 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\ojhgsGM.exe
PID 2284 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\tQBDVYU.exe
PID 2284 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\IXPEFgc.exe
PID 2284 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\dMmXJlK.exe
PID 2284 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\QlCNkvT.exe
PID 2284 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\sILNLJI.exe
PID 2284 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\KwENJgJ.exe
PID 2284 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\bCZjQdf.exe
PID 2284 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\BDHcJpf.exe
PID 2284 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\UiYkZDv.exe
PID 2284 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe C:\Windows\System\xWokFdl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e307d69d16ac5b81f18a685d75eaf83_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\YccMvoE.exe

C:\Windows\System\YccMvoE.exe

C:\Windows\System\NvNoFWr.exe

C:\Windows\System\NvNoFWr.exe

C:\Windows\System\wqnMwyW.exe

C:\Windows\System\wqnMwyW.exe

C:\Windows\System\szpBgXh.exe

C:\Windows\System\szpBgXh.exe

C:\Windows\System\RLVTufY.exe

C:\Windows\System\RLVTufY.exe

C:\Windows\System\gQBxBER.exe

C:\Windows\System\gQBxBER.exe

C:\Windows\System\oVMPaGm.exe

C:\Windows\System\oVMPaGm.exe

C:\Windows\System\IcHamls.exe

C:\Windows\System\IcHamls.exe

C:\Windows\System\CDqztkE.exe

C:\Windows\System\CDqztkE.exe

C:\Windows\System\RejVoIv.exe

C:\Windows\System\RejVoIv.exe

C:\Windows\System\ojhgsGM.exe

C:\Windows\System\ojhgsGM.exe

C:\Windows\System\tQBDVYU.exe

C:\Windows\System\tQBDVYU.exe

C:\Windows\System\IXPEFgc.exe

C:\Windows\System\IXPEFgc.exe

C:\Windows\System\dMmXJlK.exe

C:\Windows\System\dMmXJlK.exe

C:\Windows\System\QlCNkvT.exe

C:\Windows\System\QlCNkvT.exe

C:\Windows\System\sILNLJI.exe

C:\Windows\System\sILNLJI.exe

C:\Windows\System\KwENJgJ.exe

C:\Windows\System\KwENJgJ.exe

C:\Windows\System\bCZjQdf.exe

C:\Windows\System\bCZjQdf.exe

C:\Windows\System\BDHcJpf.exe

C:\Windows\System\BDHcJpf.exe

C:\Windows\System\UiYkZDv.exe

C:\Windows\System\UiYkZDv.exe

C:\Windows\System\xWokFdl.exe

C:\Windows\System\xWokFdl.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
