Malware Analysis Report

2024-10-16 03:07

Sample ID 240608-exaa1sgh4x
Target 2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike
SHA256 c3e0edc380ba1652971834f4c15b72f2e9f5db0441cafdcb351438179cc4e4fe
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c3e0edc380ba1652971834f4c15b72f2e9f5db0441cafdcb351438179cc4e4fe

Threat Level: Known bad

The file 2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

Detects Reflective DLL injection artifacts

Xmrig family

XMRig Miner payload

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 04:18

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 04:18

Reported

2024-06-08 04:21

Platform

win7-20240508-en

Max time kernel

135s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches; no description, indicator, process or target detail was exported for this signature.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches; no description, indicator, process or target detail was exported for this signature.

UPX dump on OEP (original entry point)

Description Indicator Process Target
51 matches; no description, indicator, process or target detail was exported for this signature.

XMRig Miner payload

miner
Description Indicator Process Target
54 matches; no description, indicator, process or target detail was exported for this signature.

Loads dropped DLL

Description Indicator Process Target
21 loads, all by C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe; the loaded module names were not exported.

UPX packed file

upx
Description Indicator Process Target
51 matches; no description, indicator, process or target detail was exported for this signature.

Drops file in Windows directory

All 21 files are written by the submitted sample to C:\Windows\System\ (the legacy 16-bit directory, not System32) under seven-letter mixed-case names, and each one is subsequently launched as a child process (see the WriteProcessMemory and Processes sections below).

Description Indicator Process Target
File created C:\Windows\System\Vnmsqqi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JTwtSgq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vCAuASS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yRatOOi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nnQmUNj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UekdhIj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tiQiMtm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IDPlxFk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BoQnfab.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UwIAHwQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NyJxBgm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PcPUFQq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QthkMUu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FkJoAIP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ONSAprv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XmjLCtc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EojtsyN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OwcDVnK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FkBjZBp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MvKbPSV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UWHDCPJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege (2 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the right required to allocate large pages; XMRig enables it to back its huge-page mining buffers, so this signature corroborates the XMRig Miner payload detection above rather than standing on its own.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1508 wrote to memory of 1864 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\FkJoAIP.exe
PID 1508 wrote to memory of 2116 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\ONSAprv.exe
PID 1508 wrote to memory of 2604 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\XmjLCtc.exe
PID 1508 wrote to memory of 2652 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\vCAuASS.exe
PID 1508 wrote to memory of 2736 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\BoQnfab.exe
PID 1508 wrote to memory of 2916 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\EojtsyN.exe
PID 1508 wrote to memory of 2660 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\OwcDVnK.exe
PID 1508 wrote to memory of 2276 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\FkBjZBp.exe
PID 1508 wrote to memory of 2808 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\PcPUFQq.exe
PID 1508 wrote to memory of 2540 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\yRatOOi.exe
PID 1508 wrote to memory of 2696 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\Vnmsqqi.exe
PID 1508 wrote to memory of 2684 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\QthkMUu.exe
PID 1508 wrote to memory of 2700 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\nnQmUNj.exe
PID 1508 wrote to memory of 2532 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\MvKbPSV.exe
PID 1508 wrote to memory of 2584 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\UWHDCPJ.exe
PID 1508 wrote to memory of 3024 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\UekdhIj.exe
PID 1508 wrote to memory of 1952 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\JTwtSgq.exe
PID 1508 wrote to memory of 1804 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\tiQiMtm.exe
PID 1508 wrote to memory of 1936 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\IDPlxFk.exe
PID 1508 wrote to memory of 2580 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\UwIAHwQ.exe
PID 1508 wrote to memory of 2788 (3 write events) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\NyJxBgm.exe
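The flattened "Description Indicator Process Target" rows above are what an analyst usually has to work from, so the following added example (written for this page, not code from the sandbox vendor) parses the raw per-event row formats seen in this report ("File created ...", "Token: ...", "PID a wrote to memory of b ...") into a process tree with per-child write counts, and flags the drop pattern this sample uses: a seven-letter mixed-case executable name directly under C:\Windows\System\. The embedded rows are a constructed excerpt (three of the 21 children, the two token rows, plus one benign row that is not in the report); the parser assumes the Process and Target columns contain no spaces, which holds for every row in this report but would need a column-aware export for paths such as C:\Program Files.

```python
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe"

# Constructed excerpt of the raw signature rows from this report. The
# notes.txt row is invented here to show a drop that is NOT flagged.
ROWS = rf"""
File created C:\Windows\System\Vnmsqqi.exe {SAMPLE} N/A
File created C:\Windows\System\FkJoAIP.exe {SAMPLE} N/A
File created C:\Windows\System\ONSAprv.exe {SAMPLE} N/A
File created C:\Users\Admin\AppData\Local\Temp\notes.txt {SAMPLE} N/A
Token: SeLockMemoryPrivilege N/A {SAMPLE} N/A
Token: SeLockMemoryPrivilege N/A {SAMPLE} N/A
PID 1508 wrote to memory of 1864 N/A {SAMPLE} C:\Windows\System\FkJoAIP.exe
PID 1508 wrote to memory of 1864 N/A {SAMPLE} C:\Windows\System\FkJoAIP.exe
PID 1508 wrote to memory of 1864 N/A {SAMPLE} C:\Windows\System\FkJoAIP.exe
PID 1508 wrote to memory of 2116 N/A {SAMPLE} C:\Windows\System\ONSAprv.exe
PID 1508 wrote to memory of 2116 N/A {SAMPLE} C:\Windows\System\ONSAprv.exe
PID 1508 wrote to memory of 2116 N/A {SAMPLE} C:\Windows\System\ONSAprv.exe
PID 1508 wrote to memory of 2604 N/A {SAMPLE} C:\Windows\System\XmjLCtc.exe
PID 1508 wrote to memory of 2604 N/A {SAMPLE} C:\Windows\System\XmjLCtc.exe
PID 1508 wrote to memory of 2604 N/A {SAMPLE} C:\Windows\System\XmjLCtc.exe
"""

# Row shapes as they appear in the report: Description (may contain spaces),
# Indicator (always N/A here), Process, Target. Process/Target hold no spaces.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
TOKEN_RE = re.compile(r"^Token: (\S+) N/A (\S+) N/A$")
# Seven-letter name directly under the legacy C:\Windows\System\ directory,
# the pattern every dropped file in this report follows.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_rows(text):
    """Split flattened rows into drops, token adjustments and cross-process writes."""
    drops, tokens, writes = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := DROP_RE.match(line):
            drops.append({"path": m.group(1), "process": m.group(2)})
        elif m := TOKEN_RE.match(line):
            tokens.append({"privilege": m.group(1), "process": m.group(2)})
        elif m := WRITE_RE.match(line):
            writes.append({"src_pid": int(m.group(1)), "dst_pid": int(m.group(2)),
                           "src": m.group(3), "dst": m.group(4)})
    return drops, tokens, writes


def process_tree(writes):
    """Collapse per-event write rows into {src_pid: {dst_pid: {image, writes}}}."""
    tree = defaultdict(dict)
    for w in writes:
        node = tree[w["src_pid"]].setdefault(w["dst_pid"], {"image": w["dst"], "writes": 0})
        node["writes"] += 1
    return dict(tree)


def is_random_drop(path):
    """True for the C:\\Windows\\System\\XXXXXXX.exe naming used by this sample."""
    return bool(RANDOM_NAME_RE.match(path))


def triage(text):
    """One pass over the rows: tree, flagged drop paths, privileges requested."""
    drops, tokens, writes = parse_rows(text)
    return {
        "tree": process_tree(writes),
        "flagged_drops": sorted({d["path"] for d in drops if is_random_drop(d["path"])}),
        "privileges": sorted({t["privilege"] for t in tokens}),
    }


if __name__ == "__main__":
    result = triage(ROWS)
    for parent, children in result["tree"].items():
        print(f"PID {parent}")
        for pid, info in children.items():
            print(f"  -> PID {pid} {info['image']} ({info['writes']} writes)")
    print("flagged drops:", *result["flagged_drops"], sep="\n  ")
    print("privileges:", result["privileges"])
```

The three writes per child are left as a count rather than collapsed away, since a parent that writes into every freshly created child is itself a useful hunting signal alongside the drop location and the SeLockMemoryPrivilege request.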

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe (PID 1508)

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe"

Children of PID 1508, in launch order (PIDs taken from the WriteProcessMemory table above; each child's command line is its bare image path):

1864 C:\Windows\System\FkJoAIP.exe
2116 C:\Windows\System\ONSAprv.exe
2604 C:\Windows\System\XmjLCtc.exe
2652 C:\Windows\System\vCAuASS.exe
2736 C:\Windows\System\BoQnfab.exe
2916 C:\Windows\System\EojtsyN.exe
2660 C:\Windows\System\OwcDVnK.exe
2276 C:\Windows\System\FkBjZBp.exe
2808 C:\Windows\System\PcPUFQq.exe
2540 C:\Windows\System\yRatOOi.exe
2696 C:\Windows\System\Vnmsqqi.exe
2684 C:\Windows\System\QthkMUu.exe
2700 C:\Windows\System\nnQmUNj.exe
2532 C:\Windows\System\MvKbPSV.exe
2584 C:\Windows\System\UWHDCPJ.exe
3024 C:\Windows\System\UekdhIj.exe
1952 C:\Windows\System\JTwtSgq.exe
1804 C:\Windows\System\tiQiMtm.exe
1936 C:\Windows\System\IDPlxFk.exe
2580 C:\Windows\System\UwIAHwQ.exe
2788 C:\Windows\System\NyJxBgm.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 connections, no domain resolved)

Files

memory/1508-0-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/1508-1-0x00000000002F0000-0x0000000000300000-memory.dmp

\Windows\system\FkJoAIP.exe

MD5 e1752158b755a05e70e46991ef769488
SHA1 4e5632b376b920d8ddb1f7341ac1247d3f632d4d
SHA256 6d9ef2daa7b90b8d6352fc80d2c38b7d013fd0122ca035eca57b32e84039bd72
SHA512 f3d872404bd46a0b271264ce70caaf05274e22bae623899d0e5d609185df32639e8f3cce42a3478cc4e8f8bad5aec586e2a32bcc3611ee1d857f2fe4bbac2110

C:\Windows\system\ONSAprv.exe

MD5 eb8d25cfbfee160c651521be7b369792
SHA1 ac1115fa3ac40b34e300da9f0f5f5dc287e55cc4
SHA256 f970be617c70fe881b7e554c59839dc812bcd3967b8c9e0ad064ea07014b42c8
SHA512 c516bd883615ac4b03011c2a438179a299759e74b1f8b9703b3872085b866c3e05dbcc8171903ec4af90f541149f25684417c8e1fbc5f2c3fb02f296228d1b1a

C:\Windows\system\XmjLCtc.exe

MD5 b2791449fcefcc0688c4943fcf189ac8
SHA1 81508589ad6ea2d41ae6c08c103f0a29369fbacf
SHA256 a58bb1f41f07a0b6d30e3806775cde237901e11917ab99dd149f44bae436a8e5
SHA512 78ac63fe8b43478775fdcbbc6d59930c605f697f5ba0e1b27b5af6950ab7b89f0e76a49e4484611070494313c33be03e69dc97740633dc6468f0aa393ed69e40

\Windows\system\vCAuASS.exe

MD5 2da8fe4f730d09f46b8faeab20ef7640
SHA1 1aa02a21ffd289352ab2a7a9da629a22683b0574
SHA256 88fde3655637a75387c176465ee780a673438d53941e14e44ad53b526a4b0300
SHA512 75aee4fd38baab40d9d1f77335215e244698a7a91eb8c85f777885c5f2e7c17469885bb8a0f129c2a683b3b12ed538d99393e5a002c2e6ad5c859e1470d457da

C:\Windows\system\BoQnfab.exe

MD5 d7014d19b7692664a5ee9ce70f5b614e
SHA1 d8a04573fb0ecfce1a13b322f45f53075960046c
SHA256 7574dacd0048dabd01f7970bc07f423b9ddc2b2b7d39f66aafb12e1fc5303dc6
SHA512 21e98b1facfe2378d2d4a37aaa920fbb7e2c44e60da212e929ab4880a1d3921b564ef55d7c632c2e15cbf3fea678ec78fe07f31eac459b921f96ea79597eaf3c

C:\Windows\system\EojtsyN.exe

MD5 b7f4d19383c9bbd79070d36503d82c7b
SHA1 ab3169fd3f1067a11e0a5186bb41b925cbe00b60
SHA256 bb56d4f19f2d4fcde214d6d2666fc5ae04ba5daf655a121246d7db4363ed8e6a
SHA512 cbaf12a27f3b0b702a17fb6b00285556e937f1712c7a6c4bfe26162cf4a4d39bb2d779a65e909219dbf79f07c13cf6b83f96e5a26ebeaf4d3d4d7783e526e1b2

C:\Windows\system\OwcDVnK.exe

MD5 08a0340dea2fb9dec723d4ddd7ed8aa1
SHA1 68c84322e05be3b0681824492a3af773f0e6e77b
SHA256 3e453bf91eb253db5a9b38c744fffaeaf88a533aafae4f853562ff70e0d587a4
SHA512 6e124151938be1d5de24c78ba002820e5e7dee055fb4a7dffac5224205200564e428c5bdeb6bda1f7744ada3bb2298869a7cbdbb7d78c08fc2e786e967749315

C:\Windows\system\FkBjZBp.exe

MD5 99d129b02e64f1ce33df8b60e6daa4e8
SHA1 7da94f816176d0b0812c2bb9e2a635694ba3d0ec
SHA256 ca96f72e4beee81847192529b95f3f11882ebd66a7135a2a2324b89de0867520
SHA512 d9eecde2124eddd2820a2d977b09fbebc19ce12226a367c560d1fc9907e881abcc63ce2f7e420b122f63f6aa54c75f55a126fd4463923b4586908964770382ba

C:\Windows\system\PcPUFQq.exe

MD5 7fd945f0f1a41e7f160e219e2d3e55e7
SHA1 d7e0b3189bbcd1c7235566ad45be0d4416ec20e1
SHA256 db2e29c77d718b524c4515969d65d7fa39746cb1aab0a69e0819ecabbfb34d29
SHA512 e4f081efc221f49a4f660f4914949924b0a93643f59a51b6aae0ae378501205822d66e00e2296e302ea23f9208f1a464ee719898af9d09658b973eb43bb25ac8

C:\Windows\system\Vnmsqqi.exe

MD5 20ddcf1e5ca51acae88ca9cee4bfb787
SHA1 292dcd916ad31ae37388d897238e4ad2fcf8ff0f
SHA256 d79d01e90bfe323e786d6feb8a0dfa42d70de34cfa16c96c754f81720795577b
SHA512 ff4ab42f58739769ad45725b0942a0ab13c0b9dd62c9ddd025c138ad8388e5ee9f2a4a94ce49711de36009803652f311268a153b63e193e307ac58a50a8590ac

C:\Windows\system\tiQiMtm.exe

MD5 3ef93bac881ba4431c5aef7b6c78614e
SHA1 dee96033e0075e487cbc8dc05ff918cb03cf9184
SHA256 e0cb57410a2cc146c5432453feb72787d18653a191410c664d1f14e84c05d98c
SHA512 dbd107ee11547a364386078ca40093eb7a2fcd87221c14681b44c02f4016ca8d5afddc2d6b34507ce3ffc1cfe34d26d7160f20fa3ef8db6f5759a23cc8542749

\Windows\system\UwIAHwQ.exe

MD5 30386e5f405dffd2de7481daed73c1c8
SHA1 b2f3fd3c41fe2dbe4856e9a51459729f51d61547
SHA256 481686b8977069b65e7176eeb30d15f23e5237869d0f3c1f69a298dccf85b503
SHA512 0fadd3f1e57cf17b8af340b1caf18f12484013c2b540290c4cd40a6b0740d4fd0128cc6b0ca45b519badd96bea28b278d7183d8242431ee56a4cda8ddb7b49c5

C:\Windows\system\NyJxBgm.exe

MD5 49aee70bf267e7d2f41a0ecc07fa1aed
SHA1 4b1d9cc705e5f97f0853df6d01035c3b80bec186
SHA256 366e9142de354d90b46cd5c36efde492dba63551c0dac17326004f1c3d8d4ec3
SHA512 d49f185e784a8876b64f43985af96860768bef94e424822e7820a0b4fff04447657c4df1621cb1008c2377a4a2cbd77d207bee6a35c29bab6185e0c44bf2b3ca

C:\Windows\system\IDPlxFk.exe

MD5 5e88c76a15631fa85da79a1940d70b2d
SHA1 b48581de432b58d62c010044e2f596482f02f703
SHA256 fbd33763c0889f60c798414b9bd4b19b2f1f9cf8d2d8497810c723e407da2e18
SHA512 21cd851e12bbad16edccf5724b0873cb30956e90b08f03ede0ed5fd00083cc49591397ebc7d1663c6acf4df687c02fbcb723fbd380a87451e5d146d3b31dcd0f

memory/2700-125-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/1508-128-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/1508-127-0x000000013F180000-0x000000013F4D4000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 04:18

Reported

2024-06-08 04:21

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\aUKkoBW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZARMArD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IMlTLjz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HFNhGgh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YrmfWDK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pAQGVpj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TCsAxdk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yeKqTEf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RMGjlir.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mwgyoSd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dBYpokm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jgqdDsV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jwMIrak.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VKdFNtM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tdPyoYB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zfviUJA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RPFiAHW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YZRnNdL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SsrKXSL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rzSIdld.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QTdasCd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1168 wrote to memory of 5312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\IMlTLjz.exe
PID 1168 wrote to memory of 5312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\IMlTLjz.exe
PID 1168 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\jwMIrak.exe
PID 1168 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\jwMIrak.exe
PID 1168 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\yeKqTEf.exe
PID 1168 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\yeKqTEf.exe
PID 1168 wrote to memory of 5364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\VKdFNtM.exe
PID 1168 wrote to memory of 5364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\VKdFNtM.exe
PID 1168 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\RPFiAHW.exe
PID 1168 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\RPFiAHW.exe
PID 1168 wrote to memory of 5764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\HFNhGgh.exe
PID 1168 wrote to memory of 5764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\HFNhGgh.exe
PID 1168 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\YZRnNdL.exe
PID 1168 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\YZRnNdL.exe
PID 1168 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\YrmfWDK.exe
PID 1168 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\YrmfWDK.exe
PID 1168 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\RMGjlir.exe
PID 1168 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\RMGjlir.exe
PID 1168 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\SsrKXSL.exe
PID 1168 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\SsrKXSL.exe
PID 1168 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\rzSIdld.exe
PID 1168 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\rzSIdld.exe
PID 1168 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\QTdasCd.exe
PID 1168 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\QTdasCd.exe
PID 1168 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\mwgyoSd.exe
PID 1168 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\mwgyoSd.exe
PID 1168 wrote to memory of 5336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\pAQGVpj.exe
PID 1168 wrote to memory of 5336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\pAQGVpj.exe
PID 1168 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\TCsAxdk.exe
PID 1168 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\TCsAxdk.exe
PID 1168 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\dBYpokm.exe
PID 1168 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\dBYpokm.exe
PID 1168 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\aUKkoBW.exe
PID 1168 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\aUKkoBW.exe
PID 1168 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\zfviUJA.exe
PID 1168 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\zfviUJA.exe
PID 1168 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\tdPyoYB.exe
PID 1168 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\tdPyoYB.exe
PID 1168 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\jgqdDsV.exe
PID 1168 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\jgqdDsV.exe
PID 1168 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZARMArD.exe
PID 1168 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZARMArD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\IMlTLjz.exe

C:\Windows\System\IMlTLjz.exe

C:\Windows\System\jwMIrak.exe

C:\Windows\System\jwMIrak.exe

C:\Windows\System\yeKqTEf.exe

C:\Windows\System\yeKqTEf.exe

C:\Windows\System\VKdFNtM.exe

C:\Windows\System\VKdFNtM.exe

C:\Windows\System\RPFiAHW.exe

C:\Windows\System\RPFiAHW.exe

C:\Windows\System\HFNhGgh.exe

C:\Windows\System\HFNhGgh.exe

C:\Windows\System\YZRnNdL.exe

C:\Windows\System\YZRnNdL.exe

C:\Windows\System\YrmfWDK.exe

C:\Windows\System\YrmfWDK.exe

C:\Windows\System\RMGjlir.exe

C:\Windows\System\RMGjlir.exe

C:\Windows\System\SsrKXSL.exe

C:\Windows\System\SsrKXSL.exe

C:\Windows\System\rzSIdld.exe

C:\Windows\System\rzSIdld.exe

C:\Windows\System\QTdasCd.exe

C:\Windows\System\QTdasCd.exe

C:\Windows\System\mwgyoSd.exe

C:\Windows\System\mwgyoSd.exe

C:\Windows\System\pAQGVpj.exe

C:\Windows\System\pAQGVpj.exe

C:\Windows\System\TCsAxdk.exe

C:\Windows\System\TCsAxdk.exe

C:\Windows\System\dBYpokm.exe

C:\Windows\System\dBYpokm.exe

C:\Windows\System\aUKkoBW.exe

C:\Windows\System\aUKkoBW.exe

C:\Windows\System\zfviUJA.exe

C:\Windows\System\zfviUJA.exe

C:\Windows\System\tdPyoYB.exe

C:\Windows\System\tdPyoYB.exe

C:\Windows\System\jgqdDsV.exe

C:\Windows\System\jgqdDsV.exe

C:\Windows\System\ZARMArD.exe

C:\Windows\System\ZARMArD.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
