Malware Analysis Report

2024-10-16 03:08

Sample ID 240608-k1nkpsbe56
Target 2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike
SHA256 6ea274aa925818a86a00bd0e3f34b677ae5aac9db0e232694e6238f99b6ec894
Tags
miner upx xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6ea274aa925818a86a00bd0e3f34b677ae5aac9db0e232694e6238f99b6ec894

Threat Level: Known bad

The file 2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike

UPX dump on OEP (original entry point)

Xmrig family

Detects Reflective DLL injection artifacts

Cobaltstrike family

XMRig Miner payload

xmrig

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 09:04

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 09:04

Reported

2024-06-08 09:06

Platform

win7-20240215-en

Max time kernel

135s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 hits; description, indicator, process and target not recorded (N/A).

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 hits; description, indicator, process and target not recorded (N/A).

UPX dump on OEP (original entry point)

Description Indicator Process Target
52 hits; description, indicator, process and target not recorded (N/A).

XMRig Miner payload

miner
Description Indicator Process Target
54 hits; description, indicator, process and target not recorded (N/A).

Loads dropped DLL

Description Indicator Process Target
21 hits, each with Process = C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe; description, indicator and target not recorded (N/A).

UPX packed file

upx
Description Indicator Process Target
52 hits; description, indicator, process and target not recorded (N/A).

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\haOCwEt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LsLcBaR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OLzcbvX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kdLkOfz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NpaMfBR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PkBjCsn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kfLuEEy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WFKMele.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\heeOkeT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ftUJfRy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZUavGAv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KYhByon.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TzxQAId.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kOhnqYb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ePpTzQk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CkhXWsA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kgYxpJp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\opyAfxo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aZQbJPj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pIYPmda.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rksIDPY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A

SeLockMemoryPrivilege is the privilege a process needs to allocate large pages (MEM_LARGE_PAGES). XMRig enables it so that its RandomX dataset can be backed by huge pages, so these two hits are consistent with the miner classification in the tags above.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2616 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\PkBjCsn.exe
PID 2616 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\PkBjCsn.exe
PID 2616 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\PkBjCsn.exe
PID 2616 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\KYhByon.exe
PID 2616 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\KYhByon.exe
PID 2616 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\KYhByon.exe
PID 2616 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\opyAfxo.exe
PID 2616 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\opyAfxo.exe
PID 2616 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\opyAfxo.exe
PID 2616 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\kfLuEEy.exe
PID 2616 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\kfLuEEy.exe
PID 2616 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\kfLuEEy.exe
PID 2616 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\LsLcBaR.exe
PID 2616 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\LsLcBaR.exe
PID 2616 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\LsLcBaR.exe
PID 2616 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\OLzcbvX.exe
PID 2616 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\OLzcbvX.exe
PID 2616 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\OLzcbvX.exe
PID 2616 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\kdLkOfz.exe
PID 2616 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\kdLkOfz.exe
PID 2616 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\kdLkOfz.exe
PID 2616 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\aZQbJPj.exe
PID 2616 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\aZQbJPj.exe
PID 2616 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\aZQbJPj.exe
PID 2616 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TzxQAId.exe
PID 2616 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TzxQAId.exe
PID 2616 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TzxQAId.exe
PID 2616 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\kOhnqYb.exe
PID 2616 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\kOhnqYb.exe
PID 2616 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\kOhnqYb.exe
PID 2616 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ePpTzQk.exe
PID 2616 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ePpTzQk.exe
PID 2616 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ePpTzQk.exe
PID 2616 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\pIYPmda.exe
PID 2616 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\pIYPmda.exe
PID 2616 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\pIYPmda.exe
PID 2616 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ftUJfRy.exe
PID 2616 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ftUJfRy.exe
PID 2616 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ftUJfRy.exe
PID 2616 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZUavGAv.exe
PID 2616 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZUavGAv.exe
PID 2616 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZUavGAv.exe
PID 2616 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\rksIDPY.exe
PID 2616 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\rksIDPY.exe
PID 2616 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\rksIDPY.exe
PID 2616 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NpaMfBR.exe
PID 2616 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NpaMfBR.exe
PID 2616 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\NpaMfBR.exe
PID 2616 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CkhXWsA.exe
PID 2616 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CkhXWsA.exe
PID 2616 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CkhXWsA.exe
PID 2616 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\WFKMele.exe
PID 2616 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\WFKMele.exe
PID 2616 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\WFKMele.exe
PID 2616 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\heeOkeT.exe
PID 2616 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\heeOkeT.exe
PID 2616 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\heeOkeT.exe
PID 2616 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\kgYxpJp.exe
PID 2616 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\kgYxpJp.exe
PID 2616 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\kgYxpJp.exe
PID 2616 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\haOCwEt.exe
PID 2616 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\haOCwEt.exe
PID 2616 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\haOCwEt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\PkBjCsn.exe

C:\Windows\System\PkBjCsn.exe

C:\Windows\System\KYhByon.exe

C:\Windows\System\KYhByon.exe

C:\Windows\System\opyAfxo.exe

C:\Windows\System\opyAfxo.exe

C:\Windows\System\kfLuEEy.exe

C:\Windows\System\kfLuEEy.exe

C:\Windows\System\LsLcBaR.exe

C:\Windows\System\LsLcBaR.exe

C:\Windows\System\OLzcbvX.exe

C:\Windows\System\OLzcbvX.exe

C:\Windows\System\kdLkOfz.exe

C:\Windows\System\kdLkOfz.exe

C:\Windows\System\aZQbJPj.exe

C:\Windows\System\aZQbJPj.exe

C:\Windows\System\TzxQAId.exe

C:\Windows\System\TzxQAId.exe

C:\Windows\System\kOhnqYb.exe

C:\Windows\System\kOhnqYb.exe

C:\Windows\System\ePpTzQk.exe

C:\Windows\System\ePpTzQk.exe

C:\Windows\System\pIYPmda.exe

C:\Windows\System\pIYPmda.exe

C:\Windows\System\ftUJfRy.exe

C:\Windows\System\ftUJfRy.exe

C:\Windows\System\ZUavGAv.exe

C:\Windows\System\ZUavGAv.exe

C:\Windows\System\rksIDPY.exe

C:\Windows\System\rksIDPY.exe

C:\Windows\System\NpaMfBR.exe

C:\Windows\System\NpaMfBR.exe

C:\Windows\System\CkhXWsA.exe

C:\Windows\System\CkhXWsA.exe

C:\Windows\System\WFKMele.exe

C:\Windows\System\WFKMele.exe

C:\Windows\System\heeOkeT.exe

C:\Windows\System\heeOkeT.exe

C:\Windows\System\kgYxpJp.exe

C:\Windows\System\kgYxpJp.exe

C:\Windows\System\haOCwEt.exe

C:\Windows\System\haOCwEt.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain) tcp, 6 identical connections

Files

memory/2616-0-0x00000000001F0000-0x0000000000200000-memory.dmp

memory/2616-2-0x000000013FD10000-0x0000000140064000-memory.dmp

\Windows\system\PkBjCsn.exe

MD5 010d1eb14a124426e3ed44123460ed71
SHA1 412bde327a68f5376f49fc5ff88fba9a20764f38
SHA256 7a1458dd7c37c6c0fcd4d1625e769beec0299e6acb36b98f4e78ead1fc3c7a2a
SHA512 d689cabde710536d18cd270d2f3d0e7bf0ab99e602cff8da9dd221bd29fa1997fc98442defaae191f261004daae9984296d15b09593201f9cc0095e2e2995f56

memory/2616-6-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/3040-8-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

C:\Windows\system\KYhByon.exe

MD5 d56028a7f67e7670639c6df0d60332dc
SHA1 07a7296c37a4b8203978a8641271b8525377154c
SHA256 8b20c53461383353c2e1239a4c25856436544e2b06535e930270e0e4bbe34331
SHA512 bc699b7c0dd71f5ee73e2cc008a1d5251a5015c7a96d80811cc12d20d438ca3f0c64d75844f2d17c55f2699e3c713e730731d41a212e110bf90398fd0e2847ca

C:\Windows\system\opyAfxo.exe

MD5 c0302d361a99561f12dfa5d14564f3db
SHA1 ba205699bed7d0813ae5324589352d136cb36e52
SHA256 e5470591d85d3c29cf89bd481289eb8ff394a5cd3aea31b566c85663d56662df
SHA512 1ec893ccce7e10941bcc8866e4c90e4ed6b11a44f5bfc6ef4491071c6821dcc5ad0f2fdbba12b3e97734915979b499ac44516253141149500ec75fcf14b3d68e

C:\Windows\system\kfLuEEy.exe

MD5 23a993567a4f3a71d41ccea15983ea19
SHA1 3fb8c72f8a67274225f834f188f60d03c457855e
SHA256 f40c0495cc376144c29cb9930c58d5036adc56fd4a92273be08786156d065320
SHA512 3a5b2c092c39849a9076cd55c1d489632a04a48dfa8c93f291adf05607dc3414e7623490c7d775bd8598523249636adfebbd11848e05ba079063d651d8379f3a

C:\Windows\system\LsLcBaR.exe

MD5 26ad591567da8d01d706ca5cda50f41e
SHA1 85cf81a91fd5c1c08a9e2282ed12b5d64ebef801
SHA256 e52d5d356437160591db88a66c7881d3d2153a3052937130550bedd969dade47
SHA512 ebcd21b0abc3ae805cbdaa85b1d15351433eab751990de002b435e45990ef118894c86c6d92d48550660fac30c5b51a20f491f7c363ed3ef2d151f9662e3ce12

C:\Windows\system\OLzcbvX.exe

MD5 400ea84e424d01b38494ef40af37ba15
SHA1 c14c68925c52119eeb1a77fd9df2f1833116e1fd
SHA256 90101176b2d335cf27dec45f85dc6b37ad77a01b7d9b63fdaa2809c252fbb848
SHA512 00eff9fe9d9b3e844401ceb27f0ced7726b461e3125b863c4238e2080366a7da4462fa5d50b58d93f89e641a0d3ebf18fbc15191df3b712f562ac850ef2204b2

C:\Windows\system\aZQbJPj.exe

MD5 d6b7e9087da029a8803f4539628e51e9
SHA1 fc0fe52e906addb74cf47b6597c4e9fb2456e43d
SHA256 bbfd9264936a0e2a00d7b76089bd18210847370e1457eded66d254c29428c525
SHA512 8b3a27cb8296a06d99c65dd8a29c21ccb99aaaf4263df9b27a212a1c9afa2f1d0c9c519aee78f7e899bc412f925a919c2b848f7156cfd23eba14c6e6df679422

C:\Windows\system\kOhnqYb.exe

MD5 ceff06aed7982bc97b10677f5709dd9e
SHA1 008e04bf9576dde09ce8d5047e7289397aea189e
SHA256 880ab6cc3a3408d6265dddb4ae625ffd5f4de28d9083bfbed9fb578438d8e9c2
SHA512 577c8300b5bc29b7bc503b7b18fe2052c566055f62a1534ea9a20e9d2ef72b77530cd9316e3df970e0f8ac0525812785eca7063082e9e907f3b7d928df0d5c92

C:\Windows\system\NpaMfBR.exe

MD5 a40f3a854a279cbe41370f4db5027b1e
SHA1 c7f30292a658396fcd4526ad776632f5c12a6aba
SHA256 977b1206f3f4c1472999bbd261706af9143a7d72d3dbd80f9070408a8bc8b3bb
SHA512 b544b6600d76b2971d540b7baaf975e6a409cd42804a6d4fc74c080becf0871299f3d82e28d69da4ace5d36666a9f094de66a9b277450d28cd5ec4ccdc045e18

C:\Windows\system\WFKMele.exe

MD5 97b3d902457f382ba75656f5cca01f7e
SHA1 7331d99bd432182ce359dc0aae6f0bb411e8842c
SHA256 85461ff96705173f1b3f768e501253e9153db925f2e3b9e998d678e71b7a3a22
SHA512 5f0a822f8c6bbfab62dd0e82779b80b49aa02dbb9ee64bba82a4facb8dfa35e4e82ce0e708669d5d4fb178ada83cf35203e17cd1a8bd001cd178c6759a2e521c

C:\Windows\system\kgYxpJp.exe

MD5 4ef0b5f96c395a11c39001002687c867
SHA1 8dcb91c9ba23ede035ae69d5a480efcd33e7093e
SHA256 2bb2bc26545d8dabd8219448c9dbc4a4f06af34eebb3580630ca947a20d7823d
SHA512 7c5fad93a7a99b2dba099df9eadfe1664b45f0e73e9a7de4f3a85afe54f1dd043c1d072e4b821a7f84638a624855f95b16ed8470f345c433cfed4fd3e8baf29d

\Windows\system\haOCwEt.exe

MD5 bf84ccdfeb55cef0a9517ef9f490e76c
SHA1 6f5329a43599be1fa8f059bb53ee2a4486f97a84
SHA256 39675f0620061cc431b791abf1c4db36738feb580614812c2e5627cf6330d1da
SHA512 be1511d35ce170719e3e93ff7b8a401992318de61bb008e05df12655e2f03a0a788746d8b7e21a5c86dacfea87dcc49af82b70805e2ae85e5f555c5d3fc3e543

memory/2616-110-0x000000013F6F0000-0x000000013FA44000-memory.dmp

memory/2628-115-0x000000013F200000-0x000000013F554000-memory.dmp

memory/2508-125-0x000000013F200000-0x000000013F554000-memory.dmp

memory/2616-127-0x000000013F960000-0x000000013FCB4000-memory.dmp

memory/2616-129-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/548-130-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/2948-128-0x000000013F960000-0x000000013FCB4000-memory.dmp

memory/2936-126-0x000000013FDB0000-0x0000000140104000-memory.dmp

memory/2616-124-0x000000013F200000-0x000000013F554000-memory.dmp

memory/2432-123-0x000000013F480000-0x000000013F7D4000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 09:04

Reported

2024-06-08 09:06

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\WNORmkU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PhhfwHr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BbVkmLf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rQGbmFu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uGIVGVI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Vjpfpaf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bTIWWIM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RUeQpcj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\obUFaEJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CZgaMfJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iQdFyVA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SlnGsVg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WHaBAXc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KnwEZor.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\woqEzcE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dBsVzWk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TBhMmKk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SLebjxk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lcWZwPS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TUVOMTf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tgCXGRN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4808 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TUVOMTf.exe
PID 4808 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TUVOMTf.exe
PID 4808 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\WHaBAXc.exe
PID 4808 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\WHaBAXc.exe
PID 4808 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\PhhfwHr.exe
PID 4808 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\PhhfwHr.exe
PID 4808 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\KnwEZor.exe
PID 4808 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\KnwEZor.exe
PID 4808 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\bTIWWIM.exe
PID 4808 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\bTIWWIM.exe
PID 4808 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\RUeQpcj.exe
PID 4808 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\RUeQpcj.exe
PID 4808 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\uGIVGVI.exe
PID 4808 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\uGIVGVI.exe
PID 4808 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\tgCXGRN.exe
PID 4808 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\tgCXGRN.exe
PID 4808 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\Vjpfpaf.exe
PID 4808 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\Vjpfpaf.exe
PID 4808 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\woqEzcE.exe
PID 4808 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\woqEzcE.exe
PID 4808 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BbVkmLf.exe
PID 4808 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\BbVkmLf.exe
PID 4808 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\obUFaEJ.exe
PID 4808 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\obUFaEJ.exe
PID 4808 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\dBsVzWk.exe
PID 4808 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\dBsVzWk.exe
PID 4808 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CZgaMfJ.exe
PID 4808 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\CZgaMfJ.exe
PID 4808 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\iQdFyVA.exe
PID 4808 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\iQdFyVA.exe
PID 4808 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\WNORmkU.exe
PID 4808 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\WNORmkU.exe
PID 4808 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\SlnGsVg.exe
PID 4808 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\SlnGsVg.exe
PID 4808 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TBhMmKk.exe
PID 4808 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\TBhMmKk.exe
PID 4808 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\SLebjxk.exe
PID 4808 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\SLebjxk.exe
PID 4808 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\rQGbmFu.exe
PID 4808 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\rQGbmFu.exe
PID 4808 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\lcWZwPS.exe
PID 4808 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe C:\Windows\System\lcWZwPS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_22cfecb668528e4063d5457313c71c6c_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\TUVOMTf.exe

C:\Windows\System\TUVOMTf.exe

C:\Windows\System\WHaBAXc.exe

C:\Windows\System\WHaBAXc.exe

C:\Windows\System\PhhfwHr.exe

C:\Windows\System\PhhfwHr.exe

C:\Windows\System\KnwEZor.exe

C:\Windows\System\KnwEZor.exe

C:\Windows\System\bTIWWIM.exe

C:\Windows\System\bTIWWIM.exe

C:\Windows\System\RUeQpcj.exe

C:\Windows\System\RUeQpcj.exe

C:\Windows\System\uGIVGVI.exe

C:\Windows\System\uGIVGVI.exe

C:\Windows\System\tgCXGRN.exe

C:\Windows\System\tgCXGRN.exe

C:\Windows\System\Vjpfpaf.exe

C:\Windows\System\Vjpfpaf.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3124,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=4660 /prefetch:8

C:\Windows\System\woqEzcE.exe

C:\Windows\System\woqEzcE.exe

C:\Windows\System\BbVkmLf.exe

C:\Windows\System\BbVkmLf.exe

C:\Windows\System\obUFaEJ.exe

C:\Windows\System\obUFaEJ.exe

C:\Windows\System\dBsVzWk.exe

C:\Windows\System\dBsVzWk.exe

C:\Windows\System\CZgaMfJ.exe

C:\Windows\System\CZgaMfJ.exe

C:\Windows\System\iQdFyVA.exe

C:\Windows\System\iQdFyVA.exe

C:\Windows\System\WNORmkU.exe

C:\Windows\System\WNORmkU.exe

C:\Windows\System\SlnGsVg.exe

C:\Windows\System\SlnGsVg.exe

C:\Windows\System\TBhMmKk.exe

C:\Windows\System\TBhMmKk.exe

C:\Windows\System\SLebjxk.exe

C:\Windows\System\SLebjxk.exe

C:\Windows\System\rQGbmFu.exe

C:\Windows\System\rQGbmFu.exe

C:\Windows\System\lcWZwPS.exe

C:\Windows\System\lcWZwPS.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
