Malware Analysis Report

2024-10-16 03:08

Sample ID 240608-kmz2ksbe25
Target 2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike
SHA256 e6a9a78b4a8fa1f1902cc96b91650547fc41523c4e884912aa00f25d4673e683
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: e6a9a78b4a8fa1f1902cc96b91650547fc41523c4e884912aa00f25d4673e683
Threat Level: Known bad

The file 2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Families: xmrig, cobaltstrike

Signatures matched across the static1 and behavioral1 analyses (entries reported by both analyses are listed once):

XMRig Miner payload
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

What the behavioral1 run shows, read from the signature, process, network and file data in this report: the submitted executable (PID 1968) creates 21 executables with seven-letter mixed-case names under C:\Windows\System, starts every one of them, and writes into each child's memory three times. It enables SeLockMemoryPrivilege twice; that is the privilege a process needs for large-page allocations and the one XMRig requests for its RandomX memory. The only network activity is six TCP connections to 3.120.209.58:8080 (DE) with no domain recorded. The 21 dropped files all have different hashes, yet every dumped region in the Files section other than the parent's initial 64 KB one (0x3F0000-0x400000) is exactly 0x354000 bytes, in the parent and in each child alike, and for most children the same address range was dumped from the parent as well, matching the parent-to-child WriteProcessMemory events. The Cobalt Strike signatures are reflective-loader and reflective-DLL-injection pattern matches; the report extracts no beacon configuration, so that classification rests on those matches alone, while the XMRig payload signature, the SeLockMemoryPrivilege request and the fan-out of identical-size images are all consistent with a miner. No MITRE ATT&CK mapping is provided (N/A).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-08 08:43

Signatures

The static signatures record no description, indicator, process or target (every table field is N/A), so only the signature names and their family tags are listed:

Cobalt Strike reflective loader
Cobaltstrike family (tag: cobaltstrike)
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload (tag: miner)
Xmrig family (tag: xmrig)
UPX packed file (tag: upx)
Unsigned PE
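Two of the static signatures, "UPX packed file" and "Unsigned PE", can be reproduced from the file alone by reading the PE headers. The script below is an added example and is not part of this report or of the sandbox's own rules: it walks the DOS header, COFF header and optional header to read the section names (UPX leaves UPX0/UPX1 sections) and the security data directory (entry 4, empty when no Authenticode signature is attached). build_minimal_pe is a constructed helper that fabricates a header-only image so the check runs offline; the images it produces are test fixtures, not the analysed sample.

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: where an Authenticode blob is referenced


def inspect_pe(data: bytes) -> dict:
    """Read the section table and the security data directory of a PE image.
    Reports section names, whether any is UPX-style, and whether a certificate
    table is present (presence only: signature validity is not verified here)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    pe32plus = magic == 0x20B
    dirs = opt + (112 if pe32plus else 96)  # offset of DataDirectory[] inside the optional header
    _cert_off, cert_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR_INDEX)
    table = opt + opt_size  # section table follows the optional header; 40 bytes per entry
    names = []
    for i in range(nsections):
        raw = struct.unpack_from("8s", data, table + 40 * i)[0]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return {
        "pe32plus": pe32plus,
        "sections": names,
        "upx_sections": any(n.startswith("UPX") for n in names),
        "signed": cert_size != 0,
    }


def build_minimal_pe(section_names, signed=False, pe32plus=True) -> bytes:
    """Constructed fixture: DOS header, COFF header, optional header and section table
    only (no section data), which is all inspect_pe needs to read."""
    opt_size = 240 if pe32plus else 224
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    if signed:
        dirs = 112 if pe32plus else 96
        struct.pack_into("<II", opt, dirs + 8 * SECURITY_DIR_INDEX, 0x1000, 0x200)  # fake cert table
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, len(section_names),
                       0, 0, 0, opt_size, 0x22)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def inspect_file(path: str) -> dict:
    with open(path, "rb") as f:
        return inspect_pe(f.read())


if __name__ == "__main__":
    print(inspect_pe(build_minimal_pe(["UPX0", "UPX1", ".rsrc"])))
    print(inspect_pe(build_minimal_pe([".text", ".rdata", ".data"], signed=True, pe32plus=False)))
```

Both checks are deliberately weak in the same way the signatures are: a packer can rename its sections (UPX also leaves a "UPX!" marker near the headers, which is a second thing to look for), and a non-empty certificate table only says a signature is attached, not that it chains to a trusted root; use WinVerifyTrust or signtool for that.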

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-08 08:43
Reported: 2024-06-08 08:46
Platform: win7-20240419-en
Max time kernel: 142s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe"

Signatures

For the four signatures below the report carries only a row count; every description, indicator, process and target field in their tables is N/A, so the empty rows are summarised rather than reproduced.

Cobalt Strike reflective loader: 21 rows (all fields N/A)

Cobaltstrike
trojan backdoor cobaltstrike

xmrig
miner xmrig

Detects Reflective DLL injection artifacts: 21 rows (all fields N/A)

UPX dump on OEP (original entry point): 63 rows (all fields N/A)

XMRig Miner payload (tag: miner): 64 rows (all fields N/A)
Loads dropped DLL

21 rows, each with Process = C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe and no description, indicator or target recorded.

UPX packed file (tag: upx): 63 rows (all fields N/A)

Drops file in Windows directory

21 files, all created by C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe with no indicator or target recorded, in the order the report lists them:

C:\Windows\System\jUtUNdi.exe
C:\Windows\System\KiLMsnW.exe
C:\Windows\System\hoqOuZQ.exe
C:\Windows\System\lTzmwYP.exe
C:\Windows\System\JeUpuzH.exe
C:\Windows\System\vJyApuh.exe
C:\Windows\System\fbGisJh.exe
C:\Windows\System\YZYADDR.exe
C:\Windows\System\hAGOBQA.exe
C:\Windows\System\JUIFqUY.exe
C:\Windows\System\FSFGWdp.exe
C:\Windows\System\KWbdyEf.exe
C:\Windows\System\oAQZqht.exe
C:\Windows\System\SYDPzmd.exe
C:\Windows\System\lZXinBA.exe
C:\Windows\System\YEJVoNw.exe
C:\Windows\System\aHvKVhH.exe
C:\Windows\System\atoHRbj.exe
C:\Windows\System\tFjfnxb.exe
C:\Windows\System\BdUCkMO.exe
C:\Windows\System\BIZCqZZ.exe

Every name is seven letters of mixed case followed by .exe, and every file lands in C:\Windows\System (not System32), a directory that holds almost nothing on a current Windows install; both facts are usable as hunting criteria on their own.

Suspicious use of AdjustPrivilegeToken

Token: SeLockMemoryPrivilege, enabled twice by C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe (no indicator or target recorded).

SeLockMemoryPrivilege is the privilege a process must hold to allocate large pages (VirtualAlloc with MEM_LARGE_PAGES). XMRig tries to enable it at start-up so its RandomX memory can be backed by large pages, so this event lines up with the miner signatures; it is not something an ordinary user-mode application requests.

Suspicious use of WriteProcessMemory

63 rows: the sample (PID 1968, C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe) wrote to the memory of each of its 21 children exactly three times; no indicator is recorded. Target PID and target image:

3008  C:\Windows\System\aHvKVhH.exe
2596  C:\Windows\System\KWbdyEf.exe
2664  C:\Windows\System\lTzmwYP.exe
2736  C:\Windows\System\oAQZqht.exe
2788  C:\Windows\System\SYDPzmd.exe
2488  C:\Windows\System\JeUpuzH.exe
2780  C:\Windows\System\vJyApuh.exe
2532  C:\Windows\System\fbGisJh.exe
2504  C:\Windows\System\BdUCkMO.exe
1596  C:\Windows\System\atoHRbj.exe
2524  C:\Windows\System\jUtUNdi.exe
2632  C:\Windows\System\tFjfnxb.exe
1584  C:\Windows\System\BIZCqZZ.exe
1588  C:\Windows\System\YZYADDR.exe
1780  C:\Windows\System\hAGOBQA.exe
1436  C:\Windows\System\KiLMsnW.exe
344   C:\Windows\System\hoqOuZQ.exe
1604  C:\Windows\System\lZXinBA.exe
836   C:\Windows\System\JUIFqUY.exe
2796  C:\Windows\System\YEJVoNw.exe
2832  C:\Windows\System\FSFGWdp.exe

The same count of three writes for all 21 children points to a fixed start-up routine rather than per-target logic, but this table does not show what was written. The Files section lists, for most of these children, a region of identical size (0x354000 bytes) at an identical address in both the parent's and the child's dumps; those dumps, not this table, are where to look at the written content.
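The first thing to do with a report like this is to check its tables against each other: was every dropped file executed, how many writes did each child receive, and do the dumped image regions line up by PID? The script below is an added example, not code from the report or from the sandbox. It parses rows in exactly the format used in the "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables above and the memory/<pid>-<n>-<start>-<end>-memory.dmp names used in the Files section; the inline input is a three-child subset copied from this report (constructed so the script runs offline), and the join logic is mine.

```python
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe")

# Constructed input: rows copied from this report's "Drops file in Windows directory",
# "Suspicious use of WriteProcessMemory" and "Files" sections, cut down to three of the
# 21 children so the script runs offline with the same row format.
DROP_ROWS = rf"""
File created C:\Windows\System\aHvKVhH.exe {SAMPLE} N/A
File created C:\Windows\System\KWbdyEf.exe {SAMPLE} N/A
File created C:\Windows\System\lTzmwYP.exe {SAMPLE} N/A
"""
WRITE_ROWS = rf"""
PID 1968 wrote to memory of 3008 N/A {SAMPLE} C:\Windows\System\aHvKVhH.exe
PID 1968 wrote to memory of 3008 N/A {SAMPLE} C:\Windows\System\aHvKVhH.exe
PID 1968 wrote to memory of 3008 N/A {SAMPLE} C:\Windows\System\aHvKVhH.exe
PID 1968 wrote to memory of 2596 N/A {SAMPLE} C:\Windows\System\KWbdyEf.exe
PID 1968 wrote to memory of 2596 N/A {SAMPLE} C:\Windows\System\KWbdyEf.exe
PID 1968 wrote to memory of 2596 N/A {SAMPLE} C:\Windows\System\KWbdyEf.exe
PID 1968 wrote to memory of 2664 N/A {SAMPLE} C:\Windows\System\lTzmwYP.exe
PID 1968 wrote to memory of 2664 N/A {SAMPLE} C:\Windows\System\lTzmwYP.exe
PID 1968 wrote to memory of 2664 N/A {SAMPLE} C:\Windows\System\lTzmwYP.exe
"""
DUMP_NAMES = """
memory/1968-0-0x00000000003F0000-0x0000000000400000-memory.dmp
memory/1968-2-0x000000013F240000-0x000000013F594000-memory.dmp
memory/3008-8-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2596-14-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2664-26-0x000000013FDF0000-0x0000000140144000-memory.dmp
"""

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_drops(text):
    """created path (lower-cased, since Windows paths are case-insensitive) -> creating process."""
    drops = {}
    for line in text.strip().splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            drops[m.group(1).lower()] = m.group(2)
    return drops


def parse_writes(text):
    """One (source_pid, target_pid, source_image, target_image) tuple per WriteProcessMemory row."""
    rows = []
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            rows.append((int(src), int(dst), src_img, dst_img.lower()))
    return rows


def parse_dumps(text):
    """pid -> [(start, size)] read from memory/<pid>-<n>-<start>-<end>-memory.dmp names."""
    regions = defaultdict(list)
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            regions[int(m.group(1))].append((start, end - start))
    return regions


def cross_reference(drops, writes, dumps):
    """Join the three tables by target path and PID."""
    children, parents = {}, set()
    for src, dst, _, dst_img in writes:
        parents.add(src)
        child = children.setdefault(dst, {"image": dst_img, "writes": 0})
        child["writes"] += 1
    for pid, child in children.items():
        child["dropped"] = child["image"] in drops
        child["image_region_sizes"] = sorted({size for _, size in dumps.get(pid, [])})
    executed = {child["image"] for child in children.values()}
    return {
        "parent_pid": parents.pop() if len(parents) == 1 else sorted(parents),
        "children": children,
        "all_dropped_files_executed": set(drops) <= executed,
        "child_image_sizes": {s for c in children.values() for s in c["image_region_sizes"]},
    }


if __name__ == "__main__":
    report = cross_reference(parse_drops(DROP_ROWS), parse_writes(WRITE_ROWS), parse_dumps(DUMP_NAMES))
    for pid, child in sorted(report["children"].items()):
        print(pid, child["image"], "writes:", child["writes"], "dropped:", child["dropped"],
              "image regions:", [hex(s) for s in child["image_region_sizes"]])
    print("all dropped files executed:", report["all_dropped_files_executed"])
    print("child image sizes:", sorted(hex(s) for s in report["child_image_sizes"]))
```

Run against the full report text the same three parsers give 21 children with three writes each and a single child image size of 0x354000; a dropped path that never appears as a write target, or a child whose dumped region differs in size from the others, is the kind of discrepancy that should send you back to the raw dumps.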

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe"

The remaining 21 processes are the dropped files (their PIDs are in the WriteProcessMemory table); each runs with its own path as the command line and no arguments:

  C:\Windows\System\aHvKVhH.exe
  C:\Windows\System\KWbdyEf.exe
  C:\Windows\System\lTzmwYP.exe
  C:\Windows\System\oAQZqht.exe
  C:\Windows\System\SYDPzmd.exe
  C:\Windows\System\JeUpuzH.exe
  C:\Windows\System\vJyApuh.exe
  C:\Windows\System\fbGisJh.exe
  C:\Windows\System\BdUCkMO.exe
  C:\Windows\System\atoHRbj.exe
  C:\Windows\System\jUtUNdi.exe
  C:\Windows\System\tFjfnxb.exe
  C:\Windows\System\BIZCqZZ.exe
  C:\Windows\System\YZYADDR.exe
  C:\Windows\System\hAGOBQA.exe
  C:\Windows\System\KiLMsnW.exe
  C:\Windows\System\hoqOuZQ.exe
  C:\Windows\System\lZXinBA.exe
  C:\Windows\System\JUIFqUY.exe
  C:\Windows\System\YEJVoNw.exe
  C:\Windows\System\FSFGWdp.exe

Network

Country  Destination         Domain  Proto  Connections
DE       3.120.209.58:8080   (none)  tcp    6

All six recorded connections go to the same endpoint and no domain was resolved for it, so the only network indicator this run yields is the raw IP:port pair. Port 8080 and a bare IP are as consistent with a mining pool or proxy as with a C2 server; the report does not capture the payload, so it cannot tell the two apart.
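Turned into host telemetry, this run leaves three detectable traces: executables with seven-letter names created under C:\Windows\System, those files then running as children of the dropper, and a connection to 3.120.209.58:8080. The Python below is an added example and not part of the report. The EVENTS list is constructed sample telemetry using Sysmon's field names (EventID 11 FileCreate, 1 ProcessCreate, 3 NetworkConnect); the paths, PIDs and endpoint are taken from this report, the last two events are benign noise, and attributing the network connection to the dropper process is an assumption, since the report does not say which process connected.

```python
import re
from collections import Counter

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe")

# Constructed sample telemetry in Sysmon's field names (EventID 11 = FileCreate,
# 1 = ProcessCreate, 3 = NetworkConnect). Paths, PIDs and the endpoint come from this
# report; attributing the connection to the dropper is an assumption. The last two
# events are benign noise that must not fire.
EVENTS = [
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\System\aHvKVhH.exe"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\System\KWbdyEf.exe"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\System\lTzmwYP.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System\aHvKVhH.exe", "ParentImage": DROPPER, "ProcessId": 3008},
    {"EventID": 1, "Image": r"C:\Windows\System\KWbdyEf.exe", "ParentImage": DROPPER, "ProcessId": 2596},
    {"EventID": 3, "Image": DROPPER, "DestinationIp": "3.120.209.58", "DestinationPort": 8080},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "ProcessId": 900},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

WINDOWS_SYSTEM_DIR = "c:\\windows\\system\\"     # deliberately not System32
RANDOM_EXE_NAME = re.compile(r"^[a-z]{7}\.exe$", re.IGNORECASE)
IOC_ENDPOINTS = {("3.120.209.58", 8080)}         # from the Network section of this report


def is_random_drop(path: str) -> bool:
    """True for a seven-letter .exe directly under C:\\Windows\\System\\ (no subdirectory)."""
    p = path.lower()
    if not p.startswith(WINDOWS_SYSTEM_DIR):
        return False
    name = p[len(WINDOWS_SYSTEM_DIR):]
    return "\\" not in name and RANDOM_EXE_NAME.match(name) is not None


def evaluate(events, ioc_endpoints=IOC_ENDPOINTS, min_drops=3):
    """Correlate file-create, process-create and network events into findings and a verdict."""
    drops, executed, ioc_hits = [], [], []
    for e in events:
        eid = e["EventID"]
        if eid == 11 and is_random_drop(e["TargetFilename"]):
            drops.append((e["Image"], e["TargetFilename"]))
        elif eid == 1 and is_random_drop(e["Image"]):
            executed.append((e["ParentImage"], e["Image"], e["ProcessId"]))
        elif eid == 3 and (e["DestinationIp"], int(e["DestinationPort"])) in ioc_endpoints:
            ioc_hits.append((e["Image"], e["DestinationIp"], int(e["DestinationPort"])))

    per_dropper = Counter(img for img, _ in drops)
    findings = [f"{img} created {n} random-named executables under C:\\Windows\\System"
                for img, n in per_dropper.items() if n >= min_drops]
    findings += [f"{parent} launched dropped binary {child} (pid {pid})"
                 for parent, child, pid in executed]
    findings += [f"{img} connected to known-bad endpoint {ip}:{port}" for img, ip, port in ioc_hits]

    # A known-bad endpoint is conclusive on its own; the behavioural pair (mass drop plus
    # execution of a dropped file) is conclusive without any network indicator at all.
    if ioc_hits or (any(n >= min_drops for n in per_dropper.values()) and executed):
        verdict = "malicious"
    elif drops or executed:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "drops": drops, "executed": executed,
            "ioc_hits": ioc_hits, "findings": findings}


if __name__ == "__main__":
    result = evaluate(EVENTS)
    print(result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```

The behavioural rule is the one worth keeping: the IP will rotate, but a process creating a batch of executables in C:\Windows\System and then launching them is unusual enough on its own that the name pattern is only there to cut noise, and on a fleet where nothing legitimately writes to that directory it can be dropped entirely.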

Files

Memory dump names follow the pattern memory/<pid>-<n>-<start>-<end>-memory.dmp, where the PID matches the process IDs in the WriteProcessMemory table, <n> is a dump index and the two hex values are the dumped address range, so the region size is end minus start. Every region listed below except the parent's initial 64 KB one (1968-0, 0x3F0000-0x400000) spans 0x354000 bytes. Dropped files are listed with MD5, SHA1, SHA256 and SHA512; the last entry is cut off in the source.

memory/1968-0-0x00000000003F0000-0x0000000000400000-memory.dmp

memory/1968-2-0x000000013F240000-0x000000013F594000-memory.dmp

\Windows\system\aHvKVhH.exe

MD5 c59688da11d39e62832ebdb9361b4976
SHA1 c7a9f0ff7da05e495d0a0aeec67df0ced7846a8c
SHA256 de3efa1f06808498d6bbc50355072b41295caee310aff197fa467f6b0f691268
SHA512 5a08fe3fd053e66b632441151bc12b644d5b4cc0e2f7ce00f8e488d63332e31b4d08a895236715873feffab66078bb700847b332281ec33a1401a4471bc5eea5

memory/1968-6-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/3008-8-0x000000013F8E0000-0x000000013FC34000-memory.dmp

\Windows\system\KWbdyEf.exe

MD5 04aa09ed29e3413a045d545793c211e7
SHA1 4bdbde3b5e5ca60ac450e32b548a8ac54d0a1ef7
SHA256 f058b7ddcf3e9286f013c727cbb7b3249187abb432cbe1507d98c44f64981919
SHA512 ae742a6ba6ef9ac3ac5705f888990bb5f623c096dd87a482a7a2d0dcf4cb74eaa2d10dd298f77511b07b5b8e07f31e895e8be1a5aab22ae13799bf469f5dd393

\Windows\system\lTzmwYP.exe

MD5 f96716b4aa2b572162d91b0fc05dec4f
SHA1 4a10b73b22269fa78d587af3ea9e1cffbaee3f70
SHA256 d4083f7a6f2d41dbed0a1f76943be9149daa478f23260d304c341dfd5cf3e7e2
SHA512 3cd650b87bc6ad9f3602d50058e854b605c46b59a4c5fabffe136bbe171b9f0eeffc0367f65179f78ed036fb3ade7072934a58922153f3e9fb9ef305bf880f3d

C:\Windows\system\oAQZqht.exe

MD5 a47115b9ca02b0919f8dea9b64895c36
SHA1 eb8e6ba1a4bfe8f8b08bb92c4a48421653c1c444
SHA256 2d2bf25993575c5bff611aa019a9e7f8bcd82fb8b8d30e7600a9cc8e66065637
SHA512 f329b8afaf879699b8562e954e17c47904e0e92a96fb18722e4f72658b22cc0ea9a08d4005f32cae2678d42fff115cee0912287172bb2ba3e7e93b8f2f2baae7

memory/1968-28-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2736-29-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2664-26-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/1968-23-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2596-14-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2788-35-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2488-43-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/1968-42-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/1968-34-0x000000013FF20000-0x0000000140274000-memory.dmp

C:\Windows\system\JeUpuzH.exe

MD5 e962a30a22a6cba30f82d58139aa33ff
SHA1 e4c6b84f07301f32157680ee3160d5c71010f341
SHA256 f8122527d3cfc9c0f45c6568e4cee517e01115afe8def921bea10b701bfcd3af
SHA512 dd629fe2b66d31e4457fcaf281f9a95c79971eb8d187bcf3e6b2792cba774b5d1d0ca4a776b805a899bdb085c523731b82c08572257cc7ab058d6ee92a647646

C:\Windows\system\SYDPzmd.exe

MD5 31d8d6bed97811a2c8183dd7d0723e30
SHA1 fe92dd6854990487d605c4d3835f29701e2c6903
SHA256 f95003cd4fbc9fb6f5a2389e1903c388fbf207916950034606e016e54c0dc249
SHA512 569211519f8da4b174ec58872e6431a022aa6a277e9d1fdc7a4fbceb717394a8fcfefa27f972a043f8d8527001fb4f7daba077ee4f3fd081fb2ab23a78901dd8

memory/2780-49-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2532-56-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/1968-55-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

C:\Windows\system\atoHRbj.exe

MD5 3c31f53fa79ccb3c2cca0949b6030d81
SHA1 4a03ad35d77e44e23f3b5610e2ea1d1a347b9847
SHA256 67ed21380a3469eb1475f6f43e8bdfb2782a4672220fa520c044e53a779bcb48
SHA512 1518917693336449ac711668ef043bf27fd40ab3866fabbaac88cbb7dbc345f47ea28b9fc81702bd84f809351bcc635c876805054c620a9b63387b2a058a57d9

memory/2504-63-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/1596-69-0x000000013F050000-0x000000013F3A4000-memory.dmp

\Windows\system\jUtUNdi.exe

MD5 86d114f7a1ac68e3dd9dae8af90507f8
SHA1 1017bce5f8d7990fccef767220361c1d27e58a8d
SHA256 8d11e4de38cc6b8eb4e71043702bd2478111134d5d8b7ba79a9146aa6fd95df3
SHA512 3e81b6f7c9c85f813b6d2ff4cd77a8931e6d0c407929b552535d3de10bc5f1fb9301797073182ee784de0b6159368bd218eb14ee0ba9b1a1168611ea2ece5e80

C:\Windows\system\YZYADDR.exe

MD5 85031710d40453d68c36f1c697d4aa93
SHA1 20a1ad6ad6947f3f06de1a4afb4a227c31d07eb9
SHA256 81a3c270179558414a6fc4c28fcc49457304b6ce9cdd5eda3b4235103f4e6ef0
SHA512 2294790c0a670a758183f25961dec0fccdb989edf82f040c62163d826ec3607376cd36ad5bd6c03310dfaa1d4447859ade98f67975452dbf9cec24feeac6db9c

memory/1588-99-0x000000013FC60000-0x000000013FFB4000-memory.dmp

C:\Windows\system\lZXinBA.exe

MD5 ea3d70e2748e9830d552e5c4d5f85ea0
SHA1 4a380bdb4bfa866ae5e2e0a3afd0b50f149277cf
SHA256 71f74a6c2d529860a168585751e84f97ba0700399ffb23a9271c3683feb6bc29
SHA512 b999180c30a1db69a3610f79c54476d983af0fd28627f594f700912f40ae48fe949627f3aaa81b14aaeda9d0e0b2120bfac0f60bba36484ba6c7ac98b0c5fe90

\Windows\system\FSFGWdp.exe

MD5 c9248cbe49a2ca6c61cd67acc3833c83
SHA1 546576bf34dc353a9e8df92513fdd3b542171fa7
SHA256 11c28cb2773d5a3283610acab0c1b03cbf73180a6792491c6e44a2e60ecb1f49
SHA512 9f1a0a64336f9c3958e6a587839ee5727961686bfd2327d2dd78847814a9930730bd5a841e2958413f1d89b14f3b6de7f557ac9f552df229e4c4e242efe9ddeb

C:\Windows\system\YEJVoNw.exe

MD5 62c6eba47634f877dc30bafbe07ae0b1
SHA1 3a769d5764e2ddca363ba936dff31a003da51ece
SHA256 13a806d9617141522060a3a10b62ef9561853d6137767be9c72f31bd6665ee8f
SHA512 2a783b53643b28b2872f2b80cf13da725f40d0cc1712a52bfaa7d75b4ed9360de13b6bf242a56770874540bf4f8d9a9aba2770b514631aa8176683c2610d3d7e

C:\Windows\system\JUIFqUY.exe

MD5 775983015164f26ffb297f3b03d11bf0
SHA1 a67981ccd9d8482696fe14da51a958e0dae4f553
SHA256 8f0f1bbac317c77ab5c42455b152165dacdb7a13629edd28174df712995c5974
SHA512 01b25692bd4767fa80059e197666161ecc053e755ef7aca14d002f342a8cb7ba1ceac0a1ce47c33cd84fa31ce4714b319ceb87463ca3f26b81f5ce6171628760

C:\Windows\system\hoqOuZQ.exe

MD5 c3cf9225e2ddd589b80bf81e9d12fa8a
SHA1 fd8eb7742ad44cafff6b1bfb21407e9f663c15b0
SHA256 76c353c7a099c64049191926eecddfd5c148e29f2b34ec2186c4c05b819e5e1a
SHA512 05329e6c946a2fe73865086885d9ee2cf55e80c11077b24049af9e6cf95d0e0111b7755d4cf17a0dd5e3d52e92a17f5f18f5e15de66c2c5c99907c6af4f58520

C:\Windows\system\hAGOBQA.exe

MD5 95922d25b21b1a1fdb3b7de9a092a552
SHA1 ff627df1bc295827fb238c66964885ab1437d70a
SHA256 81d00a0922847d8f307771cf9925415b4415d606fdd3fe12eae6b0b869cb1029
SHA512 9dc3027a138f85cc5b6f3e63ea2eaf1cf4785042b232713c243c86ec73485b5bfe33d03b7c2f13837ee043aa3a6c2fcdc0d841d438d11bdc0394283d37dba3d8

C:\Windows\system\KiLMsnW.exe

MD5 70268d965d3bd1193610da9a3bfa8cc3
SHA1 06bf23ae25c33d798cca2879258e821cb8dd0b1e
SHA256 a464504611dbd33f44a3a779a46aa49d36392e5dcf810b862987b5eacca1beba
SHA512 de33ab058cb52a66dbbe08d7c3d8dbe6687f79f943d9e45334c831d3311f7fb5c3575788069c7b36b7a1b876ea9c364beaf8ace02a071cc780581b32d7d5a0d3

memory/1584-92-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2780-136-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/1968-91-0x000000013F680000-0x000000013F9D4000-memory.dmp

C:\Windows\system\BIZCqZZ.exe

MD5 8336c4934bb1e5fe2e12d9bb5cdc4465
SHA1 3fb07cd23105b00cc838c7d41c43d9ad5fe9e4b5
SHA256 b201120b6454d9aa484f2b7546dc11729fa3b0df003eceddccf68b3610aaa275
SHA512 9e2657f9f762c04d0bbb187bdef1629b6ab4a2f1d2b39b5d44fbaa3fe1b5cec5099e8591646ea0d7543438915d5fb937ba12ae339867cd6178eb4a7a953d1d56

memory/1968-98-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2524-77-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/1968-76-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2664-75-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2596-74-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2788-97-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2632-85-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/1968-84-0x000000013F9E0000-0x000000013FD34000-memory.dmp

C:\Windows\system\tFjfnxb.exe

MD5 7c7f8f6479618853f012c8da98b9bffc
SHA1 46aa73d757dad3e3b8c91a1326c5a479b0ab2dda
SHA256 a86d9876b15c62bd397d0a1ac6b9b1b2af010158f2d99a5b26b169de454f7559
SHA512 e67281a2f76277b8345fd29178ecc8f2c307473a5533ef9e3b7a616e48e44b52b18d833983a48c1590b1d8d7056859da486a195c45465ebe7c58ae822a4c2d80

memory/2532-137-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/3008-62-0x000000013F8E0000-0x000000013FC34000-memory.dmp

C:\Windows\system\BdUCkMO.exe

MD5 9d242080a29101ea417121d269e439c1
SHA1 6f79fc31b3ba8276808c322445d11b1ea761cc03
SHA256 44153767998c3a1183345bc741fe0e21dfe013097c546771fd585bab9504c558
SHA512 cae98a1492089bc496495789912e4e7b1d34d637f549b5602ee6157b426d93d0dd62ff91ce4ef1ffb2b8969a92468ff7a0e73666fde7ba81852f4b8e0dbf406d

C:\Windows\system\fbGisJh.exe

MD5 fee2b4540de28d4de1d225c97b5dee6b
SHA1 d8c558259b66e1d6345ab66fdd9cadae8f0aaac5
SHA256 c015f6c3ff440179f573e6c996c08b4048b52565aadf4bb46e96aee9f904b417
SHA512 87a6ef6c605f8a7ef9ae000f283ff61932f95592847ed05fe5a7e861990c62b40be94cd00295d7eb5ffe6dab71a1466175ab0684e7dcc440b41e0d349c78de94

memory/1968-48-0x000000013F240000-0x000000013F594000-memory.dmp

C:\Windows\system\vJyApuh.exe

MD5 165717a7c7d307a6143ad7cbf6835ea5
SHA1 b4f8617c191ee61946a8ea4cb3ef7ff1367b20b8
SHA256 82a95b066496a88e96baca069e7b712f0f6ad1f163d4f664140abfc559215c34
SHA512 255955ca0e116893cf47073538db874b7ff4b3e7f91c64c420865cc278cdff15af3d1ccb6c8fa3901733c39d049d8fb40c13f1ed6567f5ae1039bdbc07e9d35d

memory/2504-138-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/1968-139-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/1596-140-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/1968-141-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2524-142-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2632-143-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/1968-144-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/1584-145-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/1968-146-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/1588-147-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/1968-148-0x000000013F8C0000-0x000000013FC14000-memory.dmp

memory/3008-149-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/2596-150-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2664-151-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2736-152-0x000000013F720000-0x000000013FA74000-memory.dmp

memory/2788-153-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2488-154-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2780-155-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2532-156-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2504-157-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/1596-158-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2524-159-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2632-160-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/1584-161-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/1588-162-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 08:43

Reported

2024-06-08 08:46

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\tgfWTfS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\idBiwaO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\drYpgIA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iHAKULg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vFTRQmI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NoalAQd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BndfJif.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nwrzkJB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IMNddgG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OIurKJm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LnzdIhT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Euwkhcr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uuASpvp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yireyTD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mTyPanL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YhrMxek.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UOAQHXR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ypwFQvv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WFVlAoc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MLiRNja.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IRpOKeL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4172 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\drYpgIA.exe
PID 4172 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\drYpgIA.exe
PID 4172 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\WFVlAoc.exe
PID 4172 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\WFVlAoc.exe
PID 4172 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MLiRNja.exe
PID 4172 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\MLiRNja.exe
PID 4172 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OIurKJm.exe
PID 4172 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\OIurKJm.exe
PID 4172 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\iHAKULg.exe
PID 4172 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\iHAKULg.exe
PID 4172 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\LnzdIhT.exe
PID 4172 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\LnzdIhT.exe
PID 4172 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\Euwkhcr.exe
PID 4172 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\Euwkhcr.exe
PID 4172 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\yireyTD.exe
PID 4172 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\yireyTD.exe
PID 4172 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\vFTRQmI.exe
PID 4172 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\vFTRQmI.exe
PID 4172 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\mTyPanL.exe
PID 4172 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\mTyPanL.exe
PID 4172 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\NoalAQd.exe
PID 4172 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\NoalAQd.exe
PID 4172 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\tgfWTfS.exe
PID 4172 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\tgfWTfS.exe
PID 4172 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IRpOKeL.exe
PID 4172 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IRpOKeL.exe
PID 4172 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\BndfJif.exe
PID 4172 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\BndfJif.exe
PID 4172 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\YhrMxek.exe
PID 4172 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\YhrMxek.exe
PID 4172 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\UOAQHXR.exe
PID 4172 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\UOAQHXR.exe
PID 4172 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ypwFQvv.exe
PID 4172 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\ypwFQvv.exe
PID 4172 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\idBiwaO.exe
PID 4172 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\idBiwaO.exe
PID 4172 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\uuASpvp.exe
PID 4172 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\uuASpvp.exe
PID 4172 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\nwrzkJB.exe
PID 4172 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\nwrzkJB.exe
PID 4172 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IMNddgG.exe
PID 4172 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe C:\Windows\System\IMNddgG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d1e400c0201bbe03851c57d78c496d6d_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\drYpgIA.exe

C:\Windows\System\drYpgIA.exe

C:\Windows\System\WFVlAoc.exe

C:\Windows\System\WFVlAoc.exe

C:\Windows\System\MLiRNja.exe

C:\Windows\System\MLiRNja.exe

C:\Windows\System\OIurKJm.exe

C:\Windows\System\OIurKJm.exe

C:\Windows\System\iHAKULg.exe

C:\Windows\System\iHAKULg.exe

C:\Windows\System\LnzdIhT.exe

C:\Windows\System\LnzdIhT.exe

C:\Windows\System\Euwkhcr.exe

C:\Windows\System\Euwkhcr.exe

C:\Windows\System\yireyTD.exe

C:\Windows\System\yireyTD.exe

C:\Windows\System\vFTRQmI.exe

C:\Windows\System\vFTRQmI.exe

C:\Windows\System\mTyPanL.exe

C:\Windows\System\mTyPanL.exe

C:\Windows\System\NoalAQd.exe

C:\Windows\System\NoalAQd.exe

C:\Windows\System\tgfWTfS.exe

C:\Windows\System\tgfWTfS.exe

C:\Windows\System\IRpOKeL.exe

C:\Windows\System\IRpOKeL.exe

C:\Windows\System\BndfJif.exe

C:\Windows\System\BndfJif.exe

C:\Windows\System\YhrMxek.exe

C:\Windows\System\YhrMxek.exe

C:\Windows\System\UOAQHXR.exe

C:\Windows\System\UOAQHXR.exe

C:\Windows\System\ypwFQvv.exe

C:\Windows\System\ypwFQvv.exe

C:\Windows\System\idBiwaO.exe

C:\Windows\System\idBiwaO.exe

C:\Windows\System\uuASpvp.exe

C:\Windows\System\uuASpvp.exe

C:\Windows\System\nwrzkJB.exe

C:\Windows\System\nwrzkJB.exe

C:\Windows\System\IMNddgG.exe

C:\Windows\System\IMNddgG.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 52.111.227.11:443 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/4172-0-0x00007FF6E9CD0000-0x00007FF6EA024000-memory.dmp

C:\Windows\System\WFVlAoc.exe

MD5 4d0b8fb2e36a61053c4487a6dcfa4ea0
SHA1 7752018f04697d2f17a39ca56f49d6c45d84dac0
SHA256 af94cad45b5efeb9089612695341a0bf41e7427f7ed18584a46093d8785f83bf
SHA512 71bfff9c1d800b90099c23fac3178c561e825fbfba10c50cd7b749b1645528a719e9d292fa4b12907c37d631debd882df88fdda93b5630e5a690ee37cb0f8449

C:\Windows\System\MLiRNja.exe

MD5 e00123716811aad26e6b6826897e491b
SHA1 a09fd362dfa075d0730357f81e368f61c45bb724
SHA256 9d9f94f486234a77926595285684cd2309b3a324dabe7f4c4bdcbe32ce393a04
SHA512 56930d0741aadb645fff3fbee0176bc78fee2a3b5a497c8043dcc916924614f4d01101a0914617dfb3eb17ad1825299bcb0c252abbba5bba6e42ffb096c6a12e

memory/2848-20-0x00007FF7D1050000-0x00007FF7D13A4000-memory.dmp

memory/3732-14-0x00007FF7084D0000-0x00007FF708824000-memory.dmp

memory/1668-8-0x00007FF6EBD40000-0x00007FF6EC094000-memory.dmp

C:\Windows\System\drYpgIA.exe

MD5 bc5af2dc92c389109611805ff90065df
SHA1 73fac57b70354df865a70e30a8c3a34cc5944d33
SHA256 eae347d281e30f55aaec50910cffae598b9b8316511180954200c715ed7a33f5
SHA512 6eaefc67e5546aa94813e59475404ce54e68feef6c385c012b7152cc44acf9292008786f513b0a20a036906073c6f9d6153fd8f666f6138b7937144bce52090f

memory/4172-1-0x0000013E7C860000-0x0000013E7C870000-memory.dmp

C:\Windows\System\OIurKJm.exe

MD5 5b34b85fa26c28716e4f7f89150bf2b5
SHA1 00840b9d145431b911196e290ee433b246fe195d
SHA256 fa99100a7b6f7f3f458e8eb929b7b1ce6ec113bd0306abc987bfd29bd02071b9
SHA512 8cfbdc8018d9a9866164f195ac44213b4f803262d869d5b4d922cf0a1468752d59404fdae734d7e991d407248ec37da823730792fc9d556e48dc411eb4718900

C:\Windows\System\iHAKULg.exe

MD5 683158fd1db098fccdebced8ae521ff4
SHA1 3c3b6d5e2ddcb85af08c8a4aa31a496ea623164f
SHA256 6363b9cb88f06adf4dd7c98885907f8cc2aa482e01e80c624b5ebed5a88ee26c
SHA512 f3d1ecf292dab174e0801f8834195aa02e637beb3771bddc622107a4c5de3af5270acf833edb1b1144aceb9298ba0d0cd0d7d400d199986bc4733d95ff494cc1

memory/4948-46-0x00007FF66A490000-0x00007FF66A7E4000-memory.dmp

C:\Windows\System\mTyPanL.exe

MD5 c1739e82df12289021dd4a0a2c0b89df
SHA1 f4501383f987f4d573a7d4208e8c00aae70858ac
SHA256 eb5fdec70376c3951f88b30cdc69b3424b8dcc7e00080cc0f9c49025ab5fd6ce
SHA512 1e5ed1b46e122d6982fc099bb4efbea81ad185977649619263260df804c2ca6b9b5a3b8f41d7a69787e92695818886c6fa61f54051ade15c40e6d632610e8937

C:\Windows\System\vFTRQmI.exe

MD5 63b87786d7a880dfd4fbf0debb67cfb7
SHA1 49f6493b2a0cc050cad64679f685e75a5eb337dc
SHA256 9e246a79eb6a51482705cbf96e199215e5f32f0804ddfe9413da2f6a32fae278
SHA512 1336bf0090b04c4b386910d90c41ad6a11e8148b9de21e11730351b65cbb3f2e21d493804b9c84fd6e6e6700d6afc48e3a9d070ecf06e61c2d57aa602cb02fac

memory/2804-60-0x00007FF7A7340000-0x00007FF7A7694000-memory.dmp

memory/4788-57-0x00007FF6CEC80000-0x00007FF6CEFD4000-memory.dmp

C:\Windows\System\LnzdIhT.exe

MD5 b169e22aa207fb820cd389590a725663
SHA1 26d4ee998963bb3f3e86853ae897ff69ecd3e862
SHA256 bb56703a15c649ff08337a60a82650090951cd055db4e1d77aef5300e48feb22
SHA512 70d65d83cf543b4a15320d16665b5ead25979bdf8e8b53fdd767cbd088c1dd31abc16add734028cf4d32e2295db665e360ca1c82c7b5c4eb3f521ad47792770a

C:\Windows\System\Euwkhcr.exe

MD5 702d0e1d8426a8c173c9687ef807d4e6
SHA1 100b52b59eadc043100228db25aa69f6bf323e66
SHA256 2dfa68afc48feb69459bef7dba93e381e2bd14a3643d1c782eef68437218c9b1
SHA512 b4e126879a4ab92da9c1a16c26df1970f59288d0c9cd6928d38b749e2fd33b4c92fe3d4cc0610e4c9c8493740961692de947cbda23cb469db33aa98a62ab7461

C:\Windows\System\yireyTD.exe

MD5 694948af9a3526e920f529653720a633
SHA1 978954965076da5164a7457e95ad25d19cb6ec53
SHA256 13559c0f0b4ee777c50bf10f868d38ddc038c9806410b5c6d164f64690301e5c
SHA512 85e7a3fd77ac8ea4c6f5cf4d7290064b2344b48c5d7c040a4e8cb7e2253f607e4d3adeabc3b0a1e403dd33356eff14dca138964ddb1749a349384a54dc01bd16

memory/4688-49-0x00007FF716520000-0x00007FF716874000-memory.dmp

memory/5008-42-0x00007FF6AC040000-0x00007FF6AC394000-memory.dmp

memory/1652-38-0x00007FF663810000-0x00007FF663B64000-memory.dmp

memory/588-26-0x00007FF633230000-0x00007FF633584000-memory.dmp

C:\Windows\System\NoalAQd.exe

MD5 04aaf2afda0c579aa2bb3aaa9a7af828
SHA1 bff99949c9220d922cfddb2a89ec22701d0f7557
SHA256 219f122d1df30cff755a89066c8d29e16e0a2c6c01b20d1e1fd49628bf7089a0
SHA512 9b5edf26422525b833c8f93551c6fc688140b848948880c29995cbfb6aacbf671cc275af721585b5e4a2e13e5e5c94d504098023b4a2926b04f22204c05152fe

C:\Windows\System\IRpOKeL.exe

MD5 ecab78c9b8c30c28b0032980329cfbe7
SHA1 8e9b679a75cc84930da8c6573a2f5140a39f136e
SHA256 5dcc60e53bb30bc19a30a0226ca8ae1dcf31f000131ff55836d29cf283f860a0
SHA512 f2acef3da5d608b9b9362f91e07d92ad469645b454ecf458a47b87cc64ec15fad7816d53b4fb494c16d1db39c13d314e5c53f119ffc346ef3bb1ea45841882c5

memory/4172-78-0x00007FF6E9CD0000-0x00007FF6EA024000-memory.dmp

memory/3584-72-0x00007FF76A8B0000-0x00007FF76AC04000-memory.dmp

C:\Windows\System\tgfWTfS.exe

MD5 f22fda7cf7028ec7ed71adf51c89268f
SHA1 ea7dc58a0ff5315d700220aa71a7af2e85cc043d
SHA256 360b5da5785d71d1f73b332e59c74139cb8ccc06c19cf19fa5163f0c4254c052
SHA512 edca5b368da7746820e2bd888749e9b2547ebd8225cf250712672cade73b5f0e40cd2d570e82272c5d1fb827863355b2eea2d7719d907614b66e7633a9b13f8e

C:\Windows\System\BndfJif.exe

MD5 d4215261c237c5bb8978ab8f5ea35252
SHA1 5b361c6c0758fbf6ecd45a22dc1afac072c799d9
SHA256 d89673898dc360e61606e61722d8a34469090c0c6de6101c36ce30da0a1a4dae
SHA512 35db2fc59cb3fe0f3ec6d9de22eddf67ea49c1830f01f89a65970afd9a6a081a9f6945edda06f47adcc8006512539882fa01aac458f91927d3d6e62e6ff223c5

memory/2264-88-0x00007FF7BF2E0000-0x00007FF7BF634000-memory.dmp

memory/2212-92-0x00007FF6495C0000-0x00007FF649914000-memory.dmp

C:\Windows\System\YhrMxek.exe

MD5 f6a4d6f04a8c85a1e43b6259bc051ba6
SHA1 77e1778d6b5f9d8723a6bca8088c645bc3808530
SHA256 9b2f24979780d26ec01826b6df11867041daa500dfd2d8bdc024b11155348f19
SHA512 a8062ccecbe3e2aaf62f7c5f6db58cf271ea95513184eb399785dd2a61567d4d72aeda50c91d3da1a505c99cabab54aae5b8500cce087120d4cc19f53b427788

C:\Windows\System\UOAQHXR.exe

MD5 9e0884ab8e9633422ac425be6d3e8a21
SHA1 74e3feaabc5c4eabd560a3a8b03b41f8e9687ea0
SHA256 9c414d5ae29d578c5148d40ebf4589d1aa450bb23f4b20b758b20ba5d6ca53b2
SHA512 16af839d8fac05283e2674c6cca1c11e9010f98005195a30e13f23e7a6c2854de9a3ef80ac42ca8c5aba5c2800db857a85ac3a02d22d688cfa8c10f0122b36b1

memory/4860-98-0x00007FF752D80000-0x00007FF7530D4000-memory.dmp

memory/3216-95-0x00007FF65D780000-0x00007FF65DAD4000-memory.dmp

memory/3992-77-0x00007FF607900000-0x00007FF607C54000-memory.dmp

C:\Windows\System\ypwFQvv.exe

MD5 9292028ce0e8d14d3b6968919bf646c8
SHA1 33c468b2fc3a921dc8bf10ae6d2794b6c5a0e300
SHA256 78eb2e2d59201643e492bc3fd22bd9b59d4b287d6d315c39c81f72217ec29758
SHA512 0f9d4f72ba9865d0652c61fc09316a9cab338e4e39b373f1d99b0b670b13b7341232a614c59fbc139288e208591de22c6bc395e6f9602587fcaa0cad89aa3dd5

memory/2496-107-0x00007FF6048E0000-0x00007FF604C34000-memory.dmp

C:\Windows\System\idBiwaO.exe

MD5 893b192de4ab62dd01aaf5e15a11e8ff
SHA1 0648d141248c10c482985b82c3bc38ab4fa6bcda
SHA256 dc8160cc265da5bb4f62dd628f112a583ad774780bbb398852432ba9faa1b52f
SHA512 f33ec6791b5db34f15b7030383e619b9214fe6406b7dfc8bd46f1ed177dbef2a26a1796fec3b76d37bffa358b0b2d172ed45a00d0f9b52fa3da90e9f37a5ea17

memory/3732-105-0x00007FF7084D0000-0x00007FF708824000-memory.dmp

memory/2848-111-0x00007FF7D1050000-0x00007FF7D13A4000-memory.dmp

C:\Windows\System\nwrzkJB.exe

MD5 102b8337e82b71299519126ec765cbf3
SHA1 0de4bf5de3812c29f55b3fc73c37422fc6d1dd59
SHA256 bf84aa2d3d00c7606eef3da7d2d25856562cf7657033c356d7b69a1848a993e5
SHA512 cd2b8bb02e9a50e86ff5aebb0e585153ac57f11a81f3466b2257c92d60e1d517617cf2186201e9bad414989a445ce90b9a6c88743a0de83c28722276f45463ce

memory/4728-125-0x00007FF7C3970000-0x00007FF7C3CC4000-memory.dmp

C:\Windows\System\IMNddgG.exe

MD5 c5c38ada3d1c712d0a85fd1e4e9add27
SHA1 e402dc3bb9ebe23aa0a839025a4f643c1447634d
SHA256 41c6e0c4e139c71372eac7d76739b5aa33be0297832e1c0b8c86412fa4c3bfb0
SHA512 f6792bdb064f92524cac42e42ef3015d910157934329bb5c0c55253babb11ef0b23dc44796e1f190ab6a528da5b198ba1d4a7994a07624939e5ef7bb362f043e

C:\Windows\System\uuASpvp.exe

MD5 c39a88172b9f7311761b7fe7c26ae7bc
SHA1 69228d6f9005813c58ac2902b5b157b25e0b8ace
SHA256 8e28a53bf4acc0946a91f4dc85538227442f847d64d3c97c66fc68e838d32e01
SHA512 c26291a328f0de612d5035bc4e2ed62b6cb2643f13b155e755e2976351364ffa3b4681489e52c81f9145be01ad2e1ade2e1e6633bf8dc341356ecaa0ff27eb69

memory/4688-128-0x00007FF716520000-0x00007FF716874000-memory.dmp

memory/4260-126-0x00007FF60A3C0000-0x00007FF60A714000-memory.dmp

memory/5008-121-0x00007FF6AC040000-0x00007FF6AC394000-memory.dmp

memory/1652-120-0x00007FF663810000-0x00007FF663B64000-memory.dmp

memory/588-119-0x00007FF633230000-0x00007FF633584000-memory.dmp

memory/5000-113-0x00007FF6B0120000-0x00007FF6B0474000-memory.dmp

memory/4948-134-0x00007FF66A490000-0x00007FF66A7E4000-memory.dmp

memory/4968-135-0x00007FF6F8C10000-0x00007FF6F8F64000-memory.dmp

memory/2804-136-0x00007FF7A7340000-0x00007FF7A7694000-memory.dmp

memory/4788-137-0x00007FF6CEC80000-0x00007FF6CEFD4000-memory.dmp

memory/3992-138-0x00007FF607900000-0x00007FF607C54000-memory.dmp

memory/2212-139-0x00007FF6495C0000-0x00007FF649914000-memory.dmp

memory/4860-140-0x00007FF752D80000-0x00007FF7530D4000-memory.dmp

memory/4728-141-0x00007FF7C3970000-0x00007FF7C3CC4000-memory.dmp

memory/4260-142-0x00007FF60A3C0000-0x00007FF60A714000-memory.dmp

memory/1668-143-0x00007FF6EBD40000-0x00007FF6EC094000-memory.dmp

memory/3732-144-0x00007FF7084D0000-0x00007FF708824000-memory.dmp

memory/2848-145-0x00007FF7D1050000-0x00007FF7D13A4000-memory.dmp

memory/588-146-0x00007FF633230000-0x00007FF633584000-memory.dmp

memory/1652-147-0x00007FF663810000-0x00007FF663B64000-memory.dmp

memory/5008-148-0x00007FF6AC040000-0x00007FF6AC394000-memory.dmp

memory/4688-149-0x00007FF716520000-0x00007FF716874000-memory.dmp

memory/4788-151-0x00007FF6CEC80000-0x00007FF6CEFD4000-memory.dmp

memory/2804-150-0x00007FF7A7340000-0x00007FF7A7694000-memory.dmp

memory/4948-152-0x00007FF66A490000-0x00007FF66A7E4000-memory.dmp

memory/3584-153-0x00007FF76A8B0000-0x00007FF76AC04000-memory.dmp

memory/3216-154-0x00007FF65D780000-0x00007FF65DAD4000-memory.dmp

memory/2264-155-0x00007FF7BF2E0000-0x00007FF7BF634000-memory.dmp

memory/3992-156-0x00007FF607900000-0x00007FF607C54000-memory.dmp

memory/2212-157-0x00007FF6495C0000-0x00007FF649914000-memory.dmp

memory/4860-158-0x00007FF752D80000-0x00007FF7530D4000-memory.dmp

memory/2496-159-0x00007FF6048E0000-0x00007FF604C34000-memory.dmp

memory/5000-160-0x00007FF6B0120000-0x00007FF6B0474000-memory.dmp

memory/4728-161-0x00007FF7C3970000-0x00007FF7C3CC4000-memory.dmp

memory/4968-162-0x00007FF6F8C10000-0x00007FF6F8F64000-memory.dmp

memory/4260-163-0x00007FF60A3C0000-0x00007FF60A714000-memory.dmp