Malware Analysis Report

2024-10-16 03:07

Sample ID 240608-q1dy6ada56
Target 2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike
SHA256 15efae55ad58f40a11baa92251e2b1e6d120af513c4b3a747e1d7da5d9b7b3fd
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

15efae55ad58f40a11baa92251e2b1e6d120af513c4b3a747e1d7da5d9b7b3fd

Threat Level: Known bad

The file 2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

Cobaltstrike

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

Xmrig family

xmrig

XMRig Miner payload

UPX packed file

UPX dump on OEP (original entry point)

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 13:43

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 13:43

Reported

2024-06-08 13:47

Platform

win7-20240221-en

Max time kernel

135s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 matches; the report records no description, indicator, process or target for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 matches; the report records no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (52 matches; the report records no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (57 matches; the report records no description, indicator, process or target for any of them)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A (21 load events, all from the submitted sample; no description, indicator or target recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (52 matches; the report records no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\RjprfLn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ppkpORd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nmFTJHp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yMTEKPL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NiLgiYa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QQiQqfb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aFnhkeO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aqTxCVq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nnTmGHG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dImZMoT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nuXyOtT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sqwvTkK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PmEygvH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HktMgIM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gFjAUbs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\klZDBYc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pehMZtc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hSjGMDN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fCfiDJN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TIVlKMH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YNdEHNH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A

Note: SeLockMemoryPrivilege is the privilege a process needs to allocate large pages on Windows. XMRig enables it so that its RandomX dataset can be backed by large pages; a Cobalt Strike Beacon has no use for it. Of the signatures in this report, this row is the one that discriminates between the two tagged families, and it points at the miner component.

Suspicious use of WriteProcessMemory

Each target process received three writes from PID 1908; the 63 original rows are collapsed to one row per target below.

Description Indicator Process Target
PID 1908 wrote to memory of 2936 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\fCfiDJN.exe
PID 1908 wrote to memory of 2548 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\PmEygvH.exe
PID 1908 wrote to memory of 2620 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\HktMgIM.exe
PID 1908 wrote to memory of 2616 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\NiLgiYa.exe
PID 1908 wrote to memory of 2688 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\gFjAUbs.exe
PID 1908 wrote to memory of 2520 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\QQiQqfb.exe
PID 1908 wrote to memory of 2584 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\aqTxCVq.exe
PID 1908 wrote to memory of 2684 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\aFnhkeO.exe
PID 1908 wrote to memory of 2436 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\TIVlKMH.exe
PID 1908 wrote to memory of 2540 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\RjprfLn.exe
PID 1908 wrote to memory of 2836 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\nmFTJHp.exe
PID 1908 wrote to memory of 1996 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\yMTEKPL.exe
PID 1908 wrote to memory of 2212 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\YNdEHNH.exe
PID 1908 wrote to memory of 1552 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\klZDBYc.exe
PID 1908 wrote to memory of 2304 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\nnTmGHG.exe
PID 1908 wrote to memory of 1180 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\dImZMoT.exe
PID 1908 wrote to memory of 1436 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\nuXyOtT.exe
PID 1908 wrote to memory of 1568 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\pehMZtc.exe
PID 1908 wrote to memory of 1748 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\sqwvTkK.exe
PID 1908 wrote to memory of 1660 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\ppkpORd.exe
PID 1908 wrote to memory of 1692 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\hSjGMDN.exe
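The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables describe one pattern: a single parent (PID 1908) writes 21 executables with random 7-letter names into C:\Windows\System, starts each one, and writes into every child it started. The Python below is an added example, not part of the sandbox report or of any tool it names: it parses event rows in the report's own column layout (the rows are rebuilt here from the two tables and embedded as constructed data), deduplicates the repeated writes, and reports the parent's fan-out, the drop-then-write overlap, and how many of the dropped names fit the random pattern. The regular expressions and the 7-letter heuristic are the example's own assumptions.

```python
import re
from collections import defaultdict

PARENT = (r"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087"
          r"_cobalt-strike_cobaltstrike.exe")

# (child PID, dropped executable) pairs copied from the report's WriteProcessMemory table.
CHILDREN = [
    (2936, "fCfiDJN"), (2548, "PmEygvH"), (2620, "HktMgIM"), (2616, "NiLgiYa"),
    (2688, "gFjAUbs"), (2520, "QQiQqfb"), (2584, "aqTxCVq"), (2684, "aFnhkeO"),
    (2436, "TIVlKMH"), (2540, "RjprfLn"), (2836, "nmFTJHp"), (1996, "yMTEKPL"),
    (2212, "YNdEHNH"), (1552, "klZDBYc"), (2304, "nnTmGHG"), (1180, "dImZMoT"),
    (1436, "nuXyOtT"), (1568, "pehMZtc"), (1748, "sqwvTkK"), (1660, "ppkpORd"),
    (1692, "hSjGMDN"),
]

# Constructed event rows in the report's layout: one "File created" row per drop and
# the three "PID A wrote to memory of B" rows the report shows for every child.
EVENT_LINES = [f"File created C:\\Windows\\System\\{n}.exe {PARENT} N/A" for _, n in CHILDREN]
for pid, n in CHILDREN:
    EVENT_LINES += [f"PID 1908 wrote to memory of {pid} N/A {PARENT} C:\\Windows\\System\\{n}.exe"] * 3

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")   # assumed naming heuristic


def parse_events(lines):
    """Return (drops, writes): drops maps dropped path -> dropping image;
    writes maps (src_pid, dst_pid) -> (write count, src image, dst image)."""
    drops, writes = {}, {}
    for line in lines:
        m = DROP_RE.match(line)
        if m:
            drops[m.group(1)] = m.group(2)
            continue
        m = WRITE_RE.match(line)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            count, *_ = writes.get((src, dst), (0, None, None))
            writes[(src, dst)] = (count + 1, m.group(3), m.group(4))
    return drops, writes


def fan_out(writes):
    """Distinct target PIDs per source PID (collapses the repeated write rows)."""
    out = defaultdict(set)
    for src, dst in writes:
        out[src].add(dst)
    return {src: sorted(dsts) for src, dsts in out.items()}


def drop_then_write_targets(drops, writes):
    """Targets the same image first wrote to disk and then wrote into as a process."""
    return [(src, dst, dst_image, count)
            for (src, dst), (count, src_image, dst_image) in writes.items()
            if drops.get(dst_image) == src_image]


def random_named_drops(drops, directory="C:\\Windows\\System\\"):
    """Dropped files in the Windows\\System directory whose name fits the 7-letter pattern."""
    return sorted(p for p in drops
                  if p.startswith(directory) and RANDOM_NAME_RE.match(p[len(directory):]))


def summarize(lines=EVENT_LINES):
    """Compact triage summary of the drop-and-inject behaviour seen in the rows."""
    drops, writes = parse_events(lines)
    return {
        "dropped": len(drops),
        "fan_out": {src: len(d) for src, d in fan_out(writes).items()},
        "drop_then_write": len(drop_then_write_targets(drops, writes)),
        "random_named_system_drops": len(random_named_drops(drops)),
        "writes_per_target": sorted({c for c, *_ in writes.values()}),
    }


if __name__ == "__main__":
    print(summarize())
```

The fan-out figure is the useful one for a detection rule: one process that creates 21 executables under C:\Windows\System and then writes into 21 freshly started children within two minutes is a far narrower condition than any single "WriteProcessMemory" event, which legitimate CreateProcess calls also trigger.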

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe (PID 1908)

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe"

Child processes started from the dropped executables (PIDs taken from the WriteProcessMemory table; each was started with its bare path as the command line):

C:\Windows\System\fCfiDJN.exe (PID 2936)
C:\Windows\System\PmEygvH.exe (PID 2548)
C:\Windows\System\HktMgIM.exe (PID 2620)
C:\Windows\System\NiLgiYa.exe (PID 2616)
C:\Windows\System\gFjAUbs.exe (PID 2688)
C:\Windows\System\QQiQqfb.exe (PID 2520)
C:\Windows\System\aqTxCVq.exe (PID 2584)
C:\Windows\System\aFnhkeO.exe (PID 2684)
C:\Windows\System\TIVlKMH.exe (PID 2436)
C:\Windows\System\RjprfLn.exe (PID 2540)
C:\Windows\System\nmFTJHp.exe (PID 2836)
C:\Windows\System\yMTEKPL.exe (PID 1996)
C:\Windows\System\YNdEHNH.exe (PID 2212)
C:\Windows\System\klZDBYc.exe (PID 1552)
C:\Windows\System\nnTmGHG.exe (PID 2304)
C:\Windows\System\dImZMoT.exe (PID 1180)
C:\Windows\System\nuXyOtT.exe (PID 1436)
C:\Windows\System\pehMZtc.exe (PID 1568)
C:\Windows\System\sqwvTkK.exe (PID 1748)
C:\Windows\System\ppkpORd.exe (PID 1660)
C:\Windows\System\hSjGMDN.exe (PID 1692)

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp (6 connections recorded, all to the same endpoint; no domain was resolved)

Files

memory/1908-0-0x000000013F130000-0x000000013F484000-memory.dmp

memory/1908-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\fCfiDJN.exe

MD5 2f4a204d264c02e44aac95eca3903cf1
SHA1 c4ec6126570e6576ffdf8fde8e14a0a2b446bc6f
SHA256 ec3a30bb6a41e2720c13c7583eef47db0242bb9c015c967b53c4f41b28c50dad
SHA512 00d6056adcce3f384a43ccd1fceee953205cc9a4656e5fbccdba2ac300974701409861dbb6c85de4f3e9409e3f82d4505c40ee13f9b5e1ba13f1f664aaa4581e

\Windows\system\PmEygvH.exe

MD5 fada61fc9948175a56bf39b490ef7c72
SHA1 fbc013ae5bb71e45e77409b0cb93d497dd98b3d0
SHA256 2f57e4101d580b2a866bb0aaa432b070784b60f7623fe82f4531f60362c9ade4
SHA512 26b442612aef830950a7c8f77d806e06f97317300f829864a32ccf68983afd9d8d5c5936c46a569ae73384b745babd956cae8039a489814fc4cac128e0a37250

C:\Windows\system\HktMgIM.exe

MD5 fd1570b6a5ced0b794c82ec12b904580
SHA1 c56b51b789d4738b011171526989dd55e1863073
SHA256 c65eee30befd284d627988f542dc34405113c4c5dceae46e12e0aac2cc3d5299
SHA512 cfd8eea827b7ffa7bf0763f33d443ddbfc92585a6b662e2913876884448cc62c1c07a758660304ea52c47637ee2d1ba46b76efa745f9680a69769be73cfff9d6

memory/1908-17-0x0000000002320000-0x0000000002674000-memory.dmp

memory/1908-26-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/1908-28-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2616-30-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/1908-29-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2620-27-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2548-25-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2936-22-0x000000013F120000-0x000000013F474000-memory.dmp

C:\Windows\system\NiLgiYa.exe

MD5 33e660d057f51cac72486d96e1c364f0
SHA1 c39307b49778dbdb2e8417e8459768734746f861
SHA256 eab13820bd4233145b4f9d9a4b81ef548ef985b7219929828972b64a2c624374
SHA512 609930e77104f6d852cc7c196a234e2b07313f8f3c55469fd524a2d354d503fc219bffd606511ca3ad5442bd744a6ea0a9619a3b0937c7ecd96432f123dafdb2

C:\Windows\system\gFjAUbs.exe

MD5 784ffe2ee1d3594a18f1ade09536f5c1
SHA1 5217d6bda2f04e8ef9140527365a9cc637dd949e
SHA256 3d75b2de3433ab272883600cb2f13bbf88119c741acdf5f95ab6b4a8f21f312e
SHA512 06d46ecf5a0067d2a258a76a50db61025ee02c833b6992b971660456b92ca46a8cc0277fc705f0a603cd7677468dc5ae3b88c32fa0f1afb125f9389e0a7739b5

memory/1908-35-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/2688-37-0x000000013FCC0000-0x0000000140014000-memory.dmp

C:\Windows\system\QQiQqfb.exe

MD5 7f05ce4f1d36fd2e6c778fb33bb3dfd3
SHA1 569ba89d8adb798f14ebe403e341b028fc335bc3
SHA256 bddebb8facf2bf809f50c5b2a1db82f986664f71db4a7f5d86355aacee9af34f
SHA512 2639937707ee665562fcc5ca5b59cb3c1b714e7b789f0cf293ca236221fa5c1e01cd906ee43f99e0dc06c00f94cb2a0d92d461d28bdde96c4f44f75c8d658fea

C:\Windows\system\aqTxCVq.exe

MD5 965ebeeb894bc8f45afe4bdf8246ea91
SHA1 77d8f8e709eb3ff2e0ae681d71953ded4b6e626d
SHA256 d4f5e8d9b175225e9b2661483806fec53013a7bcfea9885e4b901124c5ba83e7
SHA512 2272efb0bef7f7b27922e7679892c08e604b9e6b34da4470ec884398ec81c0604ceff48588efd5c01355716f546d86fa2044e7b7c052a37daa2abc7dd3fee3d7

C:\Windows\system\nmFTJHp.exe

MD5 7226df8fac04b0049197c4d8e057a6ac
SHA1 6f794600cf37adabb84a0bb1449408948a8e996f
SHA256 4ff0b104d8a8e6007f8775272ea029088a2366d64c5381a9e912a919a761e99a
SHA512 6fcfd0278308eaddba9f215c9e3150433162e3e21e51151fb616a38561cdab5eb6b8bea19219be648179fc2f98360ed304af3cf674c73875e5a97f9c2c3fb5fc

C:\Windows\system\yMTEKPL.exe

MD5 3ecbf30965117082b1420763c13be72a
SHA1 1df7b7b2d530f7cdd153fe7a80f1a3ce4196d929
SHA256 1bba64f786673a2ec212d8609a2d872905e01c4b8e2d6c3ec3f59237c4e17cc3
SHA512 b8db5c37fe60518b1eeea3907861fe0d7a2f38d037a81099b279227792d9eb2a93f3104a84f5fef03fb2a6227991acdf0d86c3e36456c702187ad135dd6d0714

\Windows\system\hSjGMDN.exe

MD5 b6d6019b4d04ddc4d0891891ce9251a9
SHA1 3074578802488a69b88a618fcaef7cf00b41545e
SHA256 c6db8aabf5f75f4cf87b979dc89a741ff4fa747ecc5a7cf03c73f4bce16df4af
SHA512 fd296a49e0938c37ce1ca452c79e6a660bd1d78a4c4649c2fc743231d2f835ce0d02cce3319f0f3927e0f5ba907c26759097f44daace460ccfd4f0486c819ef9

C:\Windows\system\ppkpORd.exe

MD5 08bbb24dfd9180418f683df304137397
SHA1 ea4317af138ab315e6faf71aee4f7207f88f78d9
SHA256 b3308fff7174b3cde6427ba310f771aad99ccde8fe99313ecab273d1f12d3ab9
SHA512 89a6658b2194ac377330427d90ae84f8f75afd576534584c160e78d25c526a6c8d54135038826acf801129b1e142c27c4954e4cd268dec215c4d49a6d438f758

C:\Windows\system\sqwvTkK.exe

MD5 86bc6566badd0f3e93dac5e6b8108b4c
SHA1 0e1238d5a88f09923fdbfd568e81c670b9732149
SHA256 0bca74c1888edc20839f6a70075493985f7af24e51381f253c82c22e40203381
SHA512 5815d6914c48f63e2399645586ba893b63647ab81254871815e39e6aafcd75b7e0ffdd2da39b24145f97a8076f36a760a95999e61805e2d9ac644e5331ee8ab2

memory/1908-120-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/2436-123-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/1908-126-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/1996-129-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/2212-131-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/1908-133-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/1908-134-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/1552-132-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/1908-130-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/1908-128-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2836-127-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/2540-125-0x000000013F500000-0x000000013F854000-memory.dmp

memory/1908-124-0x000000013F500000-0x000000013F854000-memory.dmp

memory/1908-122-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2684-121-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/2584-119-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/2520-118-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/1908-117-0x0000000002320000-0x0000000002674000-memory.dmp

C:\Windows\system\pehMZtc.exe

MD5 4a1988f39ceb99af58bc95d06638f322
SHA1 4dd89ae5a26d34b3ca1261fc51a6bd88205259f5
SHA256 06abb96430bc179bf67f1b20b231fb76565b519fd728f86fc61cfc99a347fb37
SHA512 a3509691db49257b7f6f0341854d965e376111ff9f2ed131cba8fcd9f33d89d06fd684a3e99921b21552692312bf3ba65d342a3db09dfa4db6595b5f5c7c8f31

C:\Windows\system\nuXyOtT.exe

MD5 215f2abb009f123802624084f30a7533
SHA1 c27f4d62922d5e55c78165794e6b38fd499d369a
SHA256 e4752a92540a794bec9ce8579d2a85630fecb7ff060f1ac2e1870b126f7a2e46
SHA512 bff2451f54e33932cf41ddc5cd37593e71a736f03426d9dca2d14d0360da2750999254cab4e6369ac37c87de16827916c7db17e9aa258f2076e2b0d5f2bddbfb

C:\Windows\system\dImZMoT.exe

MD5 33c6bcf162fb3544238d01fe76088702
SHA1 e35797cff31f09410c545109f79f536f85b66c06
SHA256 16e2f7eacd94d3be57f58f488cf438b24fa0b465b48d6a7ca7dd9bc0ce51a85d
SHA512 b0d7919b69454868c9b913fb9b9ba3cf7d2efda83f47667ef91385ef16c4dfc3e760de46674431d0a348209ba7c0a912444d214a8c3e113cf9953ade3c80730d

C:\Windows\system\nnTmGHG.exe

MD5 cbbcc21874fc2182b9e8ec9491061f5a
SHA1 3a712500bc9236b5fcb83215fbd58d2c91769dcd
SHA256 b85df1b62255cb55a049e145c87eb678416fe37d5c1e8e1097b77f3581d1e583
SHA512 cdb210d4d338e62017fcbe38826791f7386d674f6e0ec7ba7f29983f2b4f54a5a60f832f7620b729f44e5b6520ca9048b2e7085720d6c81b1a4cdb2103e1f541

C:\Windows\system\klZDBYc.exe

MD5 281ebb28fbedc87a1117a0577616fee0
SHA1 a92355366821cdf7e3780268de76becff8f18b0b
SHA256 36af5ef3ac9fe90721a4148f3ac3d267d26a8ee032f359adb56df057b02e2c7c
SHA512 332f50958cb0c27ad55f159f08dbea4b33ddc396e1da9f4afe3d8295a49287e5ffb05d8b96c9f68380ad08d76c883f5cc828a068e54d9f491ee1264d84bbd4d0

C:\Windows\system\YNdEHNH.exe

MD5 4b176c79be3b6d1762c8c340a13cae7a
SHA1 a4ebe346907e650cb6d29937ea1501a15c2483f5
SHA256 2152de735a09564c6456d2cc0e8a30a0995a5c4cab51fa3f279a31f0279cd49c
SHA512 505dc0e340192f84a350ad6c090d88dd3d84e95c91923a6b03ab0b5fad2e9dac1076b956337b593e8127682f9f7274cbf03b319a8190073914e4242dd9e484af

C:\Windows\system\RjprfLn.exe

MD5 33a0448f5b13a982431e1a690befa50e
SHA1 b6da075d1fcba48bd63f5e22e28ea1d1f0905ac8
SHA256 c142281faab1981584fcfbac475ddefad0cdcdfe0937bd3dcdeb568c5c9fcb3f
SHA512 dcb613883d6849a68b2fcff06194a6a1f2211ac40e48b68f4b92892226cacc66006a7b558d0fdb3843becc038c1359cf49f5227738dccaad418e8b9d056a2641

C:\Windows\system\TIVlKMH.exe

MD5 ee11a1334a8c41e13c50edca8c901d6b
SHA1 3ae7ca66c2f47535333a802b3e07e473150cbea2
SHA256 a7ac8437fae23ebf871da384079d181f4196ca5873036ca2706f7379858eecef
SHA512 904e5fef86835f9d19b924a6373a90536351edd545ea2ff0333ded6b7f53fcec075bcd1bf24a42894bf1f1429797c8aa6e44dc8904c154c864f171a65166b9dd

C:\Windows\system\aFnhkeO.exe

MD5 bc00853350ea8a2acccf9dc4cfa1ffbf
SHA1 30269a17ba3d1b351e4aa68717cce18ea3d7a10c
SHA256 9292333617d32af52808bd253350d2279653235ef10b371da07203763820cb93
SHA512 bd066ff188e1e1b22e66255578932460122e0b4b60cb8866ac1af633fae2036fe4689182690747a973b0d80506f80c1caadfc6a6723e4d1a0cf48f31ab3b6c16

memory/1908-135-0x000000013F130000-0x000000013F484000-memory.dmp

memory/1908-136-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/2688-137-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/1908-138-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/1908-139-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2548-140-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2936-141-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2616-143-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2620-142-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2688-144-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/2520-145-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/1552-153-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/2212-152-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/1996-151-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/2836-150-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/2540-149-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2436-148-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2584-147-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/2684-146-0x000000013FFB0000-0x0000000140304000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 13:43

Reported

2024-06-08 13:47

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 hits in total, every column N/A; the report records no description, indicator, process or target for this signature)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 hits in total, every column N/A; the report records no description, indicator, process or target for this signature)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 hits in total, every column N/A; the report records no description, indicator, process or target for this signature)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 hits in total, every column N/A; the report records no description, indicator, process or target for this signature)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 hits in total, every column N/A; the report records no description, indicator, process or target for this signature)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IthfdTq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jINqasD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\efLODSi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DyTSQSB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oKoiAyJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ifpRqfB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sPcIbum.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eMZbmvg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CZpKFgF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wKGQGWX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SvUKAax.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BZdvyUr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BcwVYZg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZmfEkGF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ceqPjoa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JUCiIHd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QYBNxpZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wptSbTO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UXzVfmq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rRrardn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DpWMmAF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

SeLockMemoryPrivilege ("Lock pages in memory") is the privilege a process needs to allocate large pages on Windows. XMRig enables it so that its RandomX dataset can be backed by large pages, so a process that is not database or hypervisor software enabling this privilege is a strong miner indicator and corroborates the XMRig detections above.

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Every write below is from the dropper (PID 1920) into one of the 21 children it spawned from C:\Windows\System; each child is listed twice because the sandbox logged two writes per child. A parent writing into a child it has just created is what process creation looks like to an API monitor, so on their own these rows document the execution chain rather than injection into an unrelated process.

Description Indicator Process Target
PID 1920 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\CZpKFgF.exe
PID 1920 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\CZpKFgF.exe
PID 1920 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\efLODSi.exe
PID 1920 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\efLODSi.exe
PID 1920 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\UXzVfmq.exe
PID 1920 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\UXzVfmq.exe
PID 1920 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\DyTSQSB.exe
PID 1920 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\DyTSQSB.exe
PID 1920 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\wKGQGWX.exe
PID 1920 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\wKGQGWX.exe
PID 1920 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\oKoiAyJ.exe
PID 1920 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\oKoiAyJ.exe
PID 1920 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\rRrardn.exe
PID 1920 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\rRrardn.exe
PID 1920 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\BcwVYZg.exe
PID 1920 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\BcwVYZg.exe
PID 1920 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZmfEkGF.exe
PID 1920 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZmfEkGF.exe
PID 1920 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\ceqPjoa.exe
PID 1920 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\ceqPjoa.exe
PID 1920 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\DpWMmAF.exe
PID 1920 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\DpWMmAF.exe
PID 1920 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\ifpRqfB.exe
PID 1920 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\ifpRqfB.exe
PID 1920 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\JUCiIHd.exe
PID 1920 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\JUCiIHd.exe
PID 1920 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\SvUKAax.exe
PID 1920 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\SvUKAax.exe
PID 1920 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\QYBNxpZ.exe
PID 1920 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\QYBNxpZ.exe
PID 1920 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\wptSbTO.exe
PID 1920 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\wptSbTO.exe
PID 1920 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\sPcIbum.exe
PID 1920 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\sPcIbum.exe
PID 1920 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\eMZbmvg.exe
PID 1920 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\eMZbmvg.exe
PID 1920 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\IthfdTq.exe
PID 1920 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\IthfdTq.exe
PID 1920 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\jINqasD.exe
PID 1920 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\jINqasD.exe
PID 1920 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\BZdvyUr.exe
PID 1920 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\BZdvyUr.exe
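The table above is flat text, so turning it into a parent/child map is the first thing a triage script does with it. The following is an added example, not part of the sandbox report: it parses rows in exactly the format printed above (three of the 21 children are embedded as sample input, copied from the table), collapses the duplicated rows into one entry per child, cross-checks each written-to child against the "Drops file in Windows directory" list, and applies a hypothetical naming heuristic (seven letters, no digits, under C:\Windows\System) that every dropped file in this report happens to match. The heuristic and the function names are the example's own, not the sandbox's.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table of this
# report (three of the 21 children, each listed twice as in the report).
# Paste the remaining rows in the same format to cover every child.
WPM_ROWS = r"""
PID 1920 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\CZpKFgF.exe
PID 1920 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\CZpKFgF.exe
PID 1920 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\efLODSi.exe
PID 1920 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\efLODSi.exe
PID 1920 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\UXzVfmq.exe
PID 1920 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe C:\Windows\System\UXzVfmq.exe
"""

# The matching "File created" targets from the "Drops file in Windows directory" table.
DROPPED = [
    r"C:\Windows\System\CZpKFgF.exe",
    r"C:\Windows\System\efLODSi.exe",
    r"C:\Windows\System\UXzVfmq.exe",
]

# Row layout: PID <parent> wrote to memory of <child> <indicator> <process> <target>
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")

# Hypothetical hunting heuristic (not from the report): seven letters, no
# digits, dropped directly under C:\Windows\System.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_write_events(text):
    """Return (parent_pid, child_pid, parent_image, child_image) for every row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ppid, cpid, _indicator, src, dst = m.groups()
            events.append((int(ppid), int(cpid), src, dst))
    return events


def injection_tree(events):
    """Collapse the duplicated rows into {parent_pid: {child_pid: child_image}}."""
    tree = defaultdict(dict)
    for ppid, cpid, _src, dst in events:
        tree[ppid][cpid] = dst
    return dict(tree)


def crosscheck(tree, dropped):
    """Split written-to children into (also dropped, written but never dropped)."""
    written = {img.lower() for children in tree.values() for img in children.values()}
    dropped_set = {p.lower() for p in dropped}
    return sorted(written & dropped_set), sorted(written - dropped_set)


def looks_randomly_named(path):
    """True when the path matches the seven-letter C:\\Windows\\System pattern."""
    return bool(RANDOM_NAME_RE.match(path))


if __name__ == "__main__":
    tree = injection_tree(parse_write_events(WPM_ROWS))
    for ppid, children in tree.items():
        print(f"parent {ppid} wrote into {len(children)} children")
        for cpid, img in sorted(children.items()):
            flag = "random-name" if looks_randomly_named(img) else ""
            print(f"  {cpid:>5}  {img}  {flag}")
    known, unknown = crosscheck(tree, DROPPED)
    print("dropped and written:", len(known), "| written but never dropped:", unknown)
```

With the full table pasted in, the tree should show a single parent (1920) and 21 children, and the second list returned by crosscheck should be empty; any child that was written to but never appears as a dropped file would be the interesting case, because it would point at a process the dropper did not create itself.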

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\CZpKFgF.exe

C:\Windows\System\CZpKFgF.exe

C:\Windows\System\efLODSi.exe

C:\Windows\System\efLODSi.exe

C:\Windows\System\UXzVfmq.exe

C:\Windows\System\UXzVfmq.exe

C:\Windows\System\DyTSQSB.exe

C:\Windows\System\DyTSQSB.exe

C:\Windows\System\wKGQGWX.exe

C:\Windows\System\wKGQGWX.exe

C:\Windows\System\oKoiAyJ.exe

C:\Windows\System\oKoiAyJ.exe

C:\Windows\System\rRrardn.exe

C:\Windows\System\rRrardn.exe

C:\Windows\System\BcwVYZg.exe

C:\Windows\System\BcwVYZg.exe

C:\Windows\System\ZmfEkGF.exe

C:\Windows\System\ZmfEkGF.exe

C:\Windows\System\ceqPjoa.exe

C:\Windows\System\ceqPjoa.exe

C:\Windows\System\DpWMmAF.exe

C:\Windows\System\DpWMmAF.exe

C:\Windows\System\ifpRqfB.exe

C:\Windows\System\ifpRqfB.exe

C:\Windows\System\JUCiIHd.exe

C:\Windows\System\JUCiIHd.exe

C:\Windows\System\SvUKAax.exe

C:\Windows\System\SvUKAax.exe

C:\Windows\System\QYBNxpZ.exe

C:\Windows\System\QYBNxpZ.exe

C:\Windows\System\wptSbTO.exe

C:\Windows\System\wptSbTO.exe

C:\Windows\System\sPcIbum.exe

C:\Windows\System\sPcIbum.exe

C:\Windows\System\eMZbmvg.exe

C:\Windows\System\eMZbmvg.exe

C:\Windows\System\IthfdTq.exe

C:\Windows\System\IthfdTq.exe

C:\Windows\System\jINqasD.exe

C:\Windows\System\jINqasD.exe

C:\Windows\System\BZdvyUr.exe

C:\Windows\System\BZdvyUr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 52.111.229.43:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1920-0-0x00007FF68D200000-0x00007FF68D554000-memory.dmp

memory/1920-1-0x000001CB030B0000-0x000001CB030C0000-memory.dmp

C:\Windows\System\CZpKFgF.exe

MD5 15244e4c55e9cda28e70036e2a63c866
SHA1 b633cf4f186f7735823cd137c4fc4e639cfd8eb0
SHA256 a783e6c9df686b1d9f59be250d9a3eb97022abc331cdcf9d985dcf14da6f5f96
SHA512 defe88d8f782266aa6c6360739c4dfe0089ff398be84e1f8f61ea6f88a73e3cf596d6aa9438f08e67fc7e660940fdaab0bd6373a838d41707db28996be155647

C:\Windows\System\efLODSi.exe

MD5 e0e0805cfabdbbb175dca0401a26b7b0
SHA1 8d59783be76b770eb83e8a6cfc3909a2599d3f8b
SHA256 99bc99502d5baea815b2cea5ed1e56243c069f80ed3651420e990af398c64cbf
SHA512 f811d769e02b43df3b82a5ce3d5f2905e0180b768adda5b1d86f6966c507706f56c8ad5fdb831bd98a56f53f8a16bbbe81a4e367c238a37ecf921d4c1ed975b0

memory/2764-7-0x00007FF6E28C0000-0x00007FF6E2C14000-memory.dmp

C:\Windows\System\UXzVfmq.exe

MD5 7ab1403902f7be3ce3c169a32e12dda8
SHA1 f24e84acc764c57ea67cfdf70d760876ba7d715d
SHA256 8958b3505ea75942f41eeef60b1ac98b8551ff2f903a8a206acb4baa0f22418d
SHA512 0f866e02cf258465937e18780caa11f613e1e0011cea9b601d1d411a041e035eaa19d2ccfd426e49f1e4589cfefb8cdf4be6ec5f0cb73a6c76e430aa15d2185d

memory/4388-18-0x00007FF652A10000-0x00007FF652D64000-memory.dmp

memory/2772-14-0x00007FF7C84B0000-0x00007FF7C8804000-memory.dmp

C:\Windows\System\DyTSQSB.exe

MD5 7cbf7455897ff6191f1593b3db47087f
SHA1 15d05ccb1916e48c8306990a0433aca068e1333c
SHA256 3a2d6bd0a9a5f92215f06fcc25b24f0f74120663a4f784b9a1ce42c424a59f65
SHA512 6b05ada9a5cf87da69f23bc3f139304fc6fdb2cc2c75e9d68df40db8cafc42060a8ba0c0dd7584873b69f0551312706d307e4c2d60ec7d9cdb2c927ed509a305

memory/5048-25-0x00007FF770430000-0x00007FF770784000-memory.dmp

C:\Windows\System\wKGQGWX.exe

MD5 879b09ab3079ba88f7cf34bb4bb3f01b
SHA1 d14b04f1ab99af2918180a4cea63423d51bbf785
SHA256 86ca357d7d6c67083e84a0ff48963a85bb84cb3b6727a3c521424316e96b47d9
SHA512 a99c92a8cb9f6c0be07296c1885caa528799701fc855ed6e4a39e2fbc8b879d4023fcf304e4741105cbcca9e9daa58be57590ec0c40269905dda2a0f01edf241

memory/5008-33-0x00007FF7BCF70000-0x00007FF7BD2C4000-memory.dmp

C:\Windows\System\oKoiAyJ.exe

MD5 804cd1eff9f5d36224c2fb1f6be3473e
SHA1 446a0774909a61c480897872e3e8c4d7680984ca
SHA256 19ba8d79cb0cd2b2af76289e4bed0f3b1935ac18882ed449c7d63d87c9bc34ee
SHA512 4c9e98d74e07a7d9585f7a9e37a33b7176d0b0daf64710acfdfc3d3fc66410545617c88d5c82fcdf9b0c91725eeb20eb827d021ec83a8ad35094a22c35506166

memory/4792-46-0x00007FF74A250000-0x00007FF74A5A4000-memory.dmp

C:\Windows\System\BcwVYZg.exe

MD5 c39c475afc95a9a45c9297113e41b4e5
SHA1 2827bd9805a5e608c9b469c1c8aaf1a7f07f8017
SHA256 8d224ca35455e7570ae5755d544bafb9b03d587c200b220b1f7093beb1bd828b
SHA512 86431b29d93a4119026705452608701035cead8752ed85a2ae2f4162010092ce5a4831290a8bb833af528e8612f484863330d69b7548a25f7822972b29c2fee6

C:\Windows\System\ceqPjoa.exe

MD5 c88bd00935a512aa5ae9b58dde5c9e6f
SHA1 cd25bafcb7327f53befd3a17e6a4e1417be5e018
SHA256 81ffd717615a5ba307556bb82e140d11058402644a6a0364047d3ca1c92e6c68
SHA512 0459e822b612dd875b493217d64c2454b73763cdcb2a1248545d23a8ba8281dbeb0de7c2c237ef81602c187eff4f66c3c611a2b1c2f3b3072293abfd8a48b881

C:\Windows\System\DpWMmAF.exe

MD5 eeae35a08d83a7baec90532eba1dd1d6
SHA1 aa50a7593bfe7dce0cc593968941d232ac2cf649
SHA256 e01a44d2c9072804f0623a28fa85a2a6af503db6d25255730c6420e3d7b8e1b8
SHA512 aa76d0a177a5c6c260ca9112f6dcdfc882b216e9d6ed32ec5dadb540c429040b55aff8ab69da2d91897ba0fc919431f0d3c9b1fde625946a9fedcdad0ca5c2e3

C:\Windows\System\JUCiIHd.exe

MD5 691146249bc1bb145faa3451e1735644
SHA1 eb57f493f155d970b88c0771b9bf5d44bf1a6010
SHA256 fc38bf011ba4dd473e6a42c726475fcd44321e10ce07d70fc68d0800c446f683
SHA512 9cbc2c01d4271d70c169101421cc33d00dc0dfcc42f979344d273d9df20cbe29862fba9a2c280d57eb9c8ff2d3cd5e5caded634905a63947161777fa393361af

memory/1920-76-0x00007FF68D200000-0x00007FF68D554000-memory.dmp

C:\Windows\System\ifpRqfB.exe

MD5 14f5133d8ef03dc26e8cb33ad89cf81d
SHA1 5eeaf37e5db4b522f10fa20e192b9627cebb7ffa
SHA256 d74128cd5bb9befaff7b331385e9db1a39bdf752674a88fc0d3b4f526e3ca771
SHA512 19635d7035ca8c9aa6636eeb1faef65c660cb9fb4bdecdda295a9ab2a8c6324d202e49e146e8224ff4fe479c72e6e6652d842ed7538a29ff5b5ba20bf04c8ca2

memory/2628-79-0x00007FF7A05C0000-0x00007FF7A0914000-memory.dmp

memory/2256-75-0x00007FF61A780000-0x00007FF61AAD4000-memory.dmp

memory/3532-73-0x00007FF7218E0000-0x00007FF721C34000-memory.dmp

memory/1872-59-0x00007FF7CFDF0000-0x00007FF7D0144000-memory.dmp

memory/656-58-0x00007FF73A180000-0x00007FF73A4D4000-memory.dmp

memory/436-57-0x00007FF7047F0000-0x00007FF704B44000-memory.dmp

memory/980-54-0x00007FF7E2480000-0x00007FF7E27D4000-memory.dmp

C:\Windows\System\ZmfEkGF.exe

MD5 cac6619450afb3363bb9f5093726052d
SHA1 386c0285316ce1286cb9e60aa9c1f4cbffff34c4
SHA256 aca911487d02402e71442df4b0ee09ddba8ed3b423731c7973050c034d42357f
SHA512 9513cdda485dee512fe93bcafa9928f11fa5b5054852cf196701b5ca7d66bbf6702c8c0fccff3262c02961918276e08844ffe7eb69a54337e75b98c825ddb0dd

C:\Windows\System\rRrardn.exe

MD5 02fbb5ad2d4763027ee6b9540a9e595f
SHA1 e1e217088149720fdfd9b622e19a24bce7bf86cf
SHA256 c956f0d37b2bb5ffee0c41f5c1dc832a32e2b4edc8636662f6f3dd0ed00dacb0
SHA512 fd77f4294de07221929caff88e8969c06a783a6b00099249c857e77535af2a9c9648deeaefded6307674b95b1aed5b86ee2ef5d38509cad3563273a1b1901d83

C:\Windows\System\SvUKAax.exe

MD5 13978664d143120437acd9418d851333
SHA1 4e5ec373e544f20dcf856385401c4f017665b948
SHA256 b6e2c02450aad0cca8c86da1a3c2f4197c2fb9f3d5d9b219648274cf9cbf1132
SHA512 2f162c6b0c4c8f4041a906041751af638f8cc94d947508dc6046808851dfc4b5b48be6c15dc6f2da70a54e86dbdb2394e411f28d91dbd7d00c1f421710313f2e

C:\Windows\System\wptSbTO.exe

MD5 29715f56739bdbae966f298c095037d2
SHA1 d3cf9f8192c420a2784552c87fbc5196639164ad
SHA256 465d70fcabb7fdd538ed12dfb2a2ff8a7bc3593e95dd79634bebf7e7354fcd2b
SHA512 f5bfb9932b614b43a7251ad6f2f9915a34be0af517ecb2d69d36b01d8486354326c43e9b50a1d7cbe48457d280108f76e94badf19a65c0d597e0db7808101610

C:\Windows\System\eMZbmvg.exe

MD5 24eba8ee8b135de990b7528bfa5845d1
SHA1 edf8fa017c0a6fc09285246748d5e6ae3333c64e
SHA256 93ac6a86c1859f3eb98ad337ef5ec50b12be5227dc7a13a45a669676875b6381
SHA512 b3c0afc36b6e775dd6401ab2586a0c72dc4bd16ad0fa9d4942fc25011beb7e5f13b0677e73e667f1380c96593420bb19505a167cb0f354c99f2b479674f3b139

C:\Windows\System\BZdvyUr.exe

MD5 13d4d022c00b61cf73bc7f0a4ab0e6f7
SHA1 5a82f9ba4fd16a496a3f1d738e55770d5c318a0a
SHA256 60cbb350067e36e3746e8f1d5787a896d176647f7cd5b1b703971e64e0936280
SHA512 d4c24e91b2b87903450e483330a19e59d07a837f663bb45fa60166c787ab0b02ff83df53935bbe7413c505e8d26d22aeb2fc7e74e0ff9e8bbf652ad5817a4096

C:\Windows\System\jINqasD.exe

MD5 9ee4b2f6a725ade6c9a30d9ea77a0c97
SHA1 3b53e2de6704fc237d97af3f407a24b97094be1a
SHA256 8dd0cf86083b4a9acfb50d7e4c4f710baa03aeb5b24a9b1dc6ad3f0d002aba35
SHA512 006ea1a9d25fad1435bad88f649198648659e5f308e7d4a73dee51812df0ee9571e371217c2c92dd4685af24ffa9138886c97ac7510eb10c20f4b362d8d145de

C:\Windows\System\IthfdTq.exe

MD5 13e8b7ac4c7db2616d75b097d3d1f64f
SHA1 79d192e6f37ab9f0f77f539c1901b1d8689b136f
SHA256 aa5c984455e185bced5025def71c6ecb105be6a969f85703164d479d1d44a698
SHA512 5ad10de231993ded43562271548683b18495c041dca62e9a44b16f6a667cbc139466f67200caeeaeeabf723bfcb609b41a70e3acbd5630e632e97c6ea200376c

memory/460-117-0x00007FF74C830000-0x00007FF74CB84000-memory.dmp

memory/4448-116-0x00007FF7F4BE0000-0x00007FF7F4F34000-memory.dmp

C:\Windows\System\QYBNxpZ.exe

MD5 52546d4d52086507ce4d3a0e16e3266c
SHA1 faf43a1c0526704c43f07140fc23473463869f69
SHA256 1c36d76c5ace25381f19a670618acd2fa66fd94654ea26cf3c8d9cddad23f1e0
SHA512 a91c47258ab80cdc8345861ee8f12aa005b98a77d67c9d60e016fbe154e37264d7e68d29845470695b996fb4fdd75c4d88d8dbaa405924227bc8380d493cd4d5

memory/4388-107-0x00007FF652A10000-0x00007FF652D64000-memory.dmp

memory/520-103-0x00007FF783F60000-0x00007FF7842B4000-memory.dmp

memory/4576-100-0x00007FF7B8A00000-0x00007FF7B8D54000-memory.dmp

memory/3136-99-0x00007FF6BFD90000-0x00007FF6C00E4000-memory.dmp

C:\Windows\System\sPcIbum.exe

MD5 729a2f3129cb6b97bab8c84430e52db7
SHA1 191c2fc39f1b1a554f62b693a038639fb6c83f04
SHA256 bf6323df3e8cb11595e5c37798091e3acf1ccda9e15283487115bda6d6360e97
SHA512 458e7abcb1c5010bcfa93b713b2f8d2498ffaa42c108919d3773b8dda2fa72508eac23d25afd0b84c9561456577fd097d4b5b8a6522d6ad112e763aae5466a0c

memory/2772-91-0x00007FF7C84B0000-0x00007FF7C8804000-memory.dmp

memory/2764-90-0x00007FF6E28C0000-0x00007FF6E2C14000-memory.dmp

memory/1604-129-0x00007FF674610000-0x00007FF674964000-memory.dmp

memory/4900-130-0x00007FF78FB70000-0x00007FF78FEC4000-memory.dmp

memory/1836-132-0x00007FF6B9A10000-0x00007FF6B9D64000-memory.dmp

memory/5048-131-0x00007FF770430000-0x00007FF770784000-memory.dmp

memory/5008-133-0x00007FF7BCF70000-0x00007FF7BD2C4000-memory.dmp

memory/1872-134-0x00007FF7CFDF0000-0x00007FF7D0144000-memory.dmp

memory/2256-135-0x00007FF61A780000-0x00007FF61AAD4000-memory.dmp

memory/2628-136-0x00007FF7A05C0000-0x00007FF7A0914000-memory.dmp

memory/3136-137-0x00007FF6BFD90000-0x00007FF6C00E4000-memory.dmp

memory/520-138-0x00007FF783F60000-0x00007FF7842B4000-memory.dmp

memory/4448-139-0x00007FF7F4BE0000-0x00007FF7F4F34000-memory.dmp

memory/460-140-0x00007FF74C830000-0x00007FF74CB84000-memory.dmp

memory/1604-141-0x00007FF674610000-0x00007FF674964000-memory.dmp

memory/2764-142-0x00007FF6E28C0000-0x00007FF6E2C14000-memory.dmp

memory/2772-143-0x00007FF7C84B0000-0x00007FF7C8804000-memory.dmp

memory/4388-144-0x00007FF652A10000-0x00007FF652D64000-memory.dmp

memory/5048-145-0x00007FF770430000-0x00007FF770784000-memory.dmp

memory/5008-146-0x00007FF7BCF70000-0x00007FF7BD2C4000-memory.dmp

memory/4792-147-0x00007FF74A250000-0x00007FF74A5A4000-memory.dmp

memory/980-148-0x00007FF7E2480000-0x00007FF7E27D4000-memory.dmp

memory/436-149-0x00007FF7047F0000-0x00007FF704B44000-memory.dmp

memory/656-150-0x00007FF73A180000-0x00007FF73A4D4000-memory.dmp

memory/3532-151-0x00007FF7218E0000-0x00007FF721C34000-memory.dmp

memory/1872-152-0x00007FF7CFDF0000-0x00007FF7D0144000-memory.dmp

memory/2628-153-0x00007FF7A05C0000-0x00007FF7A0914000-memory.dmp

memory/2256-154-0x00007FF61A780000-0x00007FF61AAD4000-memory.dmp

memory/4576-155-0x00007FF7B8A00000-0x00007FF7B8D54000-memory.dmp

memory/3136-156-0x00007FF6BFD90000-0x00007FF6C00E4000-memory.dmp

memory/520-157-0x00007FF783F60000-0x00007FF7842B4000-memory.dmp

memory/460-158-0x00007FF74C830000-0x00007FF74CB84000-memory.dmp

memory/4448-159-0x00007FF7F4BE0000-0x00007FF7F4F34000-memory.dmp

memory/4900-160-0x00007FF78FB70000-0x00007FF78FEC4000-memory.dmp

memory/1836-161-0x00007FF6B9A10000-0x00007FF6B9D64000-memory.dmp

memory/1604-162-0x00007FF674610000-0x00007FF674964000-memory.dmp
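The memory dump names in both Files sections encode the address range of each dumped region, and the ranges are more informative than they look: the dropper and every child it spawned, in both detonations, map an image of exactly the same size even though the 21 dropped files all have different hashes. The following is an added example, not part of the sandbox report: it parses dump names in the memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp format used above (a handful of names from both behavioral1 and behavioral2 are embedded as sample input), computes each region's size, and groups PIDs by size so that identically sized images stand out from unrelated allocations. Function names are the example's own.

```python
import re
from collections import defaultdict

# Dump names copied from the Files sections of this report: four from
# behavioral2 (win10v2004, image bases in the 0x7FF6... range) and three
# from behavioral1 (image bases in the 0x13F... range). Extend the list
# with the remaining names to cover every region.
DUMP_NAMES = [
    "memory/1920-0-0x00007FF68D200000-0x00007FF68D554000-memory.dmp",
    "memory/1920-1-0x000001CB030B0000-0x000001CB030C0000-memory.dmp",
    "memory/2764-7-0x00007FF6E28C0000-0x00007FF6E2C14000-memory.dmp",
    "memory/4388-18-0x00007FF652A10000-0x00007FF652D64000-memory.dmp",
    "memory/1908-126-0x000000013F6E0000-0x000000013FA34000-memory.dmp",
    "memory/1908-128-0x0000000002320000-0x0000000002674000-memory.dmp",
    "memory/2540-125-0x000000013F500000-0x000000013F854000-memory.dmp",
]

NAME_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Split a dump file name into pid, index, start, end and size (bytes)."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "idx": int(idx), "start": start, "end": end, "size": end - start}


def size_groups(names):
    """Map region size -> set of PIDs that had a region of that size."""
    groups = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        groups[d["size"]].add(d["pid"])
    return dict(groups)


def dominant_image_size(names):
    """The region size shared by the most PIDs: the payload image every process maps."""
    groups = size_groups(names)
    return max(groups, key=lambda size: len(groups[size]))


if __name__ == "__main__":
    groups = size_groups(DUMP_NAMES)
    for size, pids in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        print(f"size 0x{size:X} ({size:,} bytes): pids {sorted(pids)}")
    print(f"dominant image size: 0x{dominant_image_size(DUMP_NAMES):X}")
```

For the names above the dominant size is 0x354000 (3,489,792 bytes), shared by the dropper and each child in both detonations; the single 0x10000 region in PID 1920 sits in a non-image address range and is an ordinary data allocation. Twenty-one files with different hashes but one identical image size is consistent with one payload being re-written per drop rather than with twenty-one distinct programs, which is the working assumption to test when the dropped files are compared.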