Malware Analysis Report

2024-10-16 03:06

Sample ID 240608-vv1yysdg21
Target 2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike
SHA256 2f4f6dd3562c3dc6b5e75ae49e619be7bf558b1fe64e6258ab4810319a0fd68b
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

2f4f6dd3562c3dc6b5e75ae49e619be7bf558b1fe64e6258ab4810319a0fd68b

Threat Level: Known bad

The file 2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

UPX dump on OEP (original entry point)

Xmrig family

Cobalt Strike reflective loader

xmrig

Detects Reflective DLL injection artifacts

Cobaltstrike family

Cobaltstrike

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 17:19

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 17:19

Reported

2024-06-08 17:22

Platform

win7-20240221-en

Max time kernel

124s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JxxkXhC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VAhTfdB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hjLNfvk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\APQNKBB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\steCAUd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HKZxiyt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vjSIfsf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lWRYWQj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zfJyEmn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gMAsYZQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GCPddTT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TwjJDMe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IatcuOi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dcvkBjN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kVKSbCw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SwwqPay.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GUsjEKl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\smFJGuR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SdUOaNj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oDGIUFH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ThejKho.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\JxxkXhC.exe
PID 1760 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\JxxkXhC.exe
PID 1760 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\JxxkXhC.exe
PID 1760 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\GCPddTT.exe
PID 1760 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\GCPddTT.exe
PID 1760 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\GCPddTT.exe
PID 1760 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\steCAUd.exe
PID 1760 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\steCAUd.exe
PID 1760 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\steCAUd.exe
PID 1760 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\TwjJDMe.exe
PID 1760 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\TwjJDMe.exe
PID 1760 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\TwjJDMe.exe
PID 1760 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\HKZxiyt.exe
PID 1760 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\HKZxiyt.exe
PID 1760 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\HKZxiyt.exe
PID 1760 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\vjSIfsf.exe
PID 1760 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\vjSIfsf.exe
PID 1760 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\vjSIfsf.exe
PID 1760 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\IatcuOi.exe
PID 1760 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\IatcuOi.exe
PID 1760 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\IatcuOi.exe
PID 1760 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\dcvkBjN.exe
PID 1760 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\dcvkBjN.exe
PID 1760 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\dcvkBjN.exe
PID 1760 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\kVKSbCw.exe
PID 1760 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\kVKSbCw.exe
PID 1760 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\kVKSbCw.exe
PID 1760 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\VAhTfdB.exe
PID 1760 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\VAhTfdB.exe
PID 1760 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\VAhTfdB.exe
PID 1760 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\hjLNfvk.exe
PID 1760 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\hjLNfvk.exe
PID 1760 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\hjLNfvk.exe
PID 1760 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\GUsjEKl.exe
PID 1760 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\GUsjEKl.exe
PID 1760 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\GUsjEKl.exe
PID 1760 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\SwwqPay.exe
PID 1760 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\SwwqPay.exe
PID 1760 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\SwwqPay.exe
PID 1760 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\lWRYWQj.exe
PID 1760 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\lWRYWQj.exe
PID 1760 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\lWRYWQj.exe
PID 1760 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\zfJyEmn.exe
PID 1760 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\zfJyEmn.exe
PID 1760 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\zfJyEmn.exe
PID 1760 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\smFJGuR.exe
PID 1760 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\smFJGuR.exe
PID 1760 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\smFJGuR.exe
PID 1760 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\SdUOaNj.exe
PID 1760 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\SdUOaNj.exe
PID 1760 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\SdUOaNj.exe
PID 1760 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\oDGIUFH.exe
PID 1760 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\oDGIUFH.exe
PID 1760 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\oDGIUFH.exe
PID 1760 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\ThejKho.exe
PID 1760 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\ThejKho.exe
PID 1760 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\ThejKho.exe
PID 1760 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\gMAsYZQ.exe
PID 1760 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\gMAsYZQ.exe
PID 1760 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\gMAsYZQ.exe
PID 1760 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\APQNKBB.exe
PID 1760 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\APQNKBB.exe
PID 1760 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\APQNKBB.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\JxxkXhC.exe

C:\Windows\System\JxxkXhC.exe

C:\Windows\System\GCPddTT.exe

C:\Windows\System\GCPddTT.exe

C:\Windows\System\steCAUd.exe

C:\Windows\System\steCAUd.exe

C:\Windows\System\TwjJDMe.exe

C:\Windows\System\TwjJDMe.exe

C:\Windows\System\HKZxiyt.exe

C:\Windows\System\HKZxiyt.exe

C:\Windows\System\vjSIfsf.exe

C:\Windows\System\vjSIfsf.exe

C:\Windows\System\IatcuOi.exe

C:\Windows\System\IatcuOi.exe

C:\Windows\System\dcvkBjN.exe

C:\Windows\System\dcvkBjN.exe

C:\Windows\System\kVKSbCw.exe

C:\Windows\System\kVKSbCw.exe

C:\Windows\System\VAhTfdB.exe

C:\Windows\System\VAhTfdB.exe

C:\Windows\System\hjLNfvk.exe

C:\Windows\System\hjLNfvk.exe

C:\Windows\System\GUsjEKl.exe

C:\Windows\System\GUsjEKl.exe

C:\Windows\System\SwwqPay.exe

C:\Windows\System\SwwqPay.exe

C:\Windows\System\lWRYWQj.exe

C:\Windows\System\lWRYWQj.exe

C:\Windows\System\zfJyEmn.exe

C:\Windows\System\zfJyEmn.exe

C:\Windows\System\smFJGuR.exe

C:\Windows\System\smFJGuR.exe

C:\Windows\System\SdUOaNj.exe

C:\Windows\System\SdUOaNj.exe

C:\Windows\System\oDGIUFH.exe

C:\Windows\System\oDGIUFH.exe

C:\Windows\System\ThejKho.exe

C:\Windows\System\ThejKho.exe

C:\Windows\System\gMAsYZQ.exe

C:\Windows\System\gMAsYZQ.exe

C:\Windows\System\APQNKBB.exe

C:\Windows\System\APQNKBB.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1760-0-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/1760-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\JxxkXhC.exe

MD5 eeaeaa3c895bb1bc2723bf941047be75
SHA1 da02f9b560861f5f02892e2d03529cf41cc5e06c
SHA256 c2ef6aa8a585a223046e6e5d7cca94571fad78f3ad2f317948029856f88e7f1b
SHA512 0eb9dfed9e642e8db82e402df27205d10f4a9bc797bc051ed0633a95735a3a5ab5699adbc9a160d095e01c7c21e511cf8b331f32092f4df450828d3eb6c51c21

memory/1760-28-0x00000000023D0000-0x0000000002724000-memory.dmp

\Windows\system\HKZxiyt.exe

MD5 b26cd31e9cd4910e5b4a6baf47cf4c00
SHA1 d01f2a63107e39e61b69f1a9c8178f43c0622be0
SHA256 038873bbfc953d00a5477aeff064cd3b5d373cc987321b2a2dab86d12cae58e4
SHA512 15db3aae8242067942ccb7e403921a92711c9cea399a4875fe8dd53c735acdcc26c88e86ca2d335fb1b2526f574284d4734f388be8635e9ff9237b3a2e1be177

\Windows\system\TwjJDMe.exe

MD5 8f616e185368d9f802944f23c98383c4
SHA1 59aad23d22d70c9a8e294740a7050f755c22d8bd
SHA256 4869bcb6f16a661097a90b81f7d97a100c73145f0c7ff876926cf2a6a32db241
SHA512 42ddaa8b03893de621e8c3362ddaed6b2ffaa70e5475ea1ed1d02cdfb033b95492385b3a153111aac12d54914f4532b7635937cd9fa9163110f6dbb63a2b543b

memory/2736-24-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/1760-113-0x000000013FBF0000-0x000000013FF44000-memory.dmp

\Windows\system\VAhTfdB.exe

MD5 74bd532e4a7184aaa03201bb5f203bc1
SHA1 f689e161c8658e600fffa2954f1ff695f5c262ce
SHA256 c8cbcb1ca0640ac153d7b0ed75e5e27f24182c9e7a340c2574c25ba3e3f616b6
SHA512 f9ab4de3f750d779f2387b14602c1ed9affbfd7573dc47becb9d4b731d72a5cd4bc8a8eecb20180edb0808673a7babc19d21e8a50316617d6aa0f9bf1d64ae3f

\Windows\system\gMAsYZQ.exe

MD5 11fedb464da19adec2a5ec1f48e1e89b
SHA1 b4b8a4082ddba542cf209663f0fe27620a5f28e8
SHA256 fc13e306b797f7061685609c289eb8945c8aac884037b27f320e66c10fff47ae
SHA512 f20b79d9ae31d1acfeb0f33629a3fdcc12f3593649b6672812e916d19063f58332cab6d2fbe5bf99bffbda8c97768bbebee24d56dcbf8462e331f95d3463a075

\Windows\system\oDGIUFH.exe

MD5 d46cbdfc501390865f7cd30251ddd05b
SHA1 8bda62291d9e296d053a3087f647b86819a1bea9
SHA256 11620997d63c6c4653cb14594f25b8ae489867d81d9f42e495c6a240eaf7dfe9
SHA512 7ad53e90b183c68c0bab42f69c501bdf0d283c9d38e992eebdc3d0957a5393d70762089612c37911cd811daa02fa35a78dfa79c145a8710cdffbc45b8d694ff1

memory/1760-84-0x000000013F7B0000-0x000000013FB04000-memory.dmp

C:\Windows\system\zfJyEmn.exe

MD5 44835a899cfd7aa813e0c0a033ea36a4
SHA1 3741ba5fb2f9fce412403bf0fc01104a2d8ada84
SHA256 d68160aacd7946b7362c8e0cf2641a8c39fa50a2aa1cd3fbadd2442735b692d3
SHA512 d1b4cf03010ad70db7554292c09558ac51c9b5bc369ebb63f03b6339b794fbf5f2cee081fb7946da30556c94e9035423944db10c14239592c7b9bc4a354a2174

\Windows\system\smFJGuR.exe

MD5 ac196fd439bb1dc01c79755cad3cb4a8
SHA1 76b8aceeb8b45117d54a9d97cdd02df6886647e1
SHA256 e62a61d912938d3378cc418538d34b7dc260c5604a14a048ccb84bc32268144d
SHA512 a470acbf56805dd021d957f9977a6ce5900f184a75b730545b374ff3c403f4c8d583dddff6b65a6191ecd781ab81d160490901f5b7b76d3e8fc997a61bd67750

memory/2972-76-0x000000013F3B0000-0x000000013F704000-memory.dmp

\Windows\system\lWRYWQj.exe

MD5 73c013a8add2d6d9b5509c98e9ea38e9
SHA1 0a2cc5d613fd325b8aebcbc22c41b0c1c67238c3
SHA256 0aac8db62022fa4dcc760ab5898ff158ae64cfeaf8c6906087ed97f3bd8c0d2a
SHA512 8f404ae2217a5f4e866b0d8be679a58c389ffcaea0921d3f396e9e049e07015a1d8df049fd644736025a6b98f65a2f2b0bc89a40f470f525e3a375853bb3fe68

C:\Windows\system\hjLNfvk.exe

MD5 3273953f9acdbfdbde40e7232ae5dcbd
SHA1 4688e9960464412434508ff8a22ce503ac25fbf0
SHA256 9bcb361e03aa1e1c0e204b9800b8e1fe6ee741d127b633fca03d9cf416912336
SHA512 8b49938b8b2cf8260f16235c86a9d3e01f30dc301c39486166e1511861cc5bdaffead435105969f6062325744d8525808aebea8d2cee2f6b552e6c3f798f4c81

\Windows\system\GUsjEKl.exe

MD5 8a8e97ea6f4b3e5962f4f92aaa74bff0
SHA1 b329e923b21759e79acf3feb087497636bbcfa2c
SHA256 cbdf42abf52317c52158a9e099f198e5b35e7cfc50d1743ef76ce0b9d258c7e6
SHA512 a3e506984276c4db2c6d4b71b9e060cbc18bfada44ab8092fc91b951f451a014318631da9afe6df669cbdca5e7a1a87f1a9f330bac9cacfc6589d4854e549e59

\Windows\system\dcvkBjN.exe

MD5 ef87ad866abd0c53d26cddbc36b69110
SHA1 03541e1c65f16be4465f3ea833aea91e2534fd92
SHA256 34c98a22103d814e6158413f90f0e9bb91579235f41c3d263971ac65e845f409
SHA512 246ec00eb5b3f89d8d67dba374bc9d6ac249f3d31e8e7965d6120f25d0b94e68e051321f1c4626c862c1fee63a3d8e8225d2c290f02b0a8b5d7625fa035254eb

memory/1772-112-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/1760-111-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/1760-110-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/1760-109-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/1760-108-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/820-107-0x000000013F7B0000-0x000000013FB04000-memory.dmp

C:\Windows\system\APQNKBB.exe

MD5 a65fd2eb933f7b685c1072afb7dd03de
SHA1 840b36b9b94f506290f5c627aa034732fa9a85da
SHA256 447d44e7dfef660a915e073af6ffc0210b47562b10fea5232d3d6eb63691cbcb
SHA512 7b1a54ad8870cf7b3c64a9d3ac7536f3ee62dd8b6da7cbef0b5ff17fef0e51b42054c883178f0ed47f7bc348e299d807bbd2821caf0c48e36ba6d2636a74ab2c

memory/1760-100-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/2588-99-0x000000013F7E0000-0x000000013FB34000-memory.dmp

C:\Windows\system\ThejKho.exe

MD5 f1ce0c206fb6d947e2a9b8cff92a2012
SHA1 c952ba14ce8663ab862c19cb27a029a5912a2135
SHA256 564871e63ba0364b04cbc8504fbb7ae605a37e26cf4d7dea736004b7281d9afc
SHA512 dcd905dd5bda5e425b640800d0596d971e8f0267e7b33f1e7cec81b95c877cbdbe2e6904885f35dbe25f59f648f63477574ec6f52831cc24476cc0e678d98f2f

memory/1760-91-0x000000013F7E0000-0x000000013FB34000-memory.dmp

C:\Windows\system\SdUOaNj.exe

MD5 f55336611c76b65fdad8281a240817a4
SHA1 c1059b32269ef6b38d060fc20c524bde40456cc3
SHA256 a5ed90ff165ed63ff136204d325ff12cc96f08adbded0e4755daea939a5b2706
SHA512 a7411698b180504b6ea1fcfb7ae9b2fe392f723400b5fd04008ad864b2f53184c3ea1599bb608ea08ed7bdff58f323ae702e08cd082066e19b29fd1750fd734d

memory/1708-89-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2748-80-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2568-134-0x000000013F310000-0x000000013F664000-memory.dmp

memory/1760-72-0x000000013F300000-0x000000013F654000-memory.dmp

memory/1760-71-0x00000000023D0000-0x0000000002724000-memory.dmp

C:\Windows\system\SwwqPay.exe

MD5 404e0031629426315f722c64bd2f900c
SHA1 83679d0becd6169c0b53f73826df66ab6c0e7b70
SHA256 f4c6821e60ef607837202e4557d1386069b717b2266c5578bdb866e4e7aa55f4
SHA512 e8d248e609bcb462164482d8271bd4e52afc6d48badc7deab1924c54b6302c162f547d1834783a92da2e683a98ba3952d5fcd126689fafc80206c9c508690ad7

memory/2440-68-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/1760-59-0x00000000023D0000-0x0000000002724000-memory.dmp

C:\Windows\system\vjSIfsf.exe

MD5 6315c61fb8ba81a9c4b2396022a98d0b
SHA1 ab5f08e2d185f861cbc83370277d80c5f1c14522
SHA256 0cfcc6dda6d47bbb2ee0ba9f231447e40a0624568a4c2572b6554f1b17b8a58b
SHA512 761994a69f7cf6dbfb3936f9715086fed39339b68d768fa7114c648de20933d8fedb66ecd0731fa3bb48e51e955d5ff1739945080b4b4d6c0b70753ee7e13314

C:\Windows\system\kVKSbCw.exe

MD5 763e5aafed9d5cc400dbe5773d288c09
SHA1 4420910ab01d6844c256cc406df8890f6cdb34f6
SHA256 634015d68c2a5890eb60cb2702b5d653be29056b44a50871dee717b3830fb425
SHA512 989e0d3c0779baa937a2233153b464f082e2c9ea877a071809614934132dc320859d7d627d7a133eebde18d0f37097a45e723e07d12b3195b7ae3a9a4d23a2f8

C:\Windows\system\IatcuOi.exe

MD5 0fa58b4758eb1d2fc113fd16931077ca
SHA1 d86e2af24c1de05a49d3271c7efe72853f95e022
SHA256 de1cea97e1e361d561f0e60e84817a780ab5167b7730d5bafe509cf8f7e6813f
SHA512 07ca363509ef5a2a4cdc83bc3e1bc9e5a5f051fae1b5742c42ce57b38e7bce320240246fe3bc9fda8bec4690f41966577eda11d8bf4a17ceae0fac6173e119bb

memory/2552-35-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/3060-34-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/1760-31-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/1760-30-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/3012-11-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2568-19-0x000000013F310000-0x000000013F664000-memory.dmp

C:\Windows\system\steCAUd.exe

MD5 4f2391cf1a6d7608dd093637350f4731
SHA1 712ab4d2780ca9c52ab8d2dff93052884e0a4fe1
SHA256 7e955e3e033d7465478dda4d2b12db03196c810733c9109655c6b471a8116c97
SHA512 739629853ddb73d4dcceb3b4e74bf501a61f24e6b8404e73896f5736c215e058ba2cf121582c761302a32cf1eb1477b456082ab9fe1c4576f4903bf67c709727

C:\Windows\system\GCPddTT.exe

MD5 236e1761d4044ac2da57bd62f280f168
SHA1 e06d909dde4c9d462aaf99be93c4981eac566697
SHA256 9fbe34b04c31088341b70ee66a50b0f31b2c72b419e374f9f5f94385031d82a3
SHA512 a75be2fbdb8c384e528f4f29b6a05c9773a7324962872190a8fd7afcf7f1f73913012cf953390923c1d9cea5da962e0bb868f3c1a0afd4ac0202e4a5ae0574e8

memory/1760-15-0x000000013F310000-0x000000013F664000-memory.dmp

memory/3060-135-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/2552-136-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/1760-137-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/1708-140-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2748-139-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2972-138-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/1772-141-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/3012-142-0x000000013FF10000-0x0000000140264000-memory.dmp

memory/2736-143-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/2568-144-0x000000013F310000-0x000000013F664000-memory.dmp

memory/3060-145-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/2440-146-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/2552-147-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/820-149-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2588-148-0x000000013F7E0000-0x000000013FB34000-memory.dmp

memory/1772-152-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/1708-151-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2748-150-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2972-153-0x000000013F3B0000-0x000000013F704000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 17:19

Reported

2024-06-08 17:22

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nbJgaBO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZznoJNt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uzCGrjJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zAYmbFZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FCiVWZA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zWsyzKg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FyBkEbj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KDLNLCs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CZiMWRB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oqethvv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dQpmMQS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SrTGSSz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HBNUwTd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UTmFEtt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oGZBnri.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zalNJoM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eYbYaky.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LsmxWVh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RatEvcv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kpqVthO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RLwocsQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4500 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\zAYmbFZ.exe
PID 4500 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\zAYmbFZ.exe
PID 4500 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\FCiVWZA.exe
PID 4500 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\FCiVWZA.exe
PID 4500 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\zalNJoM.exe
PID 4500 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\zalNJoM.exe
PID 4500 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\kpqVthO.exe
PID 4500 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\kpqVthO.exe
PID 4500 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\CZiMWRB.exe
PID 4500 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\CZiMWRB.exe
PID 4500 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\oqethvv.exe
PID 4500 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\oqethvv.exe
PID 4500 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\nbJgaBO.exe
PID 4500 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\nbJgaBO.exe
PID 4500 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZznoJNt.exe
PID 4500 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZznoJNt.exe
PID 4500 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\eYbYaky.exe
PID 4500 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\eYbYaky.exe
PID 4500 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\dQpmMQS.exe
PID 4500 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\dQpmMQS.exe
PID 4500 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\SrTGSSz.exe
PID 4500 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\SrTGSSz.exe
PID 4500 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\HBNUwTd.exe
PID 4500 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\HBNUwTd.exe
PID 4500 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\zWsyzKg.exe
PID 4500 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\zWsyzKg.exe
PID 4500 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\FyBkEbj.exe
PID 4500 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\FyBkEbj.exe
PID 4500 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\KDLNLCs.exe
PID 4500 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\KDLNLCs.exe
PID 4500 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\RLwocsQ.exe
PID 4500 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\RLwocsQ.exe
PID 4500 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\UTmFEtt.exe
PID 4500 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\UTmFEtt.exe
PID 4500 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\oGZBnri.exe
PID 4500 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\oGZBnri.exe
PID 4500 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\LsmxWVh.exe
PID 4500 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\LsmxWVh.exe
PID 4500 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\uzCGrjJ.exe
PID 4500 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\uzCGrjJ.exe
PID 4500 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\RatEvcv.exe
PID 4500 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe C:\Windows\System\RatEvcv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_b4f920b4a0e31634c0c08c703ba60bad_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\zAYmbFZ.exe

C:\Windows\System\zAYmbFZ.exe

C:\Windows\System\FCiVWZA.exe

C:\Windows\System\FCiVWZA.exe

C:\Windows\System\zalNJoM.exe

C:\Windows\System\zalNJoM.exe

C:\Windows\System\kpqVthO.exe

C:\Windows\System\kpqVthO.exe

C:\Windows\System\CZiMWRB.exe

C:\Windows\System\CZiMWRB.exe

C:\Windows\System\oqethvv.exe

C:\Windows\System\oqethvv.exe

C:\Windows\System\nbJgaBO.exe

C:\Windows\System\nbJgaBO.exe

C:\Windows\System\ZznoJNt.exe

C:\Windows\System\ZznoJNt.exe

C:\Windows\System\eYbYaky.exe

C:\Windows\System\eYbYaky.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3144,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=1284 /prefetch:8

C:\Windows\System\dQpmMQS.exe

C:\Windows\System\dQpmMQS.exe

C:\Windows\System\SrTGSSz.exe

C:\Windows\System\SrTGSSz.exe

C:\Windows\System\HBNUwTd.exe

C:\Windows\System\HBNUwTd.exe

C:\Windows\System\zWsyzKg.exe

C:\Windows\System\zWsyzKg.exe

C:\Windows\System\FyBkEbj.exe

C:\Windows\System\FyBkEbj.exe

C:\Windows\System\KDLNLCs.exe

C:\Windows\System\KDLNLCs.exe

C:\Windows\System\RLwocsQ.exe

C:\Windows\System\RLwocsQ.exe

C:\Windows\System\UTmFEtt.exe

C:\Windows\System\UTmFEtt.exe

C:\Windows\System\oGZBnri.exe

C:\Windows\System\oGZBnri.exe

C:\Windows\System\LsmxWVh.exe

C:\Windows\System\LsmxWVh.exe

C:\Windows\System\uzCGrjJ.exe

C:\Windows\System\uzCGrjJ.exe

C:\Windows\System\RatEvcv.exe

C:\Windows\System\RatEvcv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4500-0-0x00007FF75B2F0000-0x00007FF75B644000-memory.dmp

memory/4500-1-0x0000012C59A80000-0x0000012C59A90000-memory.dmp

C:\Windows\System\zAYmbFZ.exe

MD5 635e826ae75eac11044007357e79e51f
SHA1 4803dbfb09c7c489b397cc342ff737eb7e28850b
SHA256 6ee05d83ac982607c99c3ae6fab1db71c5da2a97f657e6455f49bca0e567603e
SHA512 695927a216cce82c405c1ebd7ba04e85a69689462cf1a4c8788586ef5658f0b8ab20c2a2dc31188c903d76339a24ea1570cb54bcb45373c384fb6f081b11c784

memory/4704-7-0x00007FF66BDC0000-0x00007FF66C114000-memory.dmp

C:\Windows\System\FCiVWZA.exe

MD5 f0bc9650d4e9f0de1f214dfc73462501
SHA1 eee6243ef03d61e70a3d68858c7f33ac665a3841
SHA256 f1738d292a58c8a86fd7e410468feb23c7812f3824b9e0bf78ba11d6874bb2a5
SHA512 2651ecc991a29758288cd4933c4bb0ff8244eb709652695d4fb76eb2364a8af20c3d71d1475bb9e4410787852e587dd5604ae4857472540ef1419df7ed4be0d0

C:\Windows\System\zalNJoM.exe

MD5 bdce45a8cda523daaa784432df49ebdd
SHA1 3cabffd8ea52325cd12e59703f67490072a3b9f0
SHA256 a302baf435547eddc760baa3bc45dec02ea6ea7ff688ad8c98657a2f671e7cd8
SHA512 df8c93cf3be2d970e69c6743227a5bf807a31086074b8bd9ab0cbf1a9cdaca7db86824983a90ce005f0388937b3d1e85206ae24a8909dc369dd1489b8f1ce82a

C:\Windows\System\kpqVthO.exe

MD5 1c6fca9242c978da926b8da0d74ea57f
SHA1 d0e4d7613d63cc8f2663339572e9cc6156bd75a1
SHA256 323ddf5286379ed8fe5d62d07c7d1bfed3c46251025028cce3d78f19731f1022
SHA512 d3af89146f13251fe11cb6799a5e91c3acb9d5db4c5898d02134cc93296c9700b863f74e265fa0046205b2e018a6ee41e45692f681b4d5dd4b448956d84c7bca

memory/2216-29-0x00007FF7811A0000-0x00007FF7814F4000-memory.dmp

memory/2016-32-0x00007FF620DA0000-0x00007FF6210F4000-memory.dmp

C:\Windows\System\CZiMWRB.exe

MD5 445c6ede51731cf5d9f18c69b01456f5
SHA1 021165970c19e378f76ac17803eacfda16dd4477
SHA256 765f92afe4bf88d078b6d9840d0769d9cefcf348a8fce0cd1e37425fd79115e8
SHA512 3ee2b0e4037d1c1ebf4ca21a68812836c05c5815eef385ccbf439a56431b74b2ddc4ae61cac85196c0d14cc6880d8afb1a0bcf30e4f2febb8e1a2c5477c1e92f

memory/2820-20-0x00007FF762D80000-0x00007FF7630D4000-memory.dmp

memory/4592-14-0x00007FF73A7B0000-0x00007FF73AB04000-memory.dmp

C:\Windows\System\oqethvv.exe

MD5 3794c4c7c072f273e3727c607c5a97c7
SHA1 36a12a303a6e19c5358530a22509359e94ceb764
SHA256 e0f82288e97ffae6f8458cb2136bdc8c9c00cf6fa366f1ef5514adebe103d862
SHA512 8f7b0f56904db4244fa86ca5d27885c9b915de99017ff6efc3deb460a16451c4a39969d6d48b3ef896a322a7475c294541a0e9d12802c53622b8853336a0a768

memory/4956-39-0x00007FF77EF90000-0x00007FF77F2E4000-memory.dmp

C:\Windows\System\nbJgaBO.exe

MD5 cbd7a20926c867b45e9019290040c65e
SHA1 1e5fd635be913ef9a20911a7ef1990d7273d70c5
SHA256 86a5e366d67a6f035d7d0a34c86a49bad45802e6d65ba02b8be33b3cef85b309
SHA512 88dfd1e76b64c9ce656d9419b4ef78db39a830822a8c514dcc8ff6ec87eabffc2a9f54427141d89e0ae6ff4b4d230492dc473fec0e5b29a7b2dfbde79f3e642c

C:\Windows\System\ZznoJNt.exe

MD5 d624f53b0b4c92294ec670ce7898301d
SHA1 3fa44372c3ab5c40acd822e6d49b3f484c61e3bf
SHA256 2b4cbeae2a0214c1f8d244f9417706a47e298efc6204a595d44c27b26429cd82
SHA512 8634a75bdc43fbe800bffef8a3fee3859b113ce9139ff16beb61dbccffe0b7b2ebd3bcbf42f15bffe205217edd220a75f747a309407cbad6843262260620f8f4

memory/2336-49-0x00007FF63BBC0000-0x00007FF63BF14000-memory.dmp

memory/4468-43-0x00007FF782600000-0x00007FF782954000-memory.dmp

C:\Windows\System\eYbYaky.exe

MD5 c5f3274ea6d18af90087e3120434a84c
SHA1 65a64acc6e06217e847460c1ec73b56cf43c6d9c
SHA256 f3c98854ddeada1279124d8ad9566668b1564fdb74abecbd04e5ee291dd7cd6c
SHA512 9dd10bb3d72cd562e8a1a554b4eae19b5a4b34c910630c41bb246e8c7ef852fcf45fd1336594bcb5ab7ac3933f3f970efd9b92f29dac9e6f0f55783490bca9fd

memory/1180-58-0x00007FF60D510000-0x00007FF60D864000-memory.dmp

C:\Windows\System\dQpmMQS.exe

MD5 71681b4658c2470864b5e78135029502
SHA1 b6c97ab0b19bc4f7c6b4a7862c3784f49c514432
SHA256 a864ba8aef32052780921ad8edb523ef8b4ea70cd6215c4ea11f2e9c735c41a6
SHA512 aae59e0f1c38136871c2bdcd4ead63fefb0aa44a97ae2455e32dfc6654d01e039579766f8309b3ca78d06a112e4dfd1e3bba813ad2fbb396f017ee258f2efe06

memory/4704-67-0x00007FF66BDC0000-0x00007FF66C114000-memory.dmp

memory/1300-71-0x00007FF694D80000-0x00007FF6950D4000-memory.dmp

memory/2844-72-0x00007FF763ED0000-0x00007FF764224000-memory.dmp

C:\Windows\System\HBNUwTd.exe

MD5 4c3c3507b278cf3ca94c8c9e76eefbc1
SHA1 27839cc39562c55adbd5054f89e810ecc48f5f28
SHA256 1c60fb3d686aa957459c9e08b2c7227f09011ba0631ac3088f35e870faa0aac6
SHA512 ab3f70d562dba3e54f5c6b154e22209d58601e6ef8c1b886426ce91a7d9b041782031cd2976f02a80975818aa92236437f9c348397f85233c303fa94c8e75ab6

C:\Windows\System\SrTGSSz.exe

MD5 4522326e1d4208f55e7bcd0c4f6c119d
SHA1 2a65a8c788770a7a49aa191612947a147dcd9962
SHA256 cc321046fd2a6dc1c5c4d4924e8a1811926deb047f8a8eafc6121e721b32dcf5
SHA512 c22facd86e96e6aa62c46f42fc9947bc82797067027ba700e6513bdb09db6c8d4a86453b2de902e60d2d1409dec6e4d2f5252eac6b143976c97a9fc2542326dc

memory/1948-66-0x00007FF7D0E30000-0x00007FF7D1184000-memory.dmp

memory/4500-62-0x00007FF75B2F0000-0x00007FF75B644000-memory.dmp

C:\Windows\System\zWsyzKg.exe

MD5 5af569789bbf437428d287d4494db1b1
SHA1 acc3ef08bad2e63eeab737ed440d69d6b4697c09
SHA256 b0614abf891b79fd9d5321594b83690cf6fe953e868168bccf716a2c7005e099
SHA512 3f6e83796ad67fddccb30ad3409231d6e4dedf241392a81e4144d69a6b34c081a3e54a7fa49f7efe29433a7394db43d36bb6b76cafc7a0e07d0175c85224e035

memory/1480-86-0x00007FF784880000-0x00007FF784BD4000-memory.dmp

C:\Windows\System\KDLNLCs.exe

MD5 5adabeca09f8f23964db172477e6e3ab
SHA1 aaeb8ad14c9a0aa74e1b981626e62a17ad3006ae
SHA256 f957fe19da2b1671d354f4cf57eea0f4b96c0216d5b8bde0fd76bf741bbd7ac2
SHA512 380f72232f6b3fc72cac1136140a3961564b86458e92e8c51bbf546baa968e8ec62a3164f36b4e0a3668dc31a979ead46e21ee320af4886f5f1bfa4235f0fa02

C:\Windows\System\FyBkEbj.exe

MD5 021532c7659f84e64676dd56909bbc7a
SHA1 2c60f33402f1470d988e3424cc988f6c9ecbbb3a
SHA256 d5d1fbfe1636ca61d2d2adbf9a474285fc0c95c4c689a3bce58c719014e58db6
SHA512 4f7eb32fec7ac30fe49bc5070645533edb423af3e6ad6521df7e446f99792d589971ae97310c2272b47c554c1b912104e1798fa78e6ea285ead0fdc7f47e66b0

memory/1224-89-0x00007FF723140000-0x00007FF723494000-memory.dmp

C:\Windows\System\RLwocsQ.exe

MD5 f7aa800091cdb6a116cdd7ea10c4abc8
SHA1 46bb671ab11bbbee128294f5f744efb7969bd64f
SHA256 d0cd88c31c7a41af5d476df8290d3349a98db25cae07b43d56520ec9096a33d1
SHA512 fc342f2e7f40ae6f299540b7d7aaef3bf37b0f5b65a787dbf380af63d844793582fe5bda678bfa331e97e583ba784cd5cf177a8755803d4df5a0ff45759923e0

C:\Windows\System\UTmFEtt.exe

MD5 2ef1f88e2208cc2e0e84bb00cdd42dda
SHA1 005152410212e2ab7b9635e9a1075addc71e595a
SHA256 d196c6a1d00ff1c8a4bd6d2848ddda1d8fc71a613ef66830e66ff1d6695164e1
SHA512 3858ed41860192e40fa7dab7e5935778fc1d5a4c836f4a6e8df3ac6362f95211b3a4882e2113d273fd9f7054acb39c1c714d9961ae50daca487b6ff51df7440f

memory/4072-93-0x00007FF7800F0000-0x00007FF780444000-memory.dmp

C:\Windows\System\RatEvcv.exe

MD5 e70ac13a61e6b05b42c26770502c43cd
SHA1 33fd26f1e3a2cc9a33ca493a106322f8605ca14a
SHA256 57928d42bac6bc41b3b8239d1b3d6caac942a80028c84ba149d59aa2f8a522c4
SHA512 624430b730bf053245e318439f4ae7b68cf7a44d6a67d15b895b730062ff29aae44367a282b2c2f41af812e8c70f0b0f351b57396f4141128f4fa73e68a859b1

C:\Windows\System\uzCGrjJ.exe

MD5 67241e86bd6bc24ae734bb1d6200c8aa
SHA1 dc5e6ec4723c2bd0f776fec49db1c178f14a8f90
SHA256 a8807c042b88ace4201a19cf4c907a8a49ab4f4d1b449158175fcb5fd482841e
SHA512 25d4857356cab2034964feb81b38547bcd54f4442b797aac0affad829655eda296da80f5f2b90345e98a1b3e2199cdba0d08b5dd344b174af0bdcdc6db3dc7d6

C:\Windows\System\LsmxWVh.exe

MD5 b39f81109bdeba5f84e8ada205a24828
SHA1 1cd9ff7b8a95e6ea869a4995645465a8e6e5cc5c
SHA256 5389df696f566fcf3027531edc30ddeeb95ac2af38b71a691ced38ca047fa3a2
SHA512 391313a881d401fc5bd3bfb15df9108c93eae52596b8a55b4d7c2ce5ec18948ce88608f12bf01700e40c807ee0d667705f14a4fd2093de1c291f0621bb3333b6

C:\Windows\System\oGZBnri.exe

MD5 5717b923b2bc112c44d79e9a04326601
SHA1 fd034e9087351393639cbc3f202a921469a70046
SHA256 a793e5ba885f7519466b8266b85129be746285388b6f41adace10e601a09e566
SHA512 8d5b58eb53979a830c726b25e40b43033f273b009b7ab2f76932531d53f1950a248ed695790e1e778c5cbec4a5b7f522ad85db5b782fbf9f99f5607ae5700d13

memory/3528-107-0x00007FF68EC80000-0x00007FF68EFD4000-memory.dmp

memory/3980-103-0x00007FF66B0B0000-0x00007FF66B404000-memory.dmp

memory/4956-100-0x00007FF77EF90000-0x00007FF77F2E4000-memory.dmp

memory/4468-127-0x00007FF782600000-0x00007FF782954000-memory.dmp

memory/2284-128-0x00007FF65CF60000-0x00007FF65D2B4000-memory.dmp

memory/3656-129-0x00007FF7CFA00000-0x00007FF7CFD54000-memory.dmp

memory/876-130-0x00007FF7F71E0000-0x00007FF7F7534000-memory.dmp

memory/216-131-0x00007FF612010000-0x00007FF612364000-memory.dmp

memory/2336-132-0x00007FF63BBC0000-0x00007FF63BF14000-memory.dmp

memory/1180-133-0x00007FF60D510000-0x00007FF60D864000-memory.dmp

memory/1300-134-0x00007FF694D80000-0x00007FF6950D4000-memory.dmp

memory/2844-135-0x00007FF763ED0000-0x00007FF764224000-memory.dmp

memory/1224-136-0x00007FF723140000-0x00007FF723494000-memory.dmp

memory/4072-137-0x00007FF7800F0000-0x00007FF780444000-memory.dmp

memory/3528-138-0x00007FF68EC80000-0x00007FF68EFD4000-memory.dmp

memory/4704-139-0x00007FF66BDC0000-0x00007FF66C114000-memory.dmp

memory/4592-140-0x00007FF73A7B0000-0x00007FF73AB04000-memory.dmp

memory/2820-141-0x00007FF762D80000-0x00007FF7630D4000-memory.dmp

memory/2216-142-0x00007FF7811A0000-0x00007FF7814F4000-memory.dmp

memory/2016-143-0x00007FF620DA0000-0x00007FF6210F4000-memory.dmp

memory/4468-144-0x00007FF782600000-0x00007FF782954000-memory.dmp

memory/4956-145-0x00007FF77EF90000-0x00007FF77F2E4000-memory.dmp

memory/2336-146-0x00007FF63BBC0000-0x00007FF63BF14000-memory.dmp

memory/1180-147-0x00007FF60D510000-0x00007FF60D864000-memory.dmp

memory/1948-148-0x00007FF7D0E30000-0x00007FF7D1184000-memory.dmp

memory/1300-149-0x00007FF694D80000-0x00007FF6950D4000-memory.dmp

memory/2844-150-0x00007FF763ED0000-0x00007FF764224000-memory.dmp

memory/1480-151-0x00007FF784880000-0x00007FF784BD4000-memory.dmp

memory/1224-152-0x00007FF723140000-0x00007FF723494000-memory.dmp

memory/4072-153-0x00007FF7800F0000-0x00007FF780444000-memory.dmp

memory/3980-154-0x00007FF66B0B0000-0x00007FF66B404000-memory.dmp

memory/2284-155-0x00007FF65CF60000-0x00007FF65D2B4000-memory.dmp

memory/3528-156-0x00007FF68EC80000-0x00007FF68EFD4000-memory.dmp

memory/216-157-0x00007FF612010000-0x00007FF612364000-memory.dmp

memory/876-158-0x00007FF7F71E0000-0x00007FF7F7534000-memory.dmp

memory/3656-159-0x00007FF7CFA00000-0x00007FF7CFD54000-memory.dmp