Malware Analysis Report

2024-10-16 03:06

Sample ID 240608-x4hj3sfa9z
Target 2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike
SHA256 72fcdebb5fa68790bca3e7b1b45d6de95c2a1c060b59f0f76d164dbd45d46dac
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

72fcdebb5fa68790bca3e7b1b45d6de95c2a1c060b59f0f76d164dbd45d46dac

Threat Level: Known bad

The file 2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

xmrig

Cobaltstrike family

Xmrig family

Cobalt Strike reflective loader

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 19:24

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 19:24

Reported

2024-06-08 19:26

Platform

win7-20240215-en

Max time kernel

136s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (53 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (55 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (53 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UmvhodP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GtILghu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GrMncTu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VGwxAEp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AdVRsFZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\exhoPYr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WNNdAkh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PqBVGiR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hmOPFMi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nHmCPFJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kvelMvi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bopoNbf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uTOqQrb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UtVDFgQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mxUtNGp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bQMjejV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rdzaPmK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\asZUvdj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SYtKmrx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UPDfpCH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ncnsrNo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\UtVDFgQ.exe (3 identical rows)
PID 2108 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\GrMncTu.exe (3 identical rows)
PID 2108 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\exhoPYr.exe (3 identical rows)
PID 2108 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\mxUtNGp.exe (3 identical rows)
PID 2108 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bQMjejV.exe (3 identical rows)
PID 2108 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmOPFMi.exe (3 identical rows)
PID 2108 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\nHmCPFJ.exe (3 identical rows)
PID 2108 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\VGwxAEp.exe (3 identical rows)
PID 2108 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\WNNdAkh.exe (3 identical rows)
PID 2108 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\SYtKmrx.exe (3 identical rows)
PID 2108 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\AdVRsFZ.exe (3 identical rows)
PID 2108 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\kvelMvi.exe (3 identical rows)
PID 2108 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\PqBVGiR.exe (3 identical rows)
PID 2108 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\UPDfpCH.exe (3 identical rows)
PID 2108 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\UmvhodP.exe (3 identical rows)
PID 2108 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bopoNbf.exe (3 identical rows)
PID 2108 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ncnsrNo.exe (3 identical rows)
PID 2108 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\GtILghu.exe (3 identical rows)
PID 2108 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\uTOqQrb.exe (3 identical rows)
PID 2108 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\rdzaPmK.exe (3 identical rows)
PID 2108 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\asZUvdj.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\UtVDFgQ.exe

C:\Windows\System\UtVDFgQ.exe

C:\Windows\System\GrMncTu.exe

C:\Windows\System\GrMncTu.exe

C:\Windows\System\exhoPYr.exe

C:\Windows\System\exhoPYr.exe

C:\Windows\System\mxUtNGp.exe

C:\Windows\System\mxUtNGp.exe

C:\Windows\System\bQMjejV.exe

C:\Windows\System\bQMjejV.exe

C:\Windows\System\hmOPFMi.exe

C:\Windows\System\hmOPFMi.exe

C:\Windows\System\nHmCPFJ.exe

C:\Windows\System\nHmCPFJ.exe

C:\Windows\System\VGwxAEp.exe

C:\Windows\System\VGwxAEp.exe

C:\Windows\System\WNNdAkh.exe

C:\Windows\System\WNNdAkh.exe

C:\Windows\System\SYtKmrx.exe

C:\Windows\System\SYtKmrx.exe

C:\Windows\System\AdVRsFZ.exe

C:\Windows\System\AdVRsFZ.exe

C:\Windows\System\kvelMvi.exe

C:\Windows\System\kvelMvi.exe

C:\Windows\System\PqBVGiR.exe

C:\Windows\System\PqBVGiR.exe

C:\Windows\System\UPDfpCH.exe

C:\Windows\System\UPDfpCH.exe

C:\Windows\System\UmvhodP.exe

C:\Windows\System\UmvhodP.exe

C:\Windows\System\bopoNbf.exe

C:\Windows\System\bopoNbf.exe

C:\Windows\System\ncnsrNo.exe

C:\Windows\System\ncnsrNo.exe

C:\Windows\System\GtILghu.exe

C:\Windows\System\GtILghu.exe

C:\Windows\System\uTOqQrb.exe

C:\Windows\System\uTOqQrb.exe

C:\Windows\System\rdzaPmK.exe

C:\Windows\System\rdzaPmK.exe

C:\Windows\System\asZUvdj.exe

C:\Windows\System\asZUvdj.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 identical rows)

Files

memory/2108-0-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2108-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\UtVDFgQ.exe

MD5 ad61650fc0e0b15197c1c2bed9ca7e6b
SHA1 769cd06187695d76c648dc9a8a2d877b5459f6d9
SHA256 cb634cf808cae68a32c764ec2476b70008e98800ec1d5e4e723c4fbcfa4d1abf
SHA512 f9ce76619e9d4d4825a9ba19e6aba9575a020545d341c10b69cb9b11f7f36101d1d2923d1124a0555f77c1e71c01ebb6820bb2e1d63ac2e61647185907d4ab0f

memory/2108-8-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

C:\Windows\system\GrMncTu.exe

MD5 a251e619a6c412b70d9aa67224c9d3e6
SHA1 5f5b76dd39fdd5a02841bb0cf0ca52769566f865
SHA256 73cc348a2cad1baba6b19229d8376366e41261003b62c522ddd8bc33dee1b78e
SHA512 b77512ceb8b4d63b2327c9e4a77b59a6b0ce17f7a761757192b5de3caee9ff6afcd88ebb39eeb9838935a5feca1a2640b5098775f20b9e1f1c71edf60c39496c

memory/2108-15-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2024-16-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2632-12-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

C:\Windows\system\exhoPYr.exe

MD5 719b80bb272cf78ea0dda1fb41fb47e6
SHA1 f13516b45c51e414508421a7110441eee9e898b3
SHA256 a181d11c4cbb065a85f5d6b33674ff5414827b46dfdbee58f9efc0b07ed89d67
SHA512 131ef20579e0f3a542341424fa748ec3d7e60b71da7e4874736e0721a7a90f4c292fb31623a1087cfd4300b86a4ab022de54f919fa8080aff0f82cb24aae5ff2

memory/1256-22-0x000000013FB20000-0x000000013FE74000-memory.dmp

C:\Windows\system\mxUtNGp.exe

MD5 6cd7450660dac660df23a2242f591d16
SHA1 368e8d1e901b41cd679b4bde7a87bc1e66122ede
SHA256 b07c4f0274341fccc562b9c0044d65341ad5e82c367de4e9b81287cd7f4b8de9
SHA512 df924929cc67a9d0184883b4f10807f2b55ec18fb274855498c2f59d8eaf3b8ecdf923d6f7e82f59bd8240087a844d601bc92d6500b0dd37abbcefbba2466150

memory/2588-29-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2108-27-0x0000000002430000-0x0000000002784000-memory.dmp

C:\Windows\system\bQMjejV.exe

MD5 f39cb9cd31d31c9482eb335feb6fa328
SHA1 0a28bd1a09a9d8a5dd44fcc9959bb7d41093f274
SHA256 776426646c9fa9710f4e87a7c841add177ae64b63b7254bf35107c93296a20c7
SHA512 c18c1d783bb42b112df5aadd6efa786ecf444ea46cb8a566cd408808ea6d0873e7d44683162e91ffab63bc8a35ba7f29b26b393a5c9cec2f9e4be2d34922eaf2

memory/2172-36-0x000000013F520000-0x000000013F874000-memory.dmp

memory/2108-35-0x000000013F520000-0x000000013F874000-memory.dmp

\Windows\system\hmOPFMi.exe

MD5 e074cc878d8733149e847659ed5a9c09
SHA1 02dfbbd4a8cc927efb87940b287e0db90534c00d
SHA256 4397e983f6d577674b258bb6f1b8882f3040ed05bae0d85a7f21120c314410bd
SHA512 8600c68db9ee4cd79b17f3954d31989f300115b769ba50f72e508d680c5f16833893f5262dd103a7d599a1abb402b332e7b6b76a352a9d07da120a2bcd524b8c

memory/2612-42-0x000000013F620000-0x000000013F974000-memory.dmp

C:\Windows\system\nHmCPFJ.exe

MD5 9b8c97be5730a16715b0ea7d0c816396
SHA1 0a2c5ed123ef0fea06861ba6b7210dba5dab0b5f
SHA256 bf925a83a61e887a9aeb4cbc9bd27ab81162540b65c542878f3c73f439543b18
SHA512 9216263258a224aa5af4fcba142e2578a0c8dbb89ab5cccc95248a207a9f522b05ba1950400166ad68289278f33d149cd5576822de8b0d761de10addb419a587

memory/2624-48-0x000000013FD10000-0x0000000140064000-memory.dmp

\Windows\system\VGwxAEp.exe

MD5 e51b31cec89b5d22870701daf2aed846
SHA1 997226b6ed3b834f5a82293632eff03b77922b1a
SHA256 31d9046259e4c3ebf303ff1e30257c8af488f530ae1e4910d19cb793147217c5
SHA512 97777df3127a75dc2ffc5914439ffdfc65d583df50293ae3ebbdb8909b097c42363b55f5cf8dd7ac42bc29a380b498050f8dfea59ee6850cf1f1014e1a479acc

memory/2108-52-0x000000013F980000-0x000000013FCD4000-memory.dmp

C:\Windows\system\WNNdAkh.exe

MD5 c53157a76f797fc019eeb75bce1bc233
SHA1 d798e3c01bf736e71bea7f881eb50f6bc3f43c56
SHA256 11b44e2b944c25fb49a5cbf063504937255530c96da9f944ee67fc5ab8ba5ce9
SHA512 a8c98aac5e18d598d66860dc5f2aa047271203fa48abc977885b006986b68dcfc41302c04bfdfeb7d654e563d5cd37f2db6849c6a69e761e858f1e6397b225bd

memory/2436-65-0x000000013F8C0000-0x000000013FC14000-memory.dmp

memory/2956-69-0x000000013F600000-0x000000013F954000-memory.dmp

C:\Windows\system\AdVRsFZ.exe

MD5 dd3892e1ed02b098cd98b9e95b1adad2
SHA1 51cdba3e5876c2ecb4400ddf4f4965c02bb135d6
SHA256 e7b6890408d7f371dc6899e56ee89891cf07b334dd4a586eb3cf88b774714175
SHA512 e3f8debbb0b87c0f759cad4f3f8798c469b3b1a4885cc9f8469732973e1a0ba645c963ff1148a02ac250832a76bf4d741e8d81dc94642d61be6b59ad72cc1921

C:\Windows\system\kvelMvi.exe

MD5 f1c09fa2feeb344f1a19c7df75e92276
SHA1 5a685c5009daa7d0384c2ac5e45fd8b088c5ac23
SHA256 a68009e5856148e2a1a35d93a951c36ef792d49a86153acc5ece92d7e583fad3
SHA512 00da5ae1c116aad7011a9ed79c1a2636d434b7f080fa28e750cf381566b249411d997ee86c12b66a881e0fb4ee3645cf4a3318071d6652b0298fdc8718747b1e

memory/2700-83-0x000000013F4D0000-0x000000013F824000-memory.dmp

memory/2108-80-0x000000013F4D0000-0x000000013F824000-memory.dmp

memory/2244-76-0x000000013F3F0000-0x000000013F744000-memory.dmp

memory/2108-75-0x000000013F3F0000-0x000000013F744000-memory.dmp

memory/2108-68-0x000000013F600000-0x000000013F954000-memory.dmp

memory/2360-66-0x000000013FF00000-0x0000000140254000-memory.dmp

C:\Windows\system\SYtKmrx.exe

MD5 11456ce27f3f184907fdae2ec0ffc23c
SHA1 9c0bb44f7e5edcaf1bbabcf44e9661f352f66a65
SHA256 5958c4dc1c9ee24fe16c767d296a15fc1345b5fe27c08f186b24d594979036d5
SHA512 2d415bb7055eb096604227edf441d2840c6e08f2fec3ad984b7a806b827a63c01a345c47918140df29d785cbcb28b067da82289e23d8c697edc9b756d91f0631

memory/2108-63-0x000000013FF00000-0x0000000140254000-memory.dmp

C:\Windows\system\PqBVGiR.exe

MD5 36dbec0520357452131c947c1f6af662
SHA1 3e5a8f031ada201a2a743a086ba272252cc2851b
SHA256 60bd95ced5d18520f35c83783c3284af75c5e69ab6592bbe055b0b2265b54b87
SHA512 3ba2dd465ca44f1fa18064af7a432f9323788b9663b078e6b4534d5b303c2de2968670f423413611dfc367fba76210a7ab3d2fff404bfc02285e34a1b5a78ca7

C:\Windows\system\UPDfpCH.exe

MD5 e6771c5f610e978cdddfc5f49b491928
SHA1 db8e90aa291668d8a45a41d662cfe70a9ac81b3b
SHA256 7f7102d26ba116d00e3d5edb086f8cf78eaea4d68eced6eed154d461c6947393
SHA512 50d9dbbbe75c1ca87cedbb98b8f0ee9fbe6fc080d10669627ab882a2e59a9735d7f95cdb82f85fc37e0c761af2201795b5e56fbfbf18ee809c85bed51ee11886

memory/2108-96-0x0000000002430000-0x0000000002784000-memory.dmp

C:\Windows\system\uTOqQrb.exe

MD5 90c809df1d8c8f855e90b01b159c0566
SHA1 b60e19524dd9c433686d52852584b1477096e051
SHA256 d581e2b12f008e5ff730da7715594601ea7653e9b92e8d184a7aadbe6f3e7bd4
SHA512 b100bf9056f8ff6f5c56ee95cca4402147ced3a742de92e10a3131dfb0cb212cdfb097b00a26a05d03bc577f7a4f1870eb04b2cac97a253860adbc5265748983

\Windows\system\asZUvdj.exe

MD5 b6edb93a712b196165117172ef4616e4
SHA1 39830a8a39df309a0bbe515ee97ff9a65bbd9140
SHA256 52ca7f4d061fb30bd48433f611db0df59921b1f041992704502b49aa20a7e95e
SHA512 961f378221bb4c5e86496a70bb9153c928094dee86998d4f9898bfd4762ba0fd7167d8ff28612e89cec43b96d4d4a9e8ac59b0a9d5a9afe7c7865f5cee2ca41d

C:\Windows\system\rdzaPmK.exe

MD5 250768877b481165be3c9148ec20b7e5
SHA1 a9d9e34bd1c9d218000804b25806cc88aff4f355
SHA256 cae054a367700b9cbeafcb6bdb61f342fbfd0530a18084a2f3d4cefe254a7b1d
SHA512 fe64c2c0119192c11a6ccc304ee54588c0e0efa6763717db3fb18ebcb96469d640191c749b0ebf9ba3baec826072fa7f66987b07aaa5e40edf0fc0e540b8d51f

C:\Windows\system\ncnsrNo.exe

MD5 78daa90b615759b96a390ea242517258
SHA1 21bc540988540215ec6b18d43a5c6734f37553cf
SHA256 09d6088af389b1072e1a97387a9ba5c6c3365155656282792344c2dd38c8f9ef
SHA512 b520bcfe1897308d430c98f64c0d7906218ca3c97600b00da51fdf57aa873af65dcee4b380da357cbbc1ca8eefcd804b7f698b8b1b233c3579f21827717ad229

C:\Windows\system\UmvhodP.exe

MD5 ef061c2f278886d23011b85ba764fe96
SHA1 43a77ea839500e4cc034c8782f30eed43fe61595
SHA256 098931530ec1a6119bb5c06d83d36b3bc50f915be4a3a618122f8a60d1bae162
SHA512 8701076790f96389365514b65b786845427b9a7c5397335c8f13956386fb5e042db95ebe74aa650e3df27f528afab7db46a5821001bf166defce7b669a9110ce

C:\Windows\system\GtILghu.exe

MD5 82bee3613615d7266fad865cb107adeb
SHA1 1221a4209f6d33b585d4a13e5345cff23bef6daa
SHA256 73becfe04634e2d5b69bc6d7684b2da143ce4beb58d5b0eb963321e74aaaa743
SHA512 012fb14ac53cef46efa959e137db6a0ca0a4921f3142c138305eabeea6e6cf2f1282206341a093f8391a1428cf2d17f9e8bb4babb1e7cf9c1b591a7b03be8971

memory/2748-100-0x000000013F7C0000-0x000000013FB14000-memory.dmp

C:\Windows\system\bopoNbf.exe

MD5 2cc683a1497f64001b5ba47d2162df0e
SHA1 bd571ea62784233ddf8634ef354a0e778fa43014
SHA256 3dcb621de170d4612b74fa670d8d1fe881e791cea8070bd7feaa4767fe0eec8e
SHA512 817fa1d017ea4e8bb9cd5bd9bacb4023ecd48d5b3eccd3f052e6186a39cc10b2bf297ab356579bbaf4c91f459a8d4dd0c54b4ea2d3b8d264a69619e2637c817f

memory/2108-104-0x0000000002430000-0x0000000002784000-memory.dmp

memory/2692-95-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/2108-93-0x0000000002430000-0x0000000002784000-memory.dmp

memory/2588-91-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2108-134-0x0000000002430000-0x0000000002784000-memory.dmp

memory/2108-135-0x000000013F600000-0x000000013F954000-memory.dmp

memory/2108-136-0x000000013F3F0000-0x000000013F744000-memory.dmp

memory/2108-137-0x000000013F4D0000-0x000000013F824000-memory.dmp

memory/2632-138-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/2024-139-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/1256-140-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/2588-141-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2172-142-0x000000013F520000-0x000000013F874000-memory.dmp

memory/2612-143-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2624-144-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2360-146-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2436-145-0x000000013F8C0000-0x000000013FC14000-memory.dmp

memory/2956-147-0x000000013F600000-0x000000013F954000-memory.dmp

memory/2244-148-0x000000013F3F0000-0x000000013F744000-memory.dmp

memory/2700-149-0x000000013F4D0000-0x000000013F824000-memory.dmp

memory/2692-150-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/2748-151-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 19:24

Reported

2024-06-08 19:26

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 rows, all N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 rows, all N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 rows, all N/A)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 rows, all N/A)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 rows, all N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\WGPhAmU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pZbjwAD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sJhHSnP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kwVKYDz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KjJUmyb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BsKwkud.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xfpGKzR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HaGYNqT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HUTpuQo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ShEINcl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cHpsCtp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZhOpBMs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VlHSqMy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AmJSwfG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nQzvgdY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mNYrpTH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uFcOCKU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HVgPzcb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YiHPFdJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bGRWrht.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ogryxty.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4212 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bGRWrht.exe
PID 4212 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\bGRWrht.exe
PID 4212 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\nQzvgdY.exe
PID 4212 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\nQzvgdY.exe
PID 4212 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ogryxty.exe
PID 4212 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ogryxty.exe
PID 4212 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\uFcOCKU.exe
PID 4212 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\uFcOCKU.exe
PID 4212 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\HaGYNqT.exe
PID 4212 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\HaGYNqT.exe
PID 4212 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\mNYrpTH.exe
PID 4212 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\mNYrpTH.exe
PID 4212 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\HVgPzcb.exe
PID 4212 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\HVgPzcb.exe
PID 4212 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\HUTpuQo.exe
PID 4212 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\HUTpuQo.exe
PID 4212 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ShEINcl.exe
PID 4212 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ShEINcl.exe
PID 4212 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\pZbjwAD.exe
PID 4212 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\pZbjwAD.exe
PID 4212 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\sJhHSnP.exe
PID 4212 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\sJhHSnP.exe
PID 4212 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\kwVKYDz.exe
PID 4212 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\kwVKYDz.exe
PID 4212 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\cHpsCtp.exe
PID 4212 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\cHpsCtp.exe
PID 4212 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZhOpBMs.exe
PID 4212 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZhOpBMs.exe
PID 4212 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\KjJUmyb.exe
PID 4212 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\KjJUmyb.exe
PID 4212 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\BsKwkud.exe
PID 4212 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\BsKwkud.exe
PID 4212 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\VlHSqMy.exe
PID 4212 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\VlHSqMy.exe
PID 4212 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\AmJSwfG.exe
PID 4212 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\AmJSwfG.exe
PID 4212 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\YiHPFdJ.exe
PID 4212 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\YiHPFdJ.exe
PID 4212 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\WGPhAmU.exe
PID 4212 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\WGPhAmU.exe
PID 4212 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\xfpGKzR.exe
PID 4212 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe C:\Windows\System\xfpGKzR.exe
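The two signature tables above carry the same story from two angles: the sample writes 21 executables with random seven-letter names into C:\Windows\System, then the same PID 4212 writes into the memory of a child for each of them, each pair listed twice. (The SeLockMemoryPrivilege rows just above fit the XMRig Miner payload signature rather than the Cobalt Strike one: XMRig requests that privilege to back its memory with large pages.) The script below, an added example that is not part of the sandbox report, joins the two tables on the dropped path so the parent-to-child view and any dropped-but-never-written file fall out directly. The DROPS and WPM strings are a short excerpt of the rows above, and the row layouts the regular expressions expect ('File created <path> <creator> N/A', 'PID <a> wrote to memory of <b> N/A <writer image> <target image>') are an assumption about this text export, not a documented format.

```python
"""Join the 'Drops file in Windows directory' and 'Suspicious use of
WriteProcessMemory' tables into one writer -> target view.

Added example, not part of the sandbox report.  DROPS and WPM are an excerpt
of the behavioral2 tables; the row layouts the regexes expect are an
assumption about this text export, not a documented format.
"""
import re
from collections import defaultdict

# The submitted sample, as the report names it (no spaces, so \S+ matches it).
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe")

# Constructed excerpt of the two tables (rows copied from the report above).
DROPS = r"""
File created C:\Windows\System\WGPhAmU.exe {P} N/A
File created C:\Windows\System\bGRWrht.exe {P} N/A
File created C:\Windows\System\nQzvgdY.exe {P} N/A
File created C:\Windows\System\ogryxty.exe {P} N/A
File created C:\Windows\System\uFcOCKU.exe {P} N/A
""".format(P=PARENT)

WPM = r"""
PID 4212 wrote to memory of 3328 N/A {P} C:\Windows\System\bGRWrht.exe
PID 4212 wrote to memory of 3328 N/A {P} C:\Windows\System\bGRWrht.exe
PID 4212 wrote to memory of 4412 N/A {P} C:\Windows\System\nQzvgdY.exe
PID 4212 wrote to memory of 4412 N/A {P} C:\Windows\System\nQzvgdY.exe
PID 4212 wrote to memory of 4192 N/A {P} C:\Windows\System\ogryxty.exe
PID 4212 wrote to memory of 4192 N/A {P} C:\Windows\System\ogryxty.exe
PID 4212 wrote to memory of 3216 N/A {P} C:\Windows\System\uFcOCKU.exe
PID 4212 wrote to memory of 3216 N/A {P} C:\Windows\System\uFcOCKU.exe
""".format(P=PARENT)

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_drops(text):
    """{dropped path: process that created it} from the 'File created' rows."""
    out = {}
    for line in text.strip().splitlines():
        m = DROP_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_wpm(text):
    """{(writer pid, target pid): (writer image, target image, row count)}.

    The report lists every writer/target pair twice; collapsing on the PID
    pair keeps the count so repeated writes stay visible.
    """
    out = {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        writer, target, seen = out.get(key, (m.group(3), m.group(4), 0))
        out[key] = (writer, target, seen + 1)
    return out


def correlate(drops, wpm):
    """Return (tree, unmatched).

    tree maps writer PID -> [(target PID, target image)] in PID order;
    unmatched lists dropped files that never appear as a write target of the
    process that dropped them (on disk, but not seen being written to here).
    """
    tree = defaultdict(list)
    unmatched = set(drops)
    for (wpid, tpid), (writer, target, _count) in sorted(wpm.items()):
        tree[wpid].append((tpid, target))
        if drops.get(target) == writer:
            unmatched.discard(target)
    return dict(tree), sorted(unmatched)


if __name__ == "__main__":
    tree, unmatched = correlate(parse_drops(DROPS), parse_wpm(WPM))
    for wpid, children in tree.items():
        print(f"PID {wpid} wrote into {len(children)} dropped executables:")
        for tpid, image in children:
            print(f"  PID {tpid}  {image}")
    print("dropped but not a write target in this excerpt:", unmatched)
```

Run against the full tables, every one of the 21 dropped files comes back as a write target of PID 4212 and the unmatched list is empty; on the excerpt, WGPhAmU.exe shows up as unmatched only because its write rows were left out.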

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\bGRWrht.exe

C:\Windows\System\bGRWrht.exe

C:\Windows\System\nQzvgdY.exe

C:\Windows\System\nQzvgdY.exe

C:\Windows\System\ogryxty.exe

C:\Windows\System\ogryxty.exe

C:\Windows\System\uFcOCKU.exe

C:\Windows\System\uFcOCKU.exe

C:\Windows\System\HaGYNqT.exe

C:\Windows\System\HaGYNqT.exe

C:\Windows\System\mNYrpTH.exe

C:\Windows\System\mNYrpTH.exe

C:\Windows\System\HVgPzcb.exe

C:\Windows\System\HVgPzcb.exe

C:\Windows\System\HUTpuQo.exe

C:\Windows\System\HUTpuQo.exe

C:\Windows\System\ShEINcl.exe

C:\Windows\System\ShEINcl.exe

C:\Windows\System\pZbjwAD.exe

C:\Windows\System\pZbjwAD.exe

C:\Windows\System\sJhHSnP.exe

C:\Windows\System\sJhHSnP.exe

C:\Windows\System\kwVKYDz.exe

C:\Windows\System\kwVKYDz.exe

C:\Windows\System\cHpsCtp.exe

C:\Windows\System\cHpsCtp.exe

C:\Windows\System\ZhOpBMs.exe

C:\Windows\System\ZhOpBMs.exe

C:\Windows\System\KjJUmyb.exe

C:\Windows\System\KjJUmyb.exe

C:\Windows\System\BsKwkud.exe

C:\Windows\System\BsKwkud.exe

C:\Windows\System\VlHSqMy.exe

C:\Windows\System\VlHSqMy.exe

C:\Windows\System\AmJSwfG.exe

C:\Windows\System\AmJSwfG.exe

C:\Windows\System\YiHPFdJ.exe

C:\Windows\System\YiHPFdJ.exe

C:\Windows\System\WGPhAmU.exe

C:\Windows\System\WGPhAmU.exe

C:\Windows\System\xfpGKzR.exe

C:\Windows\System\xfpGKzR.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

memory/4212-0-0x00007FF63FC10000-0x00007FF63FF64000-memory.dmp

memory/4212-1-0x000001CD469A0000-0x000001CD469B0000-memory.dmp

C:\Windows\System\bGRWrht.exe

MD5 a921dafa4f54fbeb60256b64a5ea3d10
SHA1 27804f5874445e6925a3a3e208421dbd2f4f0785
SHA256 89b4175783f2d3741e4b6f95bee5be60e3f73d3e23c83973dc51af17c347aa34
SHA512 db3f96ceba45c58d89c0031554ae93451a7dae446ff3135c5c4750ab15f950aa18a326e6d2588a98d534c8b2d573cd7ba42916e461d0be8d2ea480272ccef710

memory/3328-6-0x00007FF607E40000-0x00007FF608194000-memory.dmp

C:\Windows\System\ogryxty.exe

MD5 02fab6c854632ec54c9300479bc6244f
SHA1 2cdeb7e382d376115cc577baf6249e98c8099706
SHA256 aeabd24e57e4f8f900e24971d6af74bfceaa460c90ce768ac7a54f0c9063ed4e
SHA512 3decb04c57067b1cbb721c51b01e61dfe87bfd5f36478e57ddd57d8cd4e41a3ebbd98660813a8caf2000e4723b0187a749d29ca676f0da83f9d16d35dd82ee65

C:\Windows\System\nQzvgdY.exe

MD5 77f93469007e5ccc00b6942c754b7de6
SHA1 0a3690364ec844ce11e89c22329d1f984cd3ad97
SHA256 db365be615caf10742ebf0adad20cc03d7f729c38651dc4e19cc9dab3303ff4c
SHA512 67e9e49e07046439698edd6ac29115a40844801b29c717629587939355ffab5d78e3550c46abdd648dab16a96bb07a65c040c884a6fd97f11787ac347ee4e89a

C:\Windows\System\uFcOCKU.exe

MD5 04533548d1bd33bc736778037507bbfa
SHA1 bf309f32878c9c02247ab1f5a9952ebad1dbfd9f
SHA256 ac87fdd82697045ca40d87124a9679cfeb7a0665da560fc3957278fa4ed862bf
SHA512 6aca18143781e053c2b00aac4d54c9c42282812360a70113f4c16c04881c1bbc69c1968ef281c3b213c42d10e7626a9ab0bd5cf0f3f32cec01374530123369db

C:\Windows\System\mNYrpTH.exe

MD5 aee7ed2edeb70297c7d783161789d821
SHA1 d3207567cf6386934f3b92146e9e1d410fffdbb6
SHA256 6f49690719b2c7d9ee294326402ec5593d97dc4cb6f0bde202f18ea3f4472846
SHA512 1e4aa9ad1589208dc504d5735db37504b38edd261ab49e537e06afb7574d225bcdd6fa77fddf5422d2ad69a55908d06f63c66e503186694980facda584e9edbb

C:\Windows\System\HUTpuQo.exe

MD5 9e4e75220ad81f880a51ed7110c00ee2
SHA1 6ff1c6bba19d14c1c317de1d2fc80e9ca4d07c26
SHA256 c780f43e77421dca831aa101ab16dacc1ff3d1a0d1cb2ff498a783753a6cc97f
SHA512 473df34ab707eec22e1d303698d5214038035aa682144ddc357c4d6a1470979197d18f886d0d22de8aa31ca75686dc53c4aae781ef6f4a22cd80ac59b3227340

C:\Windows\System\ShEINcl.exe

MD5 182939a9a832f1ae9420d150a15f4ff6
SHA1 1bcc740c33a7dd6fc6c771f5f510ecc72e5b27cf
SHA256 591cacbe7c4752926b93b29638cba8dd2f2c06fd6cf43e894c9f67a66675e81d
SHA512 69ea7ef86fae8984f233bd624665a4e3c505d80c791b7b0dfa9cbc9c419d645e1eac0d18d25eeb1d6870bf6b89a8154b9138ea1695a43731b0664582966aa0c6

C:\Windows\System\kwVKYDz.exe

MD5 b418e25e61b3b973dc49a9510c3d29e9
SHA1 8c786d3d8ab87e2cdd82aa6f0ec42ac27410acaf
SHA256 6fe171f5d8be12ae749e73ecb8db93f0cf4acffbb70f8845cefb92e110a36316
SHA512 f56de11196588eaa7dce59375bdcbbc6d1668680fbf6cd54dde8c2cea9ff50bec254bc537bfb442a2e81dde3e8ece6be6b9010f66b6993092832f847368b3e19

C:\Windows\System\KjJUmyb.exe

MD5 e34057d8d80040b5a5c8469c5da83360
SHA1 d23a666ebee18ee606ae431b24176212a15258ed
SHA256 37eb774c96b9c4e51818719ff949167b6d19ebf27f04c504f10d095313ee0693
SHA512 338b5943c6902acb574a06093753554dae102987471255eb6524eb0d484988cf426bc0f9fc9b21cfebae77158f8050895fa864a7b38e3164ebd5b466aa10918e

C:\Windows\System\ZhOpBMs.exe

MD5 983fc613c3993fa83c31d34f3712b8a0
SHA1 5bf7585d2e2d5129f08bcb66c78f8883a8406a18
SHA256 785508702fc817ea8aad309997af758e8c85716e6a2b2d8845e6feb2a9cdba91
SHA512 0934f491e306eb2543bf5a91e685bd90696a25d52882bb0fda4a4fb97ac75745591f0d2914d370cfad888cacba2bf55d3e0aaad1f6f432dcbb26b34a83f34e93

C:\Windows\System\cHpsCtp.exe

MD5 4f27405c32743c05158bdced2ee007a8
SHA1 9deca0994fabe02af35f4fd2611e3121e0758ce5
SHA256 8c6906bd772da8e51a821810653bd58d541fa6c75e285714929a5d80a9fd93ba
SHA512 56408a3e3e65954a89edd4c7754fbc920b457f924e5257c3b9e47f9fcea1224dffa2073b4016026d32557c49069fdf0c2c2791dc619c455b757cc69992d17d6d

C:\Windows\System\sJhHSnP.exe

MD5 72ec0ee885c77245becc00576ce1957e
SHA1 6f8e26d9ff8e6cd9515387625b6fd11e35cc15e7
SHA256 87d047a3f5ed840d7b4a805b9965b2403f115c9374730da8cb6f5e1fcda2c4b7
SHA512 43a6c66609133d353490f5512da9c351e344ce26e6f8f8ce517a53acb1a67b2975bc76b009d8c2bee20cf4337000f5472cfc9a85aae278cd4481dd4ecc651215

C:\Windows\System\pZbjwAD.exe

MD5 ab3e36f9f834154431f3f9968cbe2623
SHA1 3eaab31eaa10ca670f148ddfbd5eb5f218dd2c3c
SHA256 b96063293d3ecf4072bd10da58ecbe7377bd9753596fdb803ebf4127d15f58fc
SHA512 8b756cfe1836901dcfe60ea322588b140e28e5c8d37331977fab756b9b902afb079c40e985c96abcda6ccbbc892dec3460abfc0b650bc99c9aec4bca370ee94e

C:\Windows\System\HVgPzcb.exe

MD5 e89bf72de1d06a24470917666b8f754d
SHA1 803480e399e47cc7f0cb0babaee89a0c39c19a4d
SHA256 b696ff9bfad18811bb5fcc360ce755efaddbb133319d448806b78ba837ff9e3d
SHA512 7dadb644bbf54e032181f0390bc7534ea947a3441fe06509275e4a34541581db7451d90b99f4f4af1f042a37423bcfbef30ec501eda2e9fe96c9f9b2fa267860

memory/2436-38-0x00007FF6EEBE0000-0x00007FF6EEF34000-memory.dmp

memory/912-33-0x00007FF622180000-0x00007FF6224D4000-memory.dmp

memory/3216-28-0x00007FF6E4690000-0x00007FF6E49E4000-memory.dmp

C:\Windows\System\HaGYNqT.exe

MD5 d317c170f3e45bb952f8e558da43c800
SHA1 5928cc03cfb0fa36bddc1f7c1823470ebb1b4a47
SHA256 421178ab4dea8287dcaf7fd26933bfbb23e455d2ef70f934b9447837d5c42052
SHA512 455f0c1de6f0eb159a6a879346e464b5684db8c0bb813ebfcbe217c8aec46841618b56559cd8263c3d3d8711e9d4a5b1ef10a9ea8f9bda16d729fbcf39cc2b24

memory/4192-20-0x00007FF6B9AF0000-0x00007FF6B9E44000-memory.dmp

memory/4412-12-0x00007FF684640000-0x00007FF684994000-memory.dmp

memory/3596-86-0x00007FF706EA0000-0x00007FF7071F4000-memory.dmp

C:\Windows\System\VlHSqMy.exe

MD5 b7eb4593cc96faabd382e9284bb746e2
SHA1 3fcd12fef425d9e36b6c8e761a80156c50ed3fe4
SHA256 55a1269705a6191d6a13e59deb28dc7467cb6ae417dc0df0c9a419afd51b55d7
SHA512 c8b40ff1a7aa4e633759578b7fd7afefc659626908206e789239f48dd95354688279b63ec6fbe5e464448d6af2b6e8686783a0352921bd593e2ca9e81225351f

memory/548-91-0x00007FF71E0E0000-0x00007FF71E434000-memory.dmp

memory/1908-94-0x00007FF61D5B0000-0x00007FF61D904000-memory.dmp

memory/4648-104-0x00007FF70DE80000-0x00007FF70E1D4000-memory.dmp

C:\Windows\System\AmJSwfG.exe

MD5 63446fd1425a2ac9b80bbd08c417c039
SHA1 653eab47e65aa2b7f562f14f423a5577e1bb293c
SHA256 d688bbea528a81ec9fb4376bc87ed1a39d9b640b25572a494f4b849f02dc4c70
SHA512 b2d51318cc23acebc365386d55fd0dadc0515bec5c6aaeaa19267c22cf2535355a56624b7c1693e791d5e8ce2ebb8f5fda599bb39929749932a03b7148c57da6

C:\Windows\System\BsKwkud.exe

MD5 db8b1ee3e32a9bab920c567d87debc21
SHA1 96b4116533069260755640aede3b69c5799d4391
SHA256 0605fbbc51bafbfe4851b557c580035067a47ef349e3f783bf41a3779a96ce8a
SHA512 cf912df3a46383f022aa2fcfaf182a1d7fb8c5c819eb2690b490ac73d41c1e19a50a54db525fef4a41b3f18159b6a7ee9d926f2895324d57b774d39cde77ccdb

C:\Windows\System\WGPhAmU.exe

MD5 70294df36fc52fb797a096ff725b0e19
SHA1 3a26ca71f69b9c364e652104446dbe2e0ee0a6c8
SHA256 61946b167cf6e5f2a8d4618707e03ac33bd7bfbb0e3c938def908005e57d17ce
SHA512 a53d8b7ec1d2247d8e3737315fbe46752178590068bdb6128d29e2ac25974220202960559f33bbb1d44b40166a019263f6f83000a9c46ff2a3b10ced59dc2075

C:\Windows\System\xfpGKzR.exe

MD5 b8733b597451d9ead43502a41785253f
SHA1 a76394b2531562c7b18f6f641075a63156122b66
SHA256 2556940d43a076ca835c686eaabb5bded5caaecb8096451e94aca32ad2b8f688
SHA512 6b8a78b74ab4bd9f465bb0beb9d18f22d3762b873494140a6074e59f136eddc7159b69baf2200c1529d45b6f377ac39aee3a63620fc79c23894155863aaa2812

C:\Windows\System\YiHPFdJ.exe

MD5 cb5ec0e278ff06cf44a6316453596d0b
SHA1 e79ab90bd51ea513d8b1f719a2129bb3364682c6
SHA256 d315046836fbd283368b4379d8f131236b30c9286954d78c56b7fada33eedad6
SHA512 bf608fef1b0a8cea7bf8a773b20adb4b397fe12de0651e12b43b77c182b1a96519bcc988766acbc3e60f64f51c5917bb23e38c42f8c384bd24db7c7ba9340d2a

memory/4308-106-0x00007FF7D53F0000-0x00007FF7D5744000-memory.dmp

memory/3716-105-0x00007FF72B5E0000-0x00007FF72B934000-memory.dmp

memory/3860-102-0x00007FF7F4E20000-0x00007FF7F5174000-memory.dmp

memory/4692-96-0x00007FF673A20000-0x00007FF673D74000-memory.dmp

memory/4752-93-0x00007FF622700000-0x00007FF622A54000-memory.dmp

memory/688-89-0x00007FF67B380000-0x00007FF67B6D4000-memory.dmp

memory/4484-85-0x00007FF73C8E0000-0x00007FF73CC34000-memory.dmp

memory/1132-84-0x00007FF7DCDE0000-0x00007FF7DD134000-memory.dmp

memory/4212-125-0x00007FF63FC10000-0x00007FF63FF64000-memory.dmp

memory/3804-128-0x00007FF6F2C10000-0x00007FF6F2F64000-memory.dmp

memory/3844-127-0x00007FF72F8B0000-0x00007FF72FC04000-memory.dmp

memory/5028-126-0x00007FF75F500000-0x00007FF75F854000-memory.dmp

memory/3328-129-0x00007FF607E40000-0x00007FF608194000-memory.dmp

memory/4412-130-0x00007FF684640000-0x00007FF684994000-memory.dmp

memory/3216-132-0x00007FF6E4690000-0x00007FF6E49E4000-memory.dmp

memory/4192-131-0x00007FF6B9AF0000-0x00007FF6B9E44000-memory.dmp

memory/3716-133-0x00007FF72B5E0000-0x00007FF72B934000-memory.dmp

memory/4308-134-0x00007FF7D53F0000-0x00007FF7D5744000-memory.dmp

memory/3328-135-0x00007FF607E40000-0x00007FF608194000-memory.dmp

memory/4412-136-0x00007FF684640000-0x00007FF684994000-memory.dmp

memory/4192-137-0x00007FF6B9AF0000-0x00007FF6B9E44000-memory.dmp

memory/912-138-0x00007FF622180000-0x00007FF6224D4000-memory.dmp

memory/3216-139-0x00007FF6E4690000-0x00007FF6E49E4000-memory.dmp

memory/2436-140-0x00007FF6EEBE0000-0x00007FF6EEF34000-memory.dmp

memory/1132-141-0x00007FF7DCDE0000-0x00007FF7DD134000-memory.dmp

memory/4484-142-0x00007FF73C8E0000-0x00007FF73CC34000-memory.dmp

memory/3596-143-0x00007FF706EA0000-0x00007FF7071F4000-memory.dmp

memory/688-144-0x00007FF67B380000-0x00007FF67B6D4000-memory.dmp

memory/548-145-0x00007FF71E0E0000-0x00007FF71E434000-memory.dmp

memory/4752-146-0x00007FF622700000-0x00007FF622A54000-memory.dmp

memory/1908-147-0x00007FF61D5B0000-0x00007FF61D904000-memory.dmp

memory/4692-148-0x00007FF673A20000-0x00007FF673D74000-memory.dmp

memory/3860-149-0x00007FF7F4E20000-0x00007FF7F5174000-memory.dmp

memory/4648-150-0x00007FF70DE80000-0x00007FF70E1D4000-memory.dmp

memory/4308-152-0x00007FF7D53F0000-0x00007FF7D5744000-memory.dmp

memory/3716-151-0x00007FF72B5E0000-0x00007FF72B934000-memory.dmp

memory/5028-153-0x00007FF75F500000-0x00007FF75F854000-memory.dmp

memory/3844-154-0x00007FF72F8B0000-0x00007FF72FC04000-memory.dmp

memory/3804-155-0x00007FF6F2C10000-0x00007FF6F2F64000-memory.dmp
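Three things in the Network and Files listings above are worth pulling out mechanically rather than by eye: which destinations are more than reverse-DNS lookups sent to the resolver (every 8.8.8.8:53 row is a PTR query for an in-addr.arpa name, leaving 3.120.209.58:8080 over TCP as the only other endpoint), how large each dumped image region is (the parent's 0x00007FF63FC10000-0x00007FF63FF64000 and every child's main region span the same 0x354000 bytes, even though the dropped files all hash differently), and the SHA-256 of each dropped file for a blocklist. The script below is an added example, not part of the sandbox report; NETWORK and FILES are short excerpts of the listings above, and the layouts it parses ('<country> <ip>:<port> [<domain>] <proto>' rows and 'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp' dump names) are an assumption about this text export, not a documented format.

```python
"""Pull triage indicators out of the 'Network' and 'Files' listings: endpoints
that are not reverse-DNS noise, the size of every dumped image region, and the
hashes of the dropped executables.

Added example, not part of the sandbox report.  NETWORK and FILES are excerpts
of the behavioral2 listings; the layouts the regexes expect are an assumption
about this text export, not a documented format.
"""
import re
from collections import Counter, defaultdict

# Constructed excerpts (rows copied from the report above).
NETWORK = """
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

FILES = r"""
memory/4212-0-0x00007FF63FC10000-0x00007FF63FF64000-memory.dmp
memory/4212-1-0x000001CD469A0000-0x000001CD469B0000-memory.dmp
C:\Windows\System\bGRWrht.exe
MD5 a921dafa4f54fbeb60256b64a5ea3d10
SHA1 27804f5874445e6925a3a3e208421dbd2f4f0785
SHA256 89b4175783f2d3741e4b6f95bee5be60e3f73d3e23c83973dc51af17c347aa34
memory/3328-6-0x00007FF607E40000-0x00007FF608194000-memory.dmp
C:\Windows\System\ogryxty.exe
MD5 02fab6c854632ec54c9300479bc6244f
SHA256 aeabd24e57e4f8f900e24971d6af74bfceaa460c90ce768ac7a54f0c9063ed4e
memory/4192-20-0x00007FF6B9AF0000-0x00007FF6B9E44000-memory.dmp
"""

NET_RE = re.compile(r"^(\w\w) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# One dropped-file entry in the report lacks its drive letter, so it is optional.
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\\S+\.exe$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def ptr_target(name):
    """'241.150.49.20.in-addr.arpa' -> '20.49.150.241', the address being looked up."""
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def split_network(text):
    """(reverse lookups keyed by looked-up IP, other endpoints keyed by (ip, port, proto)).

    PTR queries to the resolver are typically the guest OS resolving its own
    peers; whatever is left is what the sample itself talked to.
    """
    ptr, other = Counter(), Counter()
    for line in text.strip().splitlines():
        m = NET_RE.match(line)
        if not m:
            continue
        _cc, ip, port, domain, proto = m.groups()
        if port == "53" and domain and domain.endswith(".in-addr.arpa"):
            ptr[ptr_target(domain)] += 1
        else:
            other[(ip, int(port), proto)] += 1
    return dict(ptr), dict(other)


def region_sizes(text):
    """{pid: [(start address, size in bytes), ...]} for each memory dump name."""
    out = defaultdict(list)
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line)
        if m:
            pid, start, end = m.groups()
            out[int(pid)].append((int(start, 16), int(end, 16) - int(start, 16)))
    return dict(out)


def common_sizes(regions):
    """Region sizes present in every process.  One size shared across drops that
    all hash differently is worth a closer look at the dropped files themselves."""
    per_pid = [{size for _, size in dumps} for dumps in regions.values()]
    return set.intersection(*per_pid) if per_pid else set()


def dropped_hashes(text):
    """{path: {algorithm: hexdigest}} from each path line and the hash lines under it."""
    out, current = {}, None
    for line in text.strip().splitlines():
        if PATH_RE.match(line):
            current = line
            out[current] = {}
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            out[current][m.group(1)] = m.group(2)
    return out


def sha256_blocklist(hashes):
    """Sorted, de-duplicated SHA-256 list ready for a blocklist or a hash search."""
    return sorted({h["SHA256"] for h in hashes.values() if "SHA256" in h})


if __name__ == "__main__":
    ptr, other = split_network(NETWORK)
    print("reverse lookups:", ptr)
    print("other endpoints:", other)
    regions = region_sizes(FILES)
    print("region sizes common to every PID:", [hex(s) for s in common_sizes(regions)])
    print("SHA-256 blocklist:", sha256_blocklist(dropped_hashes(FILES)))
```

On the full listing the same code leaves 3.120.209.58:8080/tcp with seven hits as the only non-resolver endpoint, reports 0x354000 as the one size every PID shares, and yields 21 distinct SHA-256 values; the listing gives no reason for the repeated connection beyond its existence, so treat the endpoint as something to pivot on, not as a confirmed C2.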