Malware Analysis Report

2024-10-16 03:06

Sample ID 240608-z1jzvaha89
Target 2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike
SHA256 bffe0d0033affa8b9fefb8cddfff8c584f623ac69597e557fef47330bafb7e21
Tags: cobaltstrike xmrig 0 backdoor miner trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: bffe0d0033affa8b9fefb8cddfff8c584f623ac69597e557fef47330bafb7e21
Threat Level: Known bad

The file 2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags: cobaltstrike xmrig 0 backdoor miner trojan upx

Signatures triggered across the static and behavioral runs:

Cobaltstrike
Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
xmrig
Xmrig family
XMRig Miner payload
UPX packed file
UPX dump on OEP (original entry point)
Unsigned PE
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-08 21:11

Signatures

The static scan recorded no description, indicator, process or target for any of the following signatures; only the signature name and family tag are available.

Cobalt Strike reflective loader

Cobaltstrike family (tag: cobaltstrike)

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload (tag: miner)

Xmrig family (tag: xmrig)

UPX packed file (tag: upx)

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-08 21:11
Reported: 2024-06-08 21:13
Platform: win7-20240508-en
Max time kernel: 138s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader (21 rows; no description, indicator, process or target recorded)

Cobaltstrike (tags: trojan backdoor cobaltstrike)

xmrig (tags: miner xmrig)

Detects Reflective DLL injection artifacts (21 rows; no description, indicator, process or target recorded)

UPX dump on OEP (original entry point) (56 rows; no description, indicator, process or target recorded)

XMRig Miner payload (tag: miner; 59 rows, no description, indicator, process or target recorded)

Loads dropped DLL

21 DLL-load events, all attributed to the process C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe. The sandbox recorded no description, indicator or target for any of them.

UPX packed file (tag: upx; 57 rows, no description, indicator, process or target recorded)

Drops file in Windows directory

All 21 files below were created (Description: File created) by C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe; no Indicator or Target was recorded for any of them.

C:\Windows\System\iHoLgRe.exe
C:\Windows\System\RzpaiWZ.exe
C:\Windows\System\YjXmvdg.exe
C:\Windows\System\GIrYDho.exe
C:\Windows\System\gIaNfOj.exe
C:\Windows\System\ZafYWrv.exe
C:\Windows\System\YbbkImW.exe
C:\Windows\System\KoVieRR.exe
C:\Windows\System\XGpZfJa.exe
C:\Windows\System\HBldljh.exe
C:\Windows\System\qsBqJiE.exe
C:\Windows\System\zXmEfPg.exe
C:\Windows\System\KywSLQB.exe
C:\Windows\System\gNHxpzh.exe
C:\Windows\System\NMBhHSX.exe
C:\Windows\System\KzTFBBp.exe
C:\Windows\System\bLIGWjW.exe
C:\Windows\System\ccxSoQR.exe
C:\Windows\System\nwTsWhd.exe
C:\Windows\System\zTaXyFq.exe
C:\Windows\System\RfwcEFM.exe

Suspicious use of AdjustPrivilegeToken

Token: SeLockMemoryPrivilege, requested twice by C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe (Indicator and Target: N/A). SeLockMemoryPrivilege is the privilege a process needs to allocate large pages; XMRig requests it to enable huge pages for its hashing, so this event is consistent with the XMRig Miner payload signature above.

Suspicious use of WriteProcessMemory

PID 2244 (C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe) wrote to the memory of each of the 21 processes below, three writes per target (Indicator: N/A):

PID 2032  C:\Windows\System\KoVieRR.exe
PID 2944  C:\Windows\System\NMBhHSX.exe
PID 2344  C:\Windows\System\XGpZfJa.exe
PID 2740  C:\Windows\System\nwTsWhd.exe
PID 2636  C:\Windows\System\zTaXyFq.exe
PID 2828  C:\Windows\System\HBldljh.exe
PID 2812  C:\Windows\System\iHoLgRe.exe
PID 2540  C:\Windows\System\KzTFBBp.exe
PID 2560  C:\Windows\System\qsBqJiE.exe
PID 2124  C:\Windows\System\GIrYDho.exe
PID 2884  C:\Windows\System\gIaNfOj.exe
PID 3052  C:\Windows\System\RzpaiWZ.exe
PID 468   C:\Windows\System\bLIGWjW.exe
PID 2876  C:\Windows\System\ccxSoQR.exe
PID 740   C:\Windows\System\zXmEfPg.exe
PID 2748  C:\Windows\System\YjXmvdg.exe
PID 2872  C:\Windows\System\RfwcEFM.exe
PID 1828  C:\Windows\System\ZafYWrv.exe
PID 2024  C:\Windows\System\YbbkImW.exe
PID 2920  C:\Windows\System\KywSLQB.exe
PID 664   C:\Windows\System\gNHxpzh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe"

Dropped executables observed as processes (each was launched with its own path as the command line):

C:\Windows\System\KoVieRR.exe
C:\Windows\System\NMBhHSX.exe
C:\Windows\System\XGpZfJa.exe
C:\Windows\System\nwTsWhd.exe
C:\Windows\System\zTaXyFq.exe
C:\Windows\System\HBldljh.exe
C:\Windows\System\iHoLgRe.exe
C:\Windows\System\KzTFBBp.exe
C:\Windows\System\qsBqJiE.exe
C:\Windows\System\GIrYDho.exe
C:\Windows\System\gIaNfOj.exe
C:\Windows\System\RzpaiWZ.exe
C:\Windows\System\bLIGWjW.exe
C:\Windows\System\ccxSoQR.exe
C:\Windows\System\zXmEfPg.exe
C:\Windows\System\YjXmvdg.exe
C:\Windows\System\RfwcEFM.exe
C:\Windows\System\ZafYWrv.exe
C:\Windows\System\YbbkImW.exe
C:\Windows\System\KywSLQB.exe
C:\Windows\System\gNHxpzh.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 identical connection records; no domain was resolved)

Files

SHA512 777502b044d3c723f41242fd2ecbf639b1a9dbca9eead438ee2eb933f82162bd42b1537fa872169e98c7dafc4912078c3e3a4328dd3be4989d2044797fed74ab

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 21:11

Reported

2024-06-08 21:13

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\KoVieRR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NMBhHSX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iHoLgRe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZafYWrv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XGpZfJa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qsBqJiE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ccxSoQR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YbbkImW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zTaXyFq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HBldljh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KzTFBBp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GIrYDho.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YjXmvdg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RfwcEFM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gNHxpzh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nwTsWhd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gIaNfOj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RzpaiWZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bLIGWjW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zXmEfPg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KywSLQB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4772 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\KoVieRR.exe
PID 4772 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\KoVieRR.exe
PID 4772 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\NMBhHSX.exe
PID 4772 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\NMBhHSX.exe
PID 4772 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\XGpZfJa.exe
PID 4772 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\XGpZfJa.exe
PID 4772 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\nwTsWhd.exe
PID 4772 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\nwTsWhd.exe
PID 4772 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\zTaXyFq.exe
PID 4772 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\zTaXyFq.exe
PID 4772 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\HBldljh.exe
PID 4772 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\HBldljh.exe
PID 4772 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\iHoLgRe.exe
PID 4772 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\iHoLgRe.exe
PID 4772 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\KzTFBBp.exe
PID 4772 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\KzTFBBp.exe
PID 4772 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\qsBqJiE.exe
PID 4772 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\qsBqJiE.exe
PID 4772 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\GIrYDho.exe
PID 4772 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\GIrYDho.exe
PID 4772 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\gIaNfOj.exe
PID 4772 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\gIaNfOj.exe
PID 4772 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\RzpaiWZ.exe
PID 4772 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\RzpaiWZ.exe
PID 4772 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\bLIGWjW.exe
PID 4772 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\bLIGWjW.exe
PID 4772 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\ccxSoQR.exe
PID 4772 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\ccxSoQR.exe
PID 4772 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\zXmEfPg.exe
PID 4772 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\zXmEfPg.exe
PID 4772 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\YjXmvdg.exe
PID 4772 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\YjXmvdg.exe
PID 4772 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\RfwcEFM.exe
PID 4772 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\RfwcEFM.exe
PID 4772 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZafYWrv.exe
PID 4772 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZafYWrv.exe
PID 4772 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\YbbkImW.exe
PID 4772 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\YbbkImW.exe
PID 4772 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\KywSLQB.exe
PID 4772 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\KywSLQB.exe
PID 4772 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\gNHxpzh.exe
PID 4772 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe C:\Windows\System\gNHxpzh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_8fd6c750979b3ba1fa77f0b99205e649_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\KoVieRR.exe

C:\Windows\System\KoVieRR.exe

C:\Windows\System\NMBhHSX.exe

C:\Windows\System\NMBhHSX.exe

C:\Windows\System\XGpZfJa.exe

C:\Windows\System\XGpZfJa.exe

C:\Windows\System\nwTsWhd.exe

C:\Windows\System\nwTsWhd.exe

C:\Windows\System\zTaXyFq.exe

C:\Windows\System\zTaXyFq.exe

C:\Windows\System\HBldljh.exe

C:\Windows\System\HBldljh.exe

C:\Windows\System\iHoLgRe.exe

C:\Windows\System\iHoLgRe.exe

C:\Windows\System\KzTFBBp.exe

C:\Windows\System\KzTFBBp.exe

C:\Windows\System\qsBqJiE.exe

C:\Windows\System\qsBqJiE.exe

C:\Windows\System\GIrYDho.exe

C:\Windows\System\GIrYDho.exe

C:\Windows\System\gIaNfOj.exe

C:\Windows\System\gIaNfOj.exe

C:\Windows\System\RzpaiWZ.exe

C:\Windows\System\RzpaiWZ.exe

C:\Windows\System\bLIGWjW.exe

C:\Windows\System\bLIGWjW.exe

C:\Windows\System\ccxSoQR.exe

C:\Windows\System\ccxSoQR.exe

C:\Windows\System\zXmEfPg.exe

C:\Windows\System\zXmEfPg.exe

C:\Windows\System\YjXmvdg.exe

C:\Windows\System\YjXmvdg.exe

C:\Windows\System\RfwcEFM.exe

C:\Windows\System\RfwcEFM.exe

C:\Windows\System\ZafYWrv.exe

C:\Windows\System\ZafYWrv.exe

C:\Windows\System\YbbkImW.exe

C:\Windows\System\YbbkImW.exe

C:\Windows\System\KywSLQB.exe

C:\Windows\System\KywSLQB.exe

C:\Windows\System\gNHxpzh.exe

C:\Windows\System\gNHxpzh.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4772-0-0x00007FF74BC90000-0x00007FF74BFE4000-memory.dmp

memory/4772-1-0x0000028004960000-0x0000028004970000-memory.dmp

C:\Windows\System\KoVieRR.exe

MD5 d4f08cb5676f33946def8a3cb2c1f11e
SHA1 fe0d63c6121be7e9293e42084dd42326aa9f481e
SHA256 7cabd834b53def0d7da99293c746a5b83a89d0a0545cfecf0079c265aba3c09d
SHA512 0db79afeedf58d67ba22ea02cbaa44b67c306cb9656018f277a9ac2c60ed0a95d1fba30292de98e0ab5c6c983070caae6ec044433bcf9d9c8d6e04c51c2a7788

memory/4232-8-0x00007FF763D70000-0x00007FF7640C4000-memory.dmp

C:\Windows\System\NMBhHSX.exe

MD5 e1ecf135664855090085c5e826c372a5
SHA1 bcb92ba9cf5fc97a48d38a8730e00697d8b4bf57
SHA256 642d2a150685694c9f1abae5b85172118eddba981f44489c1a89713d975bb5b9
SHA512 ccf72253b7f2f9760a0a82061eb7bd876193fd193b32f13b3488b8183c9f411986d2660419154342e4f888248e7117193278c7eb8e609f57a21169fd8a064535

C:\Windows\System\XGpZfJa.exe

MD5 0ebbed5fd07b5d7d7fabb4d2d2d38f32
SHA1 596d84dc122768a983084d89bf472731834c1110
SHA256 6a13ef42b10d278c1bc5dcd0ae82d278b5c7794b55cbaa491792e35e2509ed64
SHA512 4ee7b5b9d46904fa3abc523998d36cb80f6d27857ba3dd6c7b88a31075b684afc9daf4ca2634b6d5fb5f43365ff8bc24c0aa250d40f1e122e7543f18b8ec2911

memory/2944-14-0x00007FF67D470000-0x00007FF67D7C4000-memory.dmp

C:\Windows\System\nwTsWhd.exe

MD5 97889ed4405b3174b08caa283ae7a88e
SHA1 b25c82293d7ab6d957accc74890133dc065e20c8
SHA256 bc62d38734f83dbed9d2aa1ce46548f9fc2a93221487cd7e8c8da5c1831edc59
SHA512 261c97785d044f7aa724d6ce9487784253d76b33090460c6050d7892800912ecd0113c4d5d3f76e9a06ad7ab9fdc141931a0bd876a71cd0482cbaface5259f32

C:\Windows\System\zTaXyFq.exe

MD5 5c06a655cadd3fea21c895ae52da19d8
SHA1 68f78f8cd9f2be1b7fcf5a1e5a1a8a8eed46defa
SHA256 b6b09749dec0d0d9c1ecc4042a560d044b85bfb355394943b47e3de6e41ba312
SHA512 34c1b0c83b87976d93842a73cbb945549d0f3bc26f1b287d3dc5373bb947b570849fda1163b6c7a29416ef9720f81387bc1c96d0a1c0d57d8ce71c168a5a9b8c

memory/628-27-0x00007FF6A8510000-0x00007FF6A8864000-memory.dmp

memory/3552-18-0x00007FF6BA180000-0x00007FF6BA4D4000-memory.dmp

memory/440-32-0x00007FF7A8830000-0x00007FF7A8B84000-memory.dmp

C:\Windows\System\HBldljh.exe

MD5 a1d3c4b06c72b2422f143951d131c70c
SHA1 465847a66bbc7fb1fae277e9b2c628e5090252af
SHA256 dc733fcc8f5d59baf7445266d2a13af5f46770e309a843445ee62b674c31cb0d
SHA512 2487db08a3ad52507af86782bc8217ca598b08673fee61b77445dc23812944f000bf49c73dc2cbd91e4f7662063a3c28b1d354c781e33182467b3e8dfb100bdd

C:\Windows\System\iHoLgRe.exe

MD5 ba497662ea53caaa170a0f7abae93680
SHA1 d3b87d24ea929a4d2f578852d7efd2c826489994
SHA256 dce9439019ee9e0557c4ebb065dbb75f8dbd9b9d5b2430cad4cda8768563bea5
SHA512 c4cfdb7699011972da8e9a2b44aa373e99e3c229bca77e9d71d7ec19da96b65300005df1d31e5c004a336e07db5cd0fd44e104730e1f0e8a10304985e59cccb2

memory/2204-37-0x00007FF72A040000-0x00007FF72A394000-memory.dmp

memory/5112-41-0x00007FF7C19F0000-0x00007FF7C1D44000-memory.dmp

C:\Windows\System\KzTFBBp.exe

MD5 6b1a6d104d6884aa66fc2339207d9faf
SHA1 be6fd92d38d1c5ea27525da0448a2891f499b6d4
SHA256 888e52847aade3abd6488ecbad52f83a86532a5c9807fe7de483ec52b305d79d
SHA512 7c4c6251c1312fd76a6bd6574f6f27d7d354744627b022eb829f20c75117b2ea8ae356b212d33014ba53e7800ad9f56ae05de3c2b3067d765091e2ddb1d521f3

memory/4976-50-0x00007FF63B190000-0x00007FF63B4E4000-memory.dmp

C:\Windows\System\qsBqJiE.exe

MD5 d88b0dec704f9b8e9ac13e1baff7bdad
SHA1 3a32cc11fdfa653ba902f25f48d6a9ebbcc2579b
SHA256 adf4b08d0e188edd0d9db8e93e51e1281034c490604af70f2b9c7cdd112023b4
SHA512 f53e2c445d7519e74a72f88af1413efa63f6ac345fda0e75fb988697ed4d27c5fc97574ff1889c0651cfa6ad05fadc920a631e2525dafd2d72a6bc79b5eb6253

memory/4864-56-0x00007FF79B330000-0x00007FF79B684000-memory.dmp

C:\Windows\System\gIaNfOj.exe

MD5 d9c104222f1cc6b51e7b17cc1cd0d4cf
SHA1 4c1e5dfcb0449151a62f70bc0adf6e3fe6e5b93d
SHA256 11a118757edc28eae58d7902976c541ca71f82403f9d8db91e26e15ebde63d0a
SHA512 a4fad3d54be86e65615205f3be780c4c9c0fa60b7e71be95fc54269ef58d153c8380a19fa00a8d44f6dd8bcd29b0d83c5f5d31504cac046544d193d6f85c20a2

memory/1020-69-0x00007FF7093C0000-0x00007FF709714000-memory.dmp

C:\Windows\System\RzpaiWZ.exe

MD5 a7480fed1b4dfb8dcd37376ccdef5958
SHA1 484e87050fc9638601ed614219f9f31f2aab6c77
SHA256 167ff2a293a14ece725f910e43c3783ba813642b290199232a0d674f7b168600
SHA512 8ad814d7473ae3822dc6bad3600de77300f61855244bf911c8ae27b1eb4fa432b2ac08042425a6736496057900f6d50a62385711601bcf7502999f490b4fefaf

memory/3552-77-0x00007FF6BA180000-0x00007FF6BA4D4000-memory.dmp

C:\Windows\System\bLIGWjW.exe

MD5 e51bee921aae0c6834f63c8b7e777ce3
SHA1 0dab489238b10be481466ad3faea42575705de9b
SHA256 0e606ec40887a46ac131d24961e9f5bcbeedabd95dc0d21873832f8874e78679
SHA512 7690278588512c4587e532020e3ef2afa799ba6c366434de3ca4d75424f9bee69f947722d69587ab39bfe3a1a9de6b1b2c76790830b636320606853d885613cc

memory/4528-78-0x00007FF74A7C0000-0x00007FF74AB14000-memory.dmp

memory/3880-75-0x00007FF7C78A0000-0x00007FF7C7BF4000-memory.dmp

C:\Windows\System\GIrYDho.exe

MD5 f0c7c309c7786de596e580f7b41df7e2
SHA1 b053b9c69bb76d406f178f88a2abb5a5fa54f4c9
SHA256 dcb37d858dc268c54e5ef4c344bb30e390750e3482757c5efa2368e197817fbd
SHA512 0d54f3565e540a915d6cd283639952284ef2f5ec3fe93ccb47182753b99f68793d2b37205b2906e8077dd3161ba171c5da37e079eb8d3d538db16288eff2f0c0

memory/2076-64-0x00007FF70BF70000-0x00007FF70C2C4000-memory.dmp

memory/4772-63-0x00007FF74BC90000-0x00007FF74BFE4000-memory.dmp

C:\Windows\System\ccxSoQR.exe

MD5 d4249d4134fe175403fd4c9cb2fe3157
SHA1 8aa7aa2e662d0f68cc33bd20cbd4038fe3c724e7
SHA256 3455729ce60cf6f3a19b851d3481eea86312d832582d1de27830f4c581fac163
SHA512 1063aaec5589be71f05aa92c67c22dc604abbceeb00509886a2d8389273d1988e05461a34c0d7028ef83efc842694800c144a3f6eef1fe23857693db0b29a570

C:\Windows\System\RfwcEFM.exe

MD5 8535d030b5c1751b797a699be93655e2
SHA1 d3559f2bdd13a337116dcff123c414706c2315aa
SHA256 14e5bb83d5fb462c692e1c448aa003bfccdc2de2a9ce3720bb073730ca25141b
SHA512 777502b044d3c723f41242fd2ecbf639b1a9dbca9eead438ee2eb933f82162bd42b1537fa872169e98c7dafc4912078c3e3a4328dd3be4989d2044797fed74ab

C:\Windows\System\ZafYWrv.exe

MD5 d2cef7c3461c0b97729a64921dfff5c4
SHA1 5759b29a12c19d2ec86a6015300784241b46cc94
SHA256 90cc766b65c63e117423505a2c7693653411fd204ec4ce424853fbaeb14db4c1
SHA512 5922ab57af39fb5933883cdc3737696c66999429377bbd6b00a4dfafff5ef02f305393d0f1b3dcfea5a7edf653765a2e564c94c285963fe512f9f68f3450039b

memory/4620-104-0x00007FF64DA10000-0x00007FF64DD64000-memory.dmp

memory/2204-102-0x00007FF72A040000-0x00007FF72A394000-memory.dmp

C:\Windows\System\YjXmvdg.exe

MD5 3f6ee24927197ec1badf76701d1c8dfa
SHA1 d6285a47b001c0ed5070734054c84c07fa56b95e
SHA256 7b4135d764f40fa75dc60862c98ece6e8d7ad4760712bfb76ae2df85f321e8b5
SHA512 9ed3808ee164052ca0ecf698a7d0157bab0a42863462d350a68e7778aa26302720dab21d1495134909faa4fda26d8499ec656d19d2f79dd3a4f16e3b62295e4d

memory/1344-96-0x00007FF6A4880000-0x00007FF6A4BD4000-memory.dmp

C:\Windows\System\zXmEfPg.exe

MD5 ebf457a7eafd1af1f6f33d18ba5cdb81
SHA1 f443e1517bcedede6e531ff228d365589a4408ff
SHA256 737f722b324770c8e6a794da7852542adc0d4f04352265361cb3c8193fb4c8b8
SHA512 4cf1317f3fbd2a06b6f3f3f4a23c399c31acac4825a71141f62c8189521d86a1f58e3259b7f63368dd505a757f27615e2c6ed35fb0ddd65e9a85683575ea6f20

memory/5092-86-0x00007FF709220000-0x00007FF709574000-memory.dmp

memory/3912-115-0x00007FF785AC0000-0x00007FF785E14000-memory.dmp

C:\Windows\System\YbbkImW.exe

MD5 504d39256ff464a28de4fa97dd9bf472
SHA1 6d1537d69b7ba7bf30cc1903003d63bc17d7f3fe
SHA256 af1bb418fadc69dc2d805e3316cc11f155804cd03e164ccffa1490ba1e797849
SHA512 00db7a8bee97077f751a46a1cef0a2c918126575941caf37d489f40a0221c4a8cbd9802e999a99ccb832f9228b4109acf237d2d32b305977b6743a968cd6609a

memory/4920-118-0x00007FF6ACC10000-0x00007FF6ACF64000-memory.dmp

memory/5060-113-0x00007FF665F10000-0x00007FF666264000-memory.dmp

memory/5112-112-0x00007FF7C19F0000-0x00007FF7C1D44000-memory.dmp

C:\Windows\System\KywSLQB.exe

MD5 4e6a6329377f516ba6ed58049a0ef691
SHA1 29040546cfb6e8290625cf685463c74d92989277
SHA256 f819121978728f2d76bb573cb7dae2d7faf6fc213ea169cbbc2450afc18aa0ab
SHA512 4c12769ad36b2aba3160f12f6ec1cf13521e21affc20b2c8b15aa312d122b5f13ab14e550a704d10a46937937a4ca73c3d02a8d6be67df460d27ed44d6c11a42

C:\Windows\System\gNHxpzh.exe

MD5 71c97ef2cf07622e705142e8a0dd6e72
SHA1 0722d9e07f4a65422cda06650d07624081ba1ef3
SHA256 77db6d123d07dff414a9772aa8e9e560a9eb13557bebf0aa53083f9864327f52
SHA512 d3c538d6bc122ecadaf492baabbb790b503a9649c89fe888208ccc78aba852b56820055e1c2fa7e8232b8d898e8fde89b1034ba4a66000b71fc88141bbe8f13b