Malware Analysis Report

2024-10-16 03:05

Sample ID 240608-zt734aha28
Target 2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike
SHA256 8172356dc1b04ad9e68c050c1431ef0e0fa20c997c96c0268b202a1298430dd2
Tags miner upx 0 xmrig cobaltstrike backdoor trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

8172356dc1b04ad9e68c050c1431ef0e0fa20c997c96c0268b202a1298430dd2

Threat Level: Known bad

The file 2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Tags miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike
XMRig Miner payload
xmrig
Cobaltstrike family
Cobalt Strike reflective loader
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 21:02

Signatures

The static signatures carry no indicator, process or target details (every table cell is N/A):

Cobalt Strike reflective loader
Cobaltstrike family (tag: cobaltstrike)
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload (tag: miner)
Xmrig family (tag: xmrig)
UPX packed file (tag: upx)
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 21:01

Reported

2024-06-08 21:09

Platform

win7-20240220-en

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig (tags: miner, xmrig)

UPX dump on OEP (original entry point)
36 hits; no indicator, process or target recorded (all cells N/A).

XMRig Miner payload (tag: miner)
60 hits; no indicator, process or target recorded (all cells N/A).

Loads dropped DLL
21 events, all attributed to the process C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe; indicator and target not recorded (N/A).

UPX packed file (tag: upx)
58 hits; no indicator, process or target recorded (all cells N/A).

Drops file in Windows directory

All 21 files were created by the sample process C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe (indicator: file created; target: N/A):

C:\Windows\System\CrrygFG.exe
C:\Windows\System\cPwZqTz.exe
C:\Windows\System\jApptUw.exe
C:\Windows\System\EkNabuZ.exe
C:\Windows\System\lXyTqhp.exe
C:\Windows\System\SGbxzEv.exe
C:\Windows\System\ZhIPcfW.exe
C:\Windows\System\tXfPMfz.exe
C:\Windows\System\OlfgOzD.exe
C:\Windows\System\THqgnOx.exe
C:\Windows\System\bJjPdUx.exe
C:\Windows\System\LjFcsII.exe
C:\Windows\System\MUVlURR.exe
C:\Windows\System\jVmvyeK.exe
C:\Windows\System\jFYCwhm.exe
C:\Windows\System\NaIuSAw.exe
C:\Windows\System\eOFPJhy.exe
C:\Windows\System\XYAnkdc.exe
C:\Windows\System\DMqONTm.exe
C:\Windows\System\kAOdehF.exe
C:\Windows\System\rnTwbyT.exe

Suspicious use of AdjustPrivilegeToken

Token: SeLockMemoryPrivilege, adjusted twice by C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe (indicator and target N/A). SeLockMemoryPrivilege is the privilege XMRig requests on Windows to enable large (huge) pages for its hashing, so this event is consistent with the miner tags above.

Suspicious use of WriteProcessMemory

The source process in every row is C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe (PID 2204); the indicator column is N/A. Each write is reported three times; the distinct PID/target pairs are:

PID 2204 wrote to memory of 3048, target C:\Windows\System\ZhIPcfW.exe
PID 2204 wrote to memory of 2544, target C:\Windows\System\DMqONTm.exe
PID 2204 wrote to memory of 2652, target C:\Windows\System\bJjPdUx.exe
PID 2204 wrote to memory of 2520, target C:\Windows\System\EkNabuZ.exe
PID 2204 wrote to memory of 2912, target C:\Windows\System\kAOdehF.exe
PID 2204 wrote to memory of 2656, target C:\Windows\System\MUVlURR.exe
PID 2204 wrote to memory of 2288, target C:\Windows\System\lXyTqhp.exe
PID 2204 wrote to memory of 2412, target C:\Windows\System\jVmvyeK.exe
PID 2204 wrote to memory of 2480, target C:\Windows\System\jFYCwhm.exe
PID 2204 wrote to memory of 1244, target C:\Windows\System\NaIuSAw.exe
PID 2204 wrote to memory of 1920, target C:\Windows\System\tXfPMfz.exe
PID 2204 wrote to memory of 1388, target C:\Windows\System\LjFcsII.exe
PID 2204 wrote to memory of 1260, target C:\Windows\System\OlfgOzD.exe
PID 2204 wrote to memory of 1240, target C:\Windows\System\eOFPJhy.exe
PID 2204 wrote to memory of 2172, target C:\Windows\System\THqgnOx.exe
PID 2204 wrote to memory of 2328, target C:\Windows\System\SGbxzEv.exe
PID 2204 wrote to memory of 1456, target C:\Windows\System\CrrygFG.exe
PID 2204 wrote to memory of 1556, target C:\Windows\System\cPwZqTz.exe
PID 2204 wrote to memory of 1512, target C:\Windows\System\XYAnkdc.exe
PID 2204 wrote to memory of 1480, target C:\Windows\System\rnTwbyT.exe
PID 2204 wrote to memory of 1756, target C:\Windows\System\jApptUw.exe

The targets are the same 21 dropped executables that appear as child processes in the Processes section, so these writes coincide with the sample launching each dropped file.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe"

Dropped executables launched from C:\Windows\System, each with its own path as the command line:

C:\Windows\System\ZhIPcfW.exe
C:\Windows\System\DMqONTm.exe
C:\Windows\System\bJjPdUx.exe
C:\Windows\System\EkNabuZ.exe
C:\Windows\System\kAOdehF.exe
C:\Windows\System\MUVlURR.exe
C:\Windows\System\lXyTqhp.exe
C:\Windows\System\jVmvyeK.exe
C:\Windows\System\jFYCwhm.exe
C:\Windows\System\NaIuSAw.exe
C:\Windows\System\tXfPMfz.exe
C:\Windows\System\LjFcsII.exe
C:\Windows\System\OlfgOzD.exe
C:\Windows\System\eOFPJhy.exe
C:\Windows\System\THqgnOx.exe
C:\Windows\System\SGbxzEv.exe
C:\Windows\System\CrrygFG.exe
C:\Windows\System\cPwZqTz.exe
C:\Windows\System\XYAnkdc.exe
C:\Windows\System\rnTwbyT.exe
C:\Windows\System\jApptUw.exe

Network

Country Destination Domain Proto Count
DE 3.120.209.58:8080 (none) tcp 6

Files


memory/1244-74-0x000000013FE30000-0x0000000140184000-memory.dmp

C:\Windows\system\tXfPMfz.exe

MD5 6590cf9a22e895f317992a11e6673733
SHA1 dabb0629eade282a86216956c93b81ff12ed079f
SHA256 74b7b03dacacedda881f7c189ce684981576529c8cbc55be5ff150930716f39d
SHA512 af01b6a743c85790b49c611bcc0fee6de6dbf145277acff81efcae41230036a2a20bd597e1334f29e81dee66b4ef08096a3f19bc8e3d6d0e52470019e6e1a1db

memory/2204-135-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2480-62-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2204-136-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2204-137-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/2204-138-0x000000013F420000-0x000000013F774000-memory.dmp

memory/3048-139-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/2652-141-0x000000013F630000-0x000000013F984000-memory.dmp

memory/2520-142-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2544-140-0x000000013F580000-0x000000013F8D4000-memory.dmp

memory/2656-144-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2288-145-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2912-143-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2412-146-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/2480-147-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/1244-148-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/1920-149-0x000000013F530000-0x000000013F884000-memory.dmp

memory/1388-150-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/1260-152-0x000000013FE40000-0x0000000140194000-memory.dmp

memory/1240-151-0x000000013FCD0000-0x0000000140024000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 21:01

Reported

2024-06-08 21:09

Platform

win10v2004-20240508-en

Max time kernel

138s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\TsFpKbu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IGAAavt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cJlDuGO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mrrlwWL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hBaLbEZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LJBLYjz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bdQBGnq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HUKtPMU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KfbeqVh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZLbZyrN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YvjOPCb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CtSumnA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OmAZqrd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QjLnzau.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VuvsiFx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IbLYzHI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JcXrDgf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lpQScHo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vAwDiPy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yXBaYuY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uuwMBfM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 220 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\cJlDuGO.exe
PID 220 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\cJlDuGO.exe
PID 220 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\YvjOPCb.exe
PID 220 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\YvjOPCb.exe
PID 220 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\CtSumnA.exe
PID 220 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\CtSumnA.exe
PID 220 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\mrrlwWL.exe
PID 220 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\mrrlwWL.exe
PID 220 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\IbLYzHI.exe
PID 220 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\IbLYzHI.exe
PID 220 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\OmAZqrd.exe
PID 220 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\OmAZqrd.exe
PID 220 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\vAwDiPy.exe
PID 220 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\vAwDiPy.exe
PID 220 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\JcXrDgf.exe
PID 220 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\JcXrDgf.exe
PID 220 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\lpQScHo.exe
PID 220 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\lpQScHo.exe
PID 220 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\hBaLbEZ.exe
PID 220 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\hBaLbEZ.exe
PID 220 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\QjLnzau.exe
PID 220 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\QjLnzau.exe
PID 220 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\LJBLYjz.exe
PID 220 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\LJBLYjz.exe
PID 220 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\VuvsiFx.exe
PID 220 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\VuvsiFx.exe
PID 220 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\HUKtPMU.exe
PID 220 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\HUKtPMU.exe
PID 220 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\KfbeqVh.exe
PID 220 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\KfbeqVh.exe
PID 220 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\bdQBGnq.exe
PID 220 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\bdQBGnq.exe
PID 220 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\TsFpKbu.exe
PID 220 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\TsFpKbu.exe
PID 220 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZLbZyrN.exe
PID 220 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZLbZyrN.exe
PID 220 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\IGAAavt.exe
PID 220 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\IGAAavt.exe
PID 220 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\yXBaYuY.exe
PID 220 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\yXBaYuY.exe
PID 220 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\uuwMBfM.exe
PID 220 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe C:\Windows\System\uuwMBfM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_7260cb45dc24fbb3af26990b7461c7fb_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\cJlDuGO.exe

C:\Windows\System\cJlDuGO.exe

C:\Windows\System\YvjOPCb.exe

C:\Windows\System\YvjOPCb.exe

C:\Windows\System\CtSumnA.exe

C:\Windows\System\CtSumnA.exe

C:\Windows\System\mrrlwWL.exe

C:\Windows\System\mrrlwWL.exe

C:\Windows\System\IbLYzHI.exe

C:\Windows\System\IbLYzHI.exe

C:\Windows\System\OmAZqrd.exe

C:\Windows\System\OmAZqrd.exe

C:\Windows\System\vAwDiPy.exe

C:\Windows\System\vAwDiPy.exe

C:\Windows\System\JcXrDgf.exe

C:\Windows\System\JcXrDgf.exe

C:\Windows\System\lpQScHo.exe

C:\Windows\System\lpQScHo.exe

C:\Windows\System\hBaLbEZ.exe

C:\Windows\System\hBaLbEZ.exe

C:\Windows\System\QjLnzau.exe

C:\Windows\System\QjLnzau.exe

C:\Windows\System\LJBLYjz.exe

C:\Windows\System\LJBLYjz.exe

C:\Windows\System\VuvsiFx.exe

C:\Windows\System\VuvsiFx.exe

C:\Windows\System\HUKtPMU.exe

C:\Windows\System\HUKtPMU.exe

C:\Windows\System\KfbeqVh.exe

C:\Windows\System\KfbeqVh.exe

C:\Windows\System\bdQBGnq.exe

C:\Windows\System\bdQBGnq.exe

C:\Windows\System\TsFpKbu.exe

C:\Windows\System\TsFpKbu.exe

C:\Windows\System\ZLbZyrN.exe

C:\Windows\System\ZLbZyrN.exe

C:\Windows\System\IGAAavt.exe

C:\Windows\System\IGAAavt.exe

C:\Windows\System\yXBaYuY.exe

C:\Windows\System\yXBaYuY.exe

C:\Windows\System\uuwMBfM.exe

C:\Windows\System\uuwMBfM.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/220-0-0x00007FF7BCF10000-0x00007FF7BD264000-memory.dmp

memory/220-1-0x00000223870D0000-0x00000223870E0000-memory.dmp

C:\Windows\System\cJlDuGO.exe

MD5 46f9be5751083496640663e25375cee4
SHA1 a806511c672fa067b067cce2c512fcd8f6f48aae
SHA256 d4bb48839bce4073f71168599d385a8f0359dca5b2e9d85bbeb4bd09239c1112
SHA512 22e7585cdee6bfafbd340aec95b7c827dfe324a263102e032db59d1f688ed88d29a5230577b787877035a3e5b5d2ef86255052bf56a39111a3936dbb4287b6b5

memory/4064-8-0x00007FF6EEBA0000-0x00007FF6EEEF4000-memory.dmp

C:\Windows\System\YvjOPCb.exe

MD5 a1df3420cf46306b933f609aa091bde6
SHA1 03ce76e9fe6f2cdeb3378102ed49d48485ec7843
SHA256 bcae40deb504422275dc41ae536981fa1c76529cec89792a5d25e945abde44e6
SHA512 3e324e98cff88b9150fadb48b306851323411ebcf6295fe7b9fbe18ab5bc686dfb423f26e2dbc80e5e8b763023d53f53f102d1a25698637c3423030b33d31eb2

C:\Windows\System\YvjOPCb.exe

MD5 9b6c0158e1dab20cf49ce1c4721c0652
SHA1 1c2bd4e55434ef33e9dc323e8803634fc6f79ef7
SHA256 b16ae604a55b306e0dea977ed68646e2464d0027173a9ac88c7477b29563f832
SHA512 3ab0895f0c80f02cb087e91e9aa305100a8d62cdada50faf789edf314182b5cb1b3ff1d05695b5c71add94e432ef212232a35b45cd22d7baba8b596eecd522a7

memory/2992-14-0x00007FF7C4E40000-0x00007FF7C5194000-memory.dmp

C:\Windows\System\CtSumnA.exe

MD5 8775beabce1671c71176a06f6cdbf36a
SHA1 4abe5fcbc43a28b5d63eaf9ff751b965dd173c19
SHA256 c63c8fa6672795a65265984c27592b6beba2f81b001f9a0d06229a21754ec619
SHA512 e07424d921526b086cb4f8b296472b6dff77c407d757b0d6f11a1a75989113faeec8930540006c788f038bbd602db0fe02cd260731ae93a06a18b18e031eb184

C:\Windows\System\CtSumnA.exe

MD5 32041569ce29a5ef50883ca4e87e40ae
SHA1 62752d482ea7fbac09b013a4fe013fc0d3df3abe
SHA256 2e3378fbc771dcf65b54c5f4fc3d8b2f4d91a4c0824d0dd8ab6cf9cad9802f08
SHA512 f73e85b6685b7d4ce370cfab3ac9dd8c2d17fe49cb93ecb85f5f1ba15be35390697e7a824474b95109c653c60fc79b37d0e3c8a6792ee455c62ff2a12d3837b4

C:\Windows\System\mrrlwWL.exe

MD5 63935253404add7154a6655ea9205705
SHA1 a9fce3e1465662e4d184e3e5d47d1f446df6e558
SHA256 5bffc53b06da462f255cf695a1a08147fdce101f7fc3dd5fea487929cb40eb06
SHA512 c4b5ada09b8d7339a435f4fa986570cc0863ae377c5ca6e491fa8477ea87fc5dbe3fc810f937289782292f44b3a168c07fcaf01566ac8077cd946c380a75e521

memory/2264-19-0x00007FF796860000-0x00007FF796BB4000-memory.dmp

memory/748-24-0x00007FF680080000-0x00007FF6803D4000-memory.dmp

C:\Windows\System\IbLYzHI.exe

MD5 484f9bd860840f7d2331986e4199e3d2
SHA1 eb5448cac8a274aecd2e2e996f7a8c535ce8dfe2
SHA256 d792f6a1d133eaf0c847fb75869638ea7611e35c703fc655348b58642f5eef41
SHA512 30de83fe0665fd35b3e5b2ef1bcd329c5b3c3cda1a0fab51d4301e97e4af95f143875fb670b8aa6d25ab7572333b6c08ac07f838a0611a2110ce3153537d12d2

memory/2660-30-0x00007FF7A62A0000-0x00007FF7A65F4000-memory.dmp

C:\Windows\System\OmAZqrd.exe

MD5 a4e06b7158dc29852442ec95f77ad463
SHA1 72dfe8c83f86359ee98b7ac87e7b81cc25873e5a
SHA256 808f056762ba5054633f674fe838aaf9257fc6ec996be3668c1c4ed992e62344
SHA512 6012d18e234b7761e7f0db838af471c05d4921e0229eecf07b25679ec202f736be3d727a6841e2ff9884618a1211fcf0a268e5cd29b9a0d91e6f5c9e22c6a6be

C:\Windows\System\IbLYzHI.exe

MD5 3dd3dcd306f0efc9bbfa800cbd31ae40
SHA1 d052cb1858658159c0105a89f05e8ea0bb515259
SHA256 7c369ff01d831de8701c05e89e10baafecae898266eb16442fd298ec3ac4b304
SHA512 59ad00f536a0bf367e7ffc9ae8487c3c876b694bdbdc9cbc067ae6fe30b5ea1fb628f6dff517baa30ac39f6a2825197d0473cb1892c86bc9e668a42a7b74d6a3

C:\Windows\System\QjLnzau.exe

MD5 b731781bf85531537282fd235875b3ac
SHA1 59206fda46b1e56bdb976d7da35012e4e6f8f1d4
SHA256 2657a1b1a648dd161d8d3ed50a75150d2dc010da365b30b7a3795fcb1daf19d8
SHA512 9c8f38979f392f1b992869e4ca74bbf964e203e775e31879ef15724590f704e0e57e3157344250ce39807469b2b0c7b88f0fe314e1bd06187f5de3c3f57f7a8f

memory/3460-70-0x00007FF75AD00000-0x00007FF75B054000-memory.dmp

C:\Windows\System\LJBLYjz.exe

MD5 fe57f8188564cd40e581d657eb39a51c
SHA1 a769db5a955895999e8cfad6f9c2156a7679ab61
SHA256 509f676438e0a62ce998520d6b512997df34dab53b716afecb70fde12451e067
SHA512 bedc7b8c666d75b4b2a51cdf1cbb44229891d399ac024af5950af15345f2453cff67fc09503257cefbe1a68d8da92c49e28e020e981fdb43101104e23819a72e

memory/1172-79-0x00007FF777DB0000-0x00007FF778104000-memory.dmp

memory/2676-89-0x00007FF783310000-0x00007FF783664000-memory.dmp

memory/2992-94-0x00007FF7C4E40000-0x00007FF7C5194000-memory.dmp

memory/4308-93-0x00007FF626C10000-0x00007FF626F64000-memory.dmp

memory/3692-91-0x00007FF7B8EA0000-0x00007FF7B91F4000-memory.dmp

C:\Windows\System\KfbeqVh.exe

MD5 cc7a67ee7158f6c826584bb99e5602a0
SHA1 cfd34094e131b689afe9792f5a13c99c0995bc50
SHA256 52581cd24b7d6cfb26442d107588d95a37eaa682211dc9ca833b95b8c22824fd
SHA512 d9c0299d2939dabd7405e29b2b26ea3890b828ef1843b85f6c134d4bb03dc7b881c979f169c68c6c769b1f504fb7cb54a32e20cacd40eab9c00956c4834316a6

memory/2552-108-0x00007FF652EA0000-0x00007FF6531F4000-memory.dmp

memory/748-109-0x00007FF680080000-0x00007FF6803D4000-memory.dmp

C:\Windows\System\yXBaYuY.exe

MD5 18efd8c69c7a14d378b8475ff681f6c4
SHA1 2b1da0506beaecb78e94aad76f14aebfb86a9678
SHA256 4278c75a637d678dfa4ac6463d90c2d6e77ae9f9cb3ad2dff76bbdba355ca4d3
SHA512 04c788d5c6912701ce96ced72692ab689759b453228b07881060ae26b58129eed0be110e75ca2aeb8de823205c66a043a92d6184c1d83f72a7a44b67b5c42597

C:\Windows\System\IGAAavt.exe

MD5 77935f7fa515e2498097f96e331d34aa
SHA1 485d7f26bd5cb37bc584d5c8f968f5e9fef298cb
SHA256 a24111205f2806993b03daa9bab173a6d11a16cb18878caa1071fd928980464c
SHA512 36ce0bab4a0434c7a28f678c10a9627666b81884015f70cf5a1069ddfbb17d42082499c523fc5e2c32acfa6cdf63a0b247d285dc0850603412d2d0c0692584cf

memory/1984-122-0x00007FF662330000-0x00007FF662684000-memory.dmp

memory/2308-121-0x00007FF7552B0000-0x00007FF755604000-memory.dmp

memory/2660-120-0x00007FF7A62A0000-0x00007FF7A65F4000-memory.dmp

memory/1640-116-0x00007FF681680000-0x00007FF6819D4000-memory.dmp

C:\Windows\System\bdQBGnq.exe

MD5 2b9b2bef54472989cbeda5ceb4bcfc61
SHA1 f42c406c54d876b0104dd76a4bb7bd110ce3f1a8
SHA256 3ce4061e372c35951e9e9715456a04701ca4649466006232b89c40b65a5677cf
SHA512 7e58e106ba007d63bcc9701f264c627e9c99994f16aa069598abaaf9e29af537d63a6c6991f5682135a651e8ebfdca5bf2d6fea7ba695c60cc36a15d44340337

memory/4824-107-0x00007FF7257B0000-0x00007FF725B04000-memory.dmp

C:\Windows\System\ZLbZyrN.exe

MD5 807465f58d57bef07c98598a9a990800
SHA1 7b19e5316a3dd8012918b2b5c0804f75c53e589c
SHA256 8858cf337a9d8e987248e003d6cab981f3fd838f4a29ebd2de88e04332b1588c
SHA512 012966b330020d7dfb161cd340159edfc4a22ce66cdd1794805ef4b2588cf1e637df480af8369917513992383de33cf1658b196a5a62b9d19b23e79e921f104c

C:\Windows\System\bdQBGnq.exe

MD5 bbf23c91072b235dccbb03719d0f1c51
SHA1 cc1894496de64a877d577c6d924f720bc062b1c4
SHA256 f2b14f12a3322e4999332550f1eeb7bf5516e56163046f53ef3f2aeaf0704a68
SHA512 2d4c36aa5b1abb32c021916d658051e6c37b0399e5b756d786d221806a8e81a3fc61b8802989413cc0d9cd8af4a3f29fd73f375ace04515a21c8f6e3dfd0473f

memory/2264-102-0x00007FF796860000-0x00007FF796BB4000-memory.dmp

C:\Windows\System\VuvsiFx.exe

MD5 70ff90aa4744113bd0310fc0d9642696
SHA1 4f02a897376e5e156044a81d440bc1b6f5e73eda
SHA256 850f0bbecc3dc6f48578257267b2dfc4dd032dd358202c0f6ec3920e2118bcf5
SHA512 bdc7f055358d137daf4d2e1f7011457331106547b4eec4e5f4ff35dd9f5890da8611a6c345a9ae884d95e4260252b884173921b0ceaa07cb5d1698fa0594012f

memory/928-82-0x00007FF74F4F0000-0x00007FF74F844000-memory.dmp

C:\Windows\System\HUKtPMU.exe

MD5 6e43ed95cc20d2ddcab2cd2f4ba27ce3
SHA1 ecfefb0ab2676c2c3b87cc0607c20135ccbbfb8d
SHA256 abeab4c7d15c7e6b5b6307621e131f5923c08c9602baec23757555414a26f396
SHA512 8c97da48938db0cf64785262c719fcc498f5129075e51feb2af44bae18db924e8a15bd8b5325e27b27d230e40c730008ca277d0a7c66733c0770c059ca356580

C:\Windows\System\QjLnzau.exe

MD5 e0f258099dcc71eb5136723dc36b2abf
SHA1 06369204a4e29aa090f08d64ed6c999554293c3f
SHA256 fc3ecae0284f85748e4163e8d74dc23b78b006a385dbce7949b1a3162c04a129
SHA512 e5e771b58d729c6c2e5be391c3472852275f9809b6a59989d03020b02587a111724b07f4267210e0379988c9bdeb785b25dc195f7e8ce97d17a6e677d81ad615

memory/220-63-0x00007FF7BCF10000-0x00007FF7BD264000-memory.dmp

C:\Windows\System\hBaLbEZ.exe

MD5 6590cf9a22e895f317992a11e6673733
SHA1 dabb0629eade282a86216956c93b81ff12ed079f
SHA256 74b7b03dacacedda881f7c189ce684981576529c8cbc55be5ff150930716f39d
SHA512 af01b6a743c85790b49c611bcc0fee6de6dbf145277acff81efcae41230036a2a20bd597e1334f29e81dee66b4ef08096a3f19bc8e3d6d0e52470019e6e1a1db

memory/2464-53-0x00007FF688E00000-0x00007FF689154000-memory.dmp

memory/2600-52-0x00007FF7CBF60000-0x00007FF7CC2B4000-memory.dmp

C:\Windows\System\lpQScHo.exe

MD5 ca782e6e0a0804d229da2735af31fd06
SHA1 9723e9bc96c63cc03e30f15e6ef819269f1f2475
SHA256 ba3854cd0a9db88bfaa116cc87b39cc88eaa2db5fbe983ee4a1f94a5d0218c4b
SHA512 07b94d5d1ef974a4090999815983f7e5b36c85a3213799cf6c31b77a54aef66b9a42096f58731ef03d6bd59ef24aeee37023f9ce335eac6f247402ef24d3b6bf

memory/1960-44-0x00007FF72CE70000-0x00007FF72D1C4000-memory.dmp

C:\Windows\System\vAwDiPy.exe

MD5 b12f50740eef66714200750b921dca91
SHA1 8373966e5ed792f21420a1f96bf3bbb6923ce01a
SHA256 719552d5e050d5b6103aeabc2599e37e66f0dc2dc083f0cf409b7b43085c6d59
SHA512 7a4e91a3c8d86a2c7d2864f022b2bc699138cd2829346c866cd8c934865e794d9cf66725904fe7973648c3a72b48057f93b8dc315697f02e4e9bbb78689e94d8

C:\Windows\System\OmAZqrd.exe

MD5 f4664f4e39afd7529c368aa915ce122b
SHA1 6964bc8fe00d4d0dbca01701bfaf7a54c0a78999
SHA256 c7a001af1b70a23d00ffb6474810bcd2092759e47110e2052d917cd92d8a7bb5
SHA512 1e6fedcb2989ba40d6730d07f897ff73d90ec7a536d1cb90aaad6a72d9dab0a9b74f266f7d4b3aad29d01ddc59a9fb65047e424c6139f046ad7f1276b03f2dd5

memory/3160-36-0x00007FF71A320000-0x00007FF71A674000-memory.dmp

memory/3160-132-0x00007FF71A320000-0x00007FF71A674000-memory.dmp

memory/1292-133-0x00007FF669480000-0x00007FF6697D4000-memory.dmp

memory/2600-135-0x00007FF7CBF60000-0x00007FF7CC2B4000-memory.dmp

memory/1960-134-0x00007FF72CE70000-0x00007FF72D1C4000-memory.dmp

memory/2464-136-0x00007FF688E00000-0x00007FF689154000-memory.dmp

memory/1172-137-0x00007FF777DB0000-0x00007FF778104000-memory.dmp

memory/928-138-0x00007FF74F4F0000-0x00007FF74F844000-memory.dmp

memory/4308-139-0x00007FF626C10000-0x00007FF626F64000-memory.dmp

memory/4824-140-0x00007FF7257B0000-0x00007FF725B04000-memory.dmp

memory/2552-141-0x00007FF652EA0000-0x00007FF6531F4000-memory.dmp

memory/1640-142-0x00007FF681680000-0x00007FF6819D4000-memory.dmp

memory/1984-144-0x00007FF662330000-0x00007FF662684000-memory.dmp

memory/2308-143-0x00007FF7552B0000-0x00007FF755604000-memory.dmp

memory/4064-145-0x00007FF6EEBA0000-0x00007FF6EEEF4000-memory.dmp

memory/2992-146-0x00007FF7C4E40000-0x00007FF7C5194000-memory.dmp

memory/2264-147-0x00007FF796860000-0x00007FF796BB4000-memory.dmp

memory/748-148-0x00007FF680080000-0x00007FF6803D4000-memory.dmp

memory/2660-149-0x00007FF7A62A0000-0x00007FF7A65F4000-memory.dmp

memory/3160-150-0x00007FF71A320000-0x00007FF71A674000-memory.dmp

memory/2600-151-0x00007FF7CBF60000-0x00007FF7CC2B4000-memory.dmp

memory/1960-153-0x00007FF72CE70000-0x00007FF72D1C4000-memory.dmp

memory/2464-152-0x00007FF688E00000-0x00007FF689154000-memory.dmp

memory/2676-155-0x00007FF783310000-0x00007FF783664000-memory.dmp

memory/1172-156-0x00007FF777DB0000-0x00007FF778104000-memory.dmp

memory/3460-154-0x00007FF75AD00000-0x00007FF75B054000-memory.dmp

memory/3692-158-0x00007FF7B8EA0000-0x00007FF7B91F4000-memory.dmp

memory/4308-159-0x00007FF626C10000-0x00007FF626F64000-memory.dmp

memory/928-157-0x00007FF74F4F0000-0x00007FF74F844000-memory.dmp

memory/4824-160-0x00007FF7257B0000-0x00007FF725B04000-memory.dmp

memory/2552-162-0x00007FF652EA0000-0x00007FF6531F4000-memory.dmp

memory/1640-161-0x00007FF681680000-0x00007FF6819D4000-memory.dmp

memory/1292-165-0x00007FF669480000-0x00007FF6697D4000-memory.dmp

memory/1984-164-0x00007FF662330000-0x00007FF662684000-memory.dmp

memory/2308-163-0x00007FF7552B0000-0x00007FF755604000-memory.dmp