Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-a5xztsab99
Target 2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike
SHA256 942bf36f1fc406ca964d9ac4a4c6fe8b49eec8e43bf9ad80a98de32b28cdd8f2
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

942bf36f1fc406ca964d9ac4a4c6fe8b49eec8e43bf9ad80a98de32b28cdd8f2

Threat Level: Known bad

The file 2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

xmrig

Detects Reflective DLL injection artifacts

Cobaltstrike

UPX dump on OEP (original entry point)

Xmrig family

Cobaltstrike family

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 00:48

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 00:48

Reported

2024-06-10 00:54

Platform

win7-20231129-en

Max time kernel

135s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 hits, no indicator details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 hits, no indicator details recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (56 hits, no indicator details recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (58 hits, no indicator details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A (21 hits, no indicator details recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (56 hits, no indicator details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\AsJmpyP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SWpdKIu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sezrjfT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mCREGnj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YVhsGaW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\APYlEso.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MfwHadr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YLnsKZA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\REEmgRW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hVVfVgN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rEQQcMX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\buCiXxL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PXVxHyX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZpatCZO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CwUINnv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hFsQOmO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tacmDdG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WZsgImR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pzlCMQU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aBkOZPQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BzyimRJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1404 wrote to memory of 2216 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\AsJmpyP.exe
PID 1404 wrote to memory of 2384 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\hFsQOmO.exe
PID 1404 wrote to memory of 3064 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\SWpdKIu.exe
PID 1404 wrote to memory of 2164 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\APYlEso.exe
PID 1404 wrote to memory of 3028 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\rEQQcMX.exe
PID 1404 wrote to memory of 2748 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\tacmDdG.exe
PID 1404 wrote to memory of 2868 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\MfwHadr.exe
PID 1404 wrote to memory of 2464 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\buCiXxL.exe
PID 1404 wrote to memory of 2628 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\WZsgImR.exe
PID 1404 wrote to memory of 2460 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\PXVxHyX.exe
PID 1404 wrote to memory of 2532 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\sezrjfT.exe
PID 1404 wrote to memory of 2000 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZpatCZO.exe
PID 1404 wrote to memory of 2396 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\YLnsKZA.exe
PID 1404 wrote to memory of 3000 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\pzlCMQU.exe
PID 1404 wrote to memory of 2188 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\mCREGnj.exe
PID 1404 wrote to memory of 1928 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\REEmgRW.exe
PID 1404 wrote to memory of 1144 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\hVVfVgN.exe
PID 1404 wrote to memory of 1640 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\YVhsGaW.exe
PID 1404 wrote to memory of 2788 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\aBkOZPQ.exe
PID 1404 wrote to memory of 1656 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\BzyimRJ.exe
PID 1404 wrote to memory of 1668 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\CwUINnv.exe
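The three signature tables above describe one behaviour: PID 1404 creates 21 executables with seven-letter random names under C:\Windows\System, starts each of them, and enables SeLockMemoryPrivilege, the privilege XMRig needs to back its scratchpad with large pages on Windows. Three WriteProcessMemory entries per child immediately after creation is the pattern ordinary process start-up produces and is not, on its own, evidence of injection; what distinguishes this sample is the fan-out. The following Python is an added detection example, not part of the sandbox output: it replays a constructed event stream modelled on these tables (eight of the 21 children, plus one benign installer as noise) and flags parents that drop-and-execute under C:\Windows\System, use only random alphabetic file names, or enable SeLockMemoryPrivilege. DROP_THRESHOLD and the event tuple layout are assumptions of this example.

```python
"""Heuristic detection over process/file/token events, modelled on the
behavioral1 tables of this report (constructed events, not a sandbox export).

Flags a parent process that (1) creates several executables under
C:\\Windows\\System and then launches them, (2) gives them short random
alphabetic names, and (3) enables SeLockMemoryPrivilege, which XMRig needs
to back its scratchpad with large pages on Windows."""
import re
from collections import defaultdict

SYSTEM_DIR = "c:\\windows\\system\\"          # trailing separator keeps System32 out
RANDOM_NAME = re.compile(r"^[a-z]{7}\.exe$", re.IGNORECASE)
DROP_THRESHOLD = 5                             # assumed tuning value, not from the report

PARENT = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe")
# (child PID, dropped name) pairs taken from the WriteProcessMemory table; 8 of the 21 suffice.
CHILDREN = [(2216, "AsJmpyP"), (2384, "hFsQOmO"), (3064, "SWpdKIu"), (2164, "APYlEso"),
            (3028, "rEQQcMX"), (2748, "tacmDdG"), (2868, "MfwHadr"), (2464, "buCiXxL")]


def sample_events():
    """Constructed event stream: (kind, pid, ...) tuples in arrival order."""
    ev = [("privilege", 1404, PARENT, "SeLockMemoryPrivilege")]
    for pid, name in CHILDREN:
        path = f"C:\\Windows\\System\\{name}.exe"
        ev.append(("file_create", 1404, PARENT, path))
        ev.append(("process_create", 1404, pid, path))
    # Benign noise: an installer that writes one helper and runs it.
    ev.append(("file_create", 900, "C:\\setup.exe", "C:\\Program Files\\App\\helper.exe"))
    ev.append(("process_create", 900, 901, "C:\\Program Files\\App\\helper.exe"))
    return ev


def analyse(events):
    """Return {parent_pid: {"image", "executed", "reasons"}} for suspicious parents."""
    dropped = defaultdict(set)    # parent pid -> files it created under C:\Windows\System
    spawned = defaultdict(set)    # parent pid -> images it started as child processes
    privs = defaultdict(set)      # pid -> privileges it enabled
    image = {}
    for e in events:
        if e[0] == "file_create":
            _, pid, img, path = e
            image[pid] = img
            if path.lower().startswith(SYSTEM_DIR):
                dropped[pid].add(path.lower())
        elif e[0] == "process_create":
            _, ppid, _child, path = e
            spawned[ppid].add(path.lower())
        elif e[0] == "privilege":
            _, pid, img, name = e
            image[pid] = img
            privs[pid].add(name)

    findings = {}
    for pid in set(dropped) | set(privs):
        executed = dropped[pid] & spawned[pid]   # dropped AND later launched
        reasons = []
        if len(executed) >= DROP_THRESHOLD:
            reasons.append(f"dropped and executed {len(executed)} files under C:\\Windows\\System")
        if len(executed) >= 2 and all(RANDOM_NAME.match(p.rsplit("\\", 1)[-1]) for p in executed):
            reasons.append("every dropped file has a 7-letter random alphabetic name")
        if "SeLockMemoryPrivilege" in privs[pid]:
            reasons.append("enabled SeLockMemoryPrivilege (large pages; used by XMRig)")
        if reasons:
            findings[pid] = {"image": image.get(pid), "executed": sorted(executed), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pid, f in analyse(sample_events()).items():
        print(pid, f["image"], *f["reasons"], sep="\n  ")
```

Run as-is it reports PID 1404 with all three reasons and stays silent on the installer; to use it on real telemetry, map your EDR or Sysmon events (file create, process create with parent PID, token privilege adjust) onto the same tuples.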

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe (PID 1404)
  "C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe"

  Children, each launched with its bare path as command line (PIDs from the WriteProcessMemory entries above):

    C:\Windows\System\AsJmpyP.exe (PID 2216)
    C:\Windows\System\hFsQOmO.exe (PID 2384)
    C:\Windows\System\SWpdKIu.exe (PID 3064)
    C:\Windows\System\APYlEso.exe (PID 2164)
    C:\Windows\System\rEQQcMX.exe (PID 3028)
    C:\Windows\System\tacmDdG.exe (PID 2748)
    C:\Windows\System\MfwHadr.exe (PID 2868)
    C:\Windows\System\buCiXxL.exe (PID 2464)
    C:\Windows\System\WZsgImR.exe (PID 2628)
    C:\Windows\System\PXVxHyX.exe (PID 2460)
    C:\Windows\System\sezrjfT.exe (PID 2532)
    C:\Windows\System\ZpatCZO.exe (PID 2000)
    C:\Windows\System\YLnsKZA.exe (PID 2396)
    C:\Windows\System\pzlCMQU.exe (PID 3000)
    C:\Windows\System\mCREGnj.exe (PID 2188)
    C:\Windows\System\REEmgRW.exe (PID 1928)
    C:\Windows\System\hVVfVgN.exe (PID 1144)
    C:\Windows\System\YVhsGaW.exe (PID 1640)
    C:\Windows\System\aBkOZPQ.exe (PID 2788)
    C:\Windows\System\BzyimRJ.exe (PID 1656)
    C:\Windows\System\CwUINnv.exe (PID 1668)

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain) tcp (6 connections)

Files

memory/1404-0-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/1404-1-0x00000000000F0000-0x0000000000100000-memory.dmp

memory/1404-7-0x000000013FC50000-0x000000013FFA4000-memory.dmp

C:\Windows\system\tacmDdG.exe

MD5 3e9ae2924c3c104a7c90b08e3e7acd45
SHA1 5ab39c27dfabf5fb9dbd2a44310816a56018d20c
SHA256 706cc4318f6f5062a2369f314f0df2e3f273d110dbd899cd95870c60ee38023c
SHA512 5879c7f873c8ceeb28e1f7811d1e7713cbd3021e525f26eb0f0be541ba4feec739955ad0e27111dd45018917651665cc6149704aed5a699266a9ca169a8e1b8c

\Windows\system\rEQQcMX.exe

MD5 727e777d96ed5568549d778633225cee
SHA1 f05edfd04082e6bc6a3bdd598f40f206e733a0ce
SHA256 4ff725d155ceadab4a6e67a21228a63a469d5bd118d8cca6f679be9c6a2c5c59
SHA512 e4fa9d8cf53108ab7571d9eae564748c1e39a93ab1801331899bfce9f5540ed753d24db4888834f92426b321fb76ab2d63f6483c0bb1f9514b27af59430d5281

C:\Windows\system\APYlEso.exe

MD5 ae5a606d6eeb1a38a20dde2c1d858cd2
SHA1 65617100db6552cdf2b09f261c5afddd36c175d5
SHA256 e2dcd3c156d5c15e9fb18e732702bfbebd2ae784362c3cc6d1d9cc005e52ba11
SHA512 1a8262228dc66a1adcc26a12151000d47f08c15c504e27a007323c2e37b3d05968f048237e5806c5fcf58d5c8566bf685172a01b3040011cac72892e852163f8

memory/3028-40-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2748-38-0x000000013F640000-0x000000013F994000-memory.dmp

C:\Windows\system\MfwHadr.exe

MD5 b947826bbd9784436ea143eeb72cb7e6
SHA1 8ece86382634c8376de37b0f8e502dead522987f
SHA256 7cb8ce52a418a2848860c63f94f0647433e907d027a2566b0b4e5eb5499aabe7
SHA512 c4916083b03b6515fae041056f27f5d45676932d88b883747ff92e58abd54af07d43d2e991124733880630ec73d5091989c4916ed745b8303f45ee2dacb5e20f

memory/2868-48-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/1404-45-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2164-36-0x000000013F440000-0x000000013F794000-memory.dmp

memory/2384-34-0x000000013FAC0000-0x000000013FE14000-memory.dmp

C:\Windows\system\hFsQOmO.exe

MD5 052d3e58516c3738da70b2f0dd291705
SHA1 c09b813fc271b3e44b0d900648a98d2443ac5eb6
SHA256 e5b38c0caaf0afa67e34967906854432ae259e71d3e960ac226f8b211ec6829b
SHA512 e253db481ed1e10bec8221c4cefef41b36d63f28cf5e702c8e4cb151a1afb98a99bb9d4e90318036514002d98c0908b384062ca235145047e7e8189002061d78

memory/1404-29-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/3064-28-0x000000013FA40000-0x000000013FD94000-memory.dmp

C:\Windows\system\buCiXxL.exe

MD5 2e958e280a6a3cd2981c5fb74f0a3b40
SHA1 69f72d0838628b4842c0d672b4c4372ec763c9d0
SHA256 d44a5d0e6e7dbe6e6fb16a1c927645c3982fbee0461733f8bfea9f369a7dbe7c
SHA512 ff85ce78617421ed3a08a320d1346aa55566dea0c376df537e98925fbe24c1d34647f83cfd0ad6c6cde70e60dbf6ad29b85f6c646675bb18444902e77c92b3bd

memory/1404-53-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/2464-55-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/2216-61-0x000000013FC50000-0x000000013FFA4000-memory.dmp

C:\Windows\system\WZsgImR.exe

MD5 a3d7b65906dde928b445879709896f31
SHA1 4676414489764667b18a6b9c1f91e17c73290c58
SHA256 fe4d8e740ae7df98b6e93e4fc54937a240d4703d97b48bf965312dcaf0022bb1
SHA512 814559d737bfbe0d38d708a74bb0ec8518cc8ff7d59331be0562cbbed17880e91418f04c5fefb10a46b8868d95755e7331c5d5e879741db45799201b7bfc93ee

C:\Windows\system\PXVxHyX.exe

MD5 f63dbc8995dc3bf2879b3a54a52c4226
SHA1 419b93c5de716e8b7d5765a02572cb47ee188ec7
SHA256 cfec0be2a21e3e9fda22578a92f8228803ed89500bf777885a98d3dd1383623b
SHA512 02c64c2bca372b612dc5c569ec3df57bc6c40abe56ee0b5b2852965db6c90b47d1533783ab10f5af9ac70bb5cb820972233ef5edb72b264075da0fdc2673c886

memory/2460-69-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/1404-67-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/2628-62-0x000000013FA80000-0x000000013FDD4000-memory.dmp

C:\Windows\system\SWpdKIu.exe

MD5 70dfd2be147a3fa4cc92c4df44a24e18
SHA1 4a4c9d75ea5553ecc79a0f995b4fe03728607577
SHA256 2d071272fee87b5a796334bf96715d4abf9f755605cda1b2329e4f934a1539c0
SHA512 007aecd7b6c4f865c917757146c85dfc4077a0981c67cc4cb7d44412df917b57a154ffc63ce2ef27cac575c2e3ce17698b2a663a1a83a5a44de61f892ad1ada5

memory/1404-18-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2216-11-0x000000013FC50000-0x000000013FFA4000-memory.dmp

C:\Windows\system\AsJmpyP.exe

MD5 81c2406e4b4016a9b7ef55bad5435474
SHA1 157f1ce9165f767df4e38d40b70104a67a919da8
SHA256 59097513dd65a94cca9d4ccac3004cc2854072a4fd74417245e80ececcec50dc
SHA512 05adb956e0dc9f46c6384ee7338ac75989863ff41ac93b716c2f37b363ba2dcbdd43f610bb601c5ea00f331c282e893fb9e776eacb832e6ea2d9c1c4105f399d

C:\Windows\system\sezrjfT.exe

MD5 eeff70f3b9091c5d1e07310ab11b4b06
SHA1 4ca451e10230ff6f5a3db26f9d2236adba0e31f8
SHA256 1fe0485d61131cb5d3264116acd3ebd6e2c1d8a9f35322e1eaf8f5b30cc3db72
SHA512 cb0e42579f5564c8ff2a3582c3ee44afec5a506a8e7bbc0d93dd30f4057895b406fe45fb5ad2b5bfb9fe22143a40b8372ed0ff6d58990abedcb08e4ce1e21585

C:\Windows\system\ZpatCZO.exe

MD5 6a29b5f70bed0620a0fbddca1ecbb197
SHA1 9f942e588f9f6371faf63d0a97456000cd1826d7
SHA256 b1415bb87b499a14926d4079fda261456f07b20f224c5ae66d2a85b0304a6829
SHA512 23b9e655068d12e7de30733ee931174c3bdc53e697096714db749d4ea483a73ae86b4a9afd88938b40f6602414594b8154c2675e94b7e762e85e6cabd49fdd86

\Windows\system\mCREGnj.exe

MD5 8d14462d7f0362a0821b23436951a10f
SHA1 03f88b9f125172988751bf58840ebc42b8e81dbd
SHA256 7a3f9e453ab7c8773d869579926854000105ab1b895f26fbea6aab4933ef536f
SHA512 1c15f5554f8fb9c8663a540f77fa1a400900ca042e6f7343a2f9293a250ba7a99c57acebb6fd25a59107f3f413f1192a8e8ab13aedda5ebd7ac50571155b4da4

memory/2188-114-0x000000013FBC0000-0x000000013FF14000-memory.dmp

C:\Windows\system\CwUINnv.exe

MD5 e592fedbeaddb1863dc54547015d669a
SHA1 1c07ea51def64fee66d2758e80c6d5dcc5f89842
SHA256 5c5cd6634c60942a55bd606834360389db5e06bd5fc18cd04048279714e6626a
SHA512 7ef2cbd307c149b1864f93cca709cfce1bfb41ca08d3c2d2175a50cc45d0a317d11e298a217d31638a5837a3d665c4f1a49ee2733c432b3f8dd4844d690009a2

memory/1404-130-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2396-129-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/1404-128-0x0000000002440000-0x0000000002794000-memory.dmp

memory/2532-125-0x000000013FF90000-0x00000001402E4000-memory.dmp

C:\Windows\system\aBkOZPQ.exe

MD5 bdd259efbff527b54eb29cd81e3214f1
SHA1 d5d85d8362d2928aa9e9252fe9f76fab3bd02e63
SHA256 177ef8daee1be5a60f041d4e97e54b238f4ce871beaf06c221886417c4d1b985
SHA512 02590594f60865e27f5d48b010f2687fd3fa35fb0d9fab5b7998236631ff257fd5a2f5b94efc4e0e12a13b4b4e7018f03c62c1774827cb555a26ca0a4044810c

C:\Windows\system\BzyimRJ.exe

MD5 b96bcfe818ee9f624631ecf5d64302cf
SHA1 d2a2feef269d707d7921298358d48f92099969fc
SHA256 59cc44ac2a08a69e34f70d13c1e21b1b3ad48e27fbc9c91c2d97234e716f6220
SHA512 7cf71c18ab75fbd4b14f7bda5bf76d110cfae3bc2b2150e6a4df4588663449d92b16a48bb8567be6fbbec9edab7a0fc4c0f10f1a900adabec08280ba783a49b7

C:\Windows\system\hVVfVgN.exe

MD5 3987c2fa71f02a8ad1edca608f3b60a7
SHA1 bca59479246ff30e24ffb64d69c90797484c8880
SHA256 0770e8f88bc9e4759b26713e62dcd5ca839f84f770f738bf5828fdf9d5cca8b2
SHA512 e337f2bbbf400f012f823a434d812c50f4b17ca6d4a513573146057e6e1b15f7c3034b1cdabe309b1d9c29336a1aef5fe337be57f1d41d2c8f3627834fdd1191

C:\Windows\system\YVhsGaW.exe

MD5 03ffeef72b5be2e2f6f88516c85e02fe
SHA1 3c5dbfd8a475dce3921a688c9269210b2f0cde63
SHA256 6415a6ea8be0ebde4e034c96f66ee6db51ca37f6f02688df37e38dba5ed37e8a
SHA512 d08326391e17000a415ce991c8db9ebc2772f7efa0cefbd130c5a89786ac04afba4630e961195d8d1b5044939f57549577099271173b4bc7d404ad6d02c9fca0

C:\Windows\system\REEmgRW.exe

MD5 c830eba0e0e18f51b987dd4c7f8c05d0
SHA1 e1aa8b5911b1448e8a64a38fb3c0279490a9b290
SHA256 50dc71da99867e907361fb626665a821f69a165142613fcea8f76357d8082c6f
SHA512 c037d8ebfe857a09c9afcd7df523498c3053e5fab657a306ea54945ac4ecddb76209c1ed40c3c03bdae82e0ff61dd936f9d3d2f7b8c0e784f5a2c2a900a1c249

memory/1404-99-0x000000013F8D0000-0x000000013FC24000-memory.dmp

\Windows\system\pzlCMQU.exe

MD5 a14d9fea3563c88e84a8f04d5f5f274c
SHA1 0e5b5f7002c2dfb736c7be7013c85a844dc754dd
SHA256 604976b3cc4e4359b796155c3b61d2306279ab326c14cc09c5c23bbe4dec6d2a
SHA512 acfa9115132c43d895c75474766226f90077ea846ac0be82198a7f76cb8d0df3bee061265220742a2b79f27b148a64c76f6b8474d805c6c8e3bac11fe573b7da

memory/2000-95-0x000000013F800000-0x000000013FB54000-memory.dmp

C:\Windows\system\YLnsKZA.exe

MD5 d7f5ced23b8bca9763eae1c4a390931d
SHA1 a0cf9bd5cc5adc6802e52d5a21d3ec957e8628fb
SHA256 4ff9f9f664532b5696527ad1efaa7dfcf790bd6e00b777d1b6578dfd959c2b55
SHA512 e30a5254ed5f2f0fe0ed6f8882ed63da103dbe75367a303d3591ea719a8fe365c025c7f4d948cf45f001c392572d8f4dca01f5ad3a2b5ee900826402f64a435a

memory/2164-131-0x000000013F440000-0x000000013F794000-memory.dmp

memory/2748-132-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2868-133-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2460-134-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/2216-135-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/3064-136-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2384-137-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/3028-138-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2748-139-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2164-140-0x000000013F440000-0x000000013F794000-memory.dmp

memory/2868-141-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2464-142-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/2628-143-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2460-144-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/2532-145-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/2000-146-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2396-147-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/2188-148-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 00:48

Reported

2024-06-10 00:54

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\YOKyLTV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xBlOnsf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ftiUKAC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZiJaWhn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OeoFVeY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XcNqfKT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HFGFSzA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UQhaZJC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kbcPGkY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kGezFIu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jIhvDkb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aOrsWXi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZjkuUJk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WXfYTEs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BXgOuEL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SmkKVeN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vgvOZGd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cyznkdJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tRELYaE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EIknOAy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tCLhRNB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3200 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\HFGFSzA.exe
PID 3200 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\HFGFSzA.exe
PID 3200 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\WXfYTEs.exe
PID 3200 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\WXfYTEs.exe
PID 3200 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\cyznkdJ.exe
PID 3200 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\cyznkdJ.exe
PID 3200 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\BXgOuEL.exe
PID 3200 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\BXgOuEL.exe
PID 3200 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\YOKyLTV.exe
PID 3200 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\YOKyLTV.exe
PID 3200 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\xBlOnsf.exe
PID 3200 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\xBlOnsf.exe
PID 3200 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ftiUKAC.exe
PID 3200 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ftiUKAC.exe
PID 3200 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\UQhaZJC.exe
PID 3200 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\UQhaZJC.exe
PID 3200 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\SmkKVeN.exe
PID 3200 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\SmkKVeN.exe
PID 3200 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\vgvOZGd.exe
PID 3200 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\vgvOZGd.exe
PID 3200 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\tCLhRNB.exe
PID 3200 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\tCLhRNB.exe
PID 3200 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZiJaWhn.exe
PID 3200 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZiJaWhn.exe
PID 3200 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\kbcPGkY.exe
PID 3200 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\kbcPGkY.exe
PID 3200 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\tRELYaE.exe
PID 3200 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\tRELYaE.exe
PID 3200 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\kGezFIu.exe
PID 3200 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\kGezFIu.exe
PID 3200 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\jIhvDkb.exe
PID 3200 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\jIhvDkb.exe
PID 3200 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\OeoFVeY.exe
PID 3200 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\OeoFVeY.exe
PID 3200 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\aOrsWXi.exe
PID 3200 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\aOrsWXi.exe
PID 3200 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\EIknOAy.exe
PID 3200 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\EIknOAy.exe
PID 3200 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\XcNqfKT.exe
PID 3200 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\XcNqfKT.exe
PID 3200 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZjkuUJk.exe
PID 3200 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZjkuUJk.exe
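The three tables above only tell a story once they are joined on process and path: the dropper creates 7-letter executables in C:\Windows\System, enables SeLockMemoryPrivilege (the privilege XMRig requests so that its RandomX dataset can be backed by large pages, which is why a miner detonation shows it), and then appears as the writer into the memory of a new process for each dropped file. The Python below is an added example, not part of the sandbox report; it parses rows pasted from those tables and joins them so the analyst can see which dropped file was subsequently a live target of the dropper and which privilege the dropper enabled. The row formats and sample rows are copied from this page, with the dropper path abbreviated to `<DROPPER>` in the sample; the rows for ZjkuUJk.exe are deliberately left out to show how a drop without write evidence is reported. Rows are assumed to contain no spaces inside paths, which holds for this report.

```python
"""Join the behavioral2 signature rows of this report into a drop-and-execute chain."""
import re
from collections import defaultdict

# The dropper's path exactly as it appears in the Process column of the report.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5"
           r"_cobalt-strike_cobaltstrike.exe")

# Constructed sample: rows copied from the "Drops file in Windows directory",
# "Suspicious use of AdjustPrivilegeToken" and "Suspicious use of
# WriteProcessMemory" tables above. ZjkuUJk.exe's write rows are omitted on
# purpose so one entry ends up as "dropped only".
SIGNATURE_ROWS = r"""
File created C:\Windows\System\HFGFSzA.exe <DROPPER> N/A
File created C:\Windows\System\WXfYTEs.exe <DROPPER> N/A
File created C:\Windows\System\cyznkdJ.exe <DROPPER> N/A
File created C:\Windows\System\ZjkuUJk.exe <DROPPER> N/A
Token: SeLockMemoryPrivilege N/A <DROPPER> N/A
Token: SeLockMemoryPrivilege N/A <DROPPER> N/A
PID 3200 wrote to memory of 2932 N/A <DROPPER> C:\Windows\System\HFGFSzA.exe
PID 3200 wrote to memory of 2932 N/A <DROPPER> C:\Windows\System\HFGFSzA.exe
PID 3200 wrote to memory of 3592 N/A <DROPPER> C:\Windows\System\WXfYTEs.exe
PID 3200 wrote to memory of 3592 N/A <DROPPER> C:\Windows\System\WXfYTEs.exe
PID 3200 wrote to memory of 2400 N/A <DROPPER> C:\Windows\System\cyznkdJ.exe
PID 3200 wrote to memory of 2400 N/A <DROPPER> C:\Windows\System\cyznkdJ.exe
""".replace("<DROPPER>", DROPPER)

# Row shapes as printed in the report (paths here contain no spaces).
FILE_RE = re.compile(r"^File created (\S+) (\S+) \S+$")
TOKEN_RE = re.compile(r"^Token: (\S+) \S+ (\S+) \S+$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
# Every dropped file on this page: seven mixed-case letters directly under
# C:\Windows\System, a directory that legitimate installers rarely write to.
ODD_DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def correlate(rows: str) -> dict:
    """Build {dropped path -> who dropped it, which child PIDs it ran as, how many
    writes} plus {process -> privileges it enabled}."""
    dropped = {}
    privileges = defaultdict(set)
    for line in rows.strip().splitlines():
        if m := FILE_RE.match(line):
            path, proc = m.groups()
            dropped[path] = {"dropped_by": proc, "odd_location_and_name": bool(ODD_DROP_RE.match(path)),
                             "child_pids": set(), "writes": 0}
        elif m := TOKEN_RE.match(line):
            priv, proc = m.groups()
            privileges[proc].add(priv)
        elif m := WRITE_RE.match(line):
            _src_pid, dst_pid, src, dst = m.groups()
            info = dropped.get(dst)
            # Only count writes where the writer is the process that dropped the file.
            if info and info["dropped_by"] == src:
                info["child_pids"].add(int(dst_pid))
                info["writes"] += 1
    return {"dropped": dropped, "privileges": {k: sorted(v) for k, v in privileges.items()}}


def executed_drops(result: dict) -> list:
    """Paths the dropper both created and later wrote into as a running process."""
    return sorted(p for p, i in result["dropped"].items() if i["child_pids"])


def findings(result: dict) -> list:
    """Human-readable lines for a triage note."""
    out = []
    for path, info in sorted(result["dropped"].items()):
        state = f"executed as PID(s) {sorted(info['child_pids'])}" if info["child_pids"] else "dropped only (no write rows)"
        flag = " [7-letter name under C:\\Windows\\System]" if info["odd_location_and_name"] else ""
        out.append(f"{path}: {state}{flag}")
    for proc, privs in result["privileges"].items():
        if "SeLockMemoryPrivilege" in privs:
            out.append(f"{proc} enabled SeLockMemoryPrivilege (large pages; the privilege XMRig asks for)")
    return out


if __name__ == "__main__":
    for line in findings(correlate(SIGNATURE_ROWS)):
        print(line)
```

Each child shows up twice in the WriteProcessMemory table, so the `writes` counter reads 2 for every executed drop; the count is kept rather than de-duplicated because a higher number for one child would be the thing worth a second look.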

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_1b1345a2506f7b7145e6248a98c92fb5_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\HFGFSzA.exe

C:\Windows\System\HFGFSzA.exe

C:\Windows\System\WXfYTEs.exe

C:\Windows\System\WXfYTEs.exe

C:\Windows\System\cyznkdJ.exe

C:\Windows\System\cyznkdJ.exe

C:\Windows\System\BXgOuEL.exe

C:\Windows\System\BXgOuEL.exe

C:\Windows\System\YOKyLTV.exe

C:\Windows\System\YOKyLTV.exe

C:\Windows\System\xBlOnsf.exe

C:\Windows\System\xBlOnsf.exe

C:\Windows\System\ftiUKAC.exe

C:\Windows\System\ftiUKAC.exe

C:\Windows\System\UQhaZJC.exe

C:\Windows\System\UQhaZJC.exe

C:\Windows\System\SmkKVeN.exe

C:\Windows\System\SmkKVeN.exe

C:\Windows\System\vgvOZGd.exe

C:\Windows\System\vgvOZGd.exe

C:\Windows\System\tCLhRNB.exe

C:\Windows\System\tCLhRNB.exe

C:\Windows\System\ZiJaWhn.exe

C:\Windows\System\ZiJaWhn.exe

C:\Windows\System\kbcPGkY.exe

C:\Windows\System\kbcPGkY.exe

C:\Windows\System\tRELYaE.exe

C:\Windows\System\tRELYaE.exe

C:\Windows\System\kGezFIu.exe

C:\Windows\System\kGezFIu.exe

C:\Windows\System\jIhvDkb.exe

C:\Windows\System\jIhvDkb.exe

C:\Windows\System\OeoFVeY.exe

C:\Windows\System\OeoFVeY.exe

C:\Windows\System\aOrsWXi.exe

C:\Windows\System\aOrsWXi.exe

C:\Windows\System\EIknOAy.exe

C:\Windows\System\EIknOAy.exe

C:\Windows\System\XcNqfKT.exe

C:\Windows\System\XcNqfKT.exe

C:\Windows\System\ZjkuUJk.exe

C:\Windows\System\ZjkuUJk.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3200-0-0x00007FF7E7470000-0x00007FF7E77C4000-memory.dmp

memory/3200-1-0x0000021DF0E60000-0x0000021DF0E70000-memory.dmp

C:\Windows\System\cyznkdJ.exe

MD5 a8f7f644546e253aabdb5b3efecb37ca
SHA1 2c655b8b892e05ae46befae95b123d04dc8c6347
SHA256 305627b2b8c4c0432058e3c378b59c00084422ef0f74db798d47d14024d2d1a7
SHA512 295fef48f2a21cc2eaae577383d9898a368c1cded8b149fc4da21c5605c697c68294be329d79d1594553899326b04bd58b3d36a18d84a3dd00e2de0010a08207

memory/3592-13-0x00007FF6A6330000-0x00007FF6A6684000-memory.dmp

memory/2400-20-0x00007FF73BA80000-0x00007FF73BDD4000-memory.dmp

C:\Windows\System\BXgOuEL.exe

MD5 6983bc19e65f8ef7ffb04ea889f43ecb
SHA1 17bc108c85f9ed46185a54efbcba6f4a525aaad3
SHA256 585e72280fb7a37eb1789d6663a9ca74f43901ca2f506ad7ee3b68d5f8041c51
SHA512 6f5b0695633783ad17bcf8afabbe9eb2201eed24825af38c29d2cde3f1fccaee8cee9f7efb6104e94ba0018a120d21757906358cd8b292de5cc03744d2e136aa

C:\Windows\System\YOKyLTV.exe

MD5 41ad33e9900a5142e4ef2b3f7efed00e
SHA1 e99b98d85324f252075d3889e09e1ec4e712cd7d
SHA256 37abccc41cde65d907c0b3c1fcb0816a2b595fca259b2bdea9da02c54f8fb79a
SHA512 56050f3fa9e621f64a47188aeabd7baf828623c644f95bfbd2a06990fba0c764ed993da22e387b5d896ff4eae23f551b5aa790def31a56c6b452b11bba314632

C:\Windows\System\xBlOnsf.exe

MD5 1dc64ec77f5f57f434a9b2e77dd14027
SHA1 4ab3e46a491189eaa9f020335405f0b6826730e3
SHA256 4345688e2c2058bf0c7aa64c97ac29dc44ecd60569fa6556385f1d8406f0e9f2
SHA512 4e8efc5e5cb56220891cd303ff0d1ecbe6028ef8a63dc701b763e6f92b4d6c335860d728606ca56f7324f89677b32f1defddb27bb3ec473b9ed2645a7897dee6

C:\Windows\System\ftiUKAC.exe

MD5 65b7bbac9d56542ee157a2c35862c1d3
SHA1 f74de6644a3adccb085da822482a1398172470ae
SHA256 f4d7a1ede690a757a6460563e385fb2e618ee6bdd4094009a8293124bdbafffc
SHA512 ddcaf4098ab3ab33032f3440201962032ebfdc6c972f753c20b64d0de7b02865743ca529b8b9554cc61d56242d65c8bd5be1e5611b6914a8fb3da5657f19516e

C:\Windows\System\UQhaZJC.exe

MD5 b9a88964daebc7be5cc5c5c16faccb8d
SHA1 6a50f09a88652fdadc9fcb9c9c267404aa576126
SHA256 21a18336474020511c721fa86439cf5bb5e0171a39c7bba8875331257eb72846
SHA512 57bb8066ead2c57e4abf99ca8b4499a4b5bf4f213e89b31729e34e2f19ff0b2225c17e77be35e94dd6058f1b1ea8a608e3c0a44f79ccb644d532b9f5edae3d28

C:\Windows\System\SmkKVeN.exe

MD5 644228c2fe59155b6fe9b1c9d0ab2a5b
SHA1 f2d86f320647a66d7cc5c7aabfb09964fbd22b20
SHA256 96d0cd35e7da155f803826dbebfc5a2090b0eb3f42037d9aba11a4c962d3566a
SHA512 95b0ce0f94f0794c8bbed8c4f6defc914623d44bc0380c1f446d6ab3897107584f4ca934c03aeea031f9638832609a802a2a07b0dcbfa057cc6dfa501616ed19

C:\Windows\System\vgvOZGd.exe

MD5 c4db6800d1ea3d2cefacbbe712768d79
SHA1 ae2d8509c3cb04878ea953989ee31e14bc40b4cc
SHA256 80eee4b6b51c97380ffa4e20c71f18b6743239f5c4524b2408dbf29230277e29
SHA512 58b72eb1588523ffd1d80cc9e3af77bee64c3bbc32102b9bf13c6e45e5a70e403c6d12bdea54dcd2d78a3efe46a94df97e55cb40f47ef98abf3bd9c2412d42a1

C:\Windows\System\tCLhRNB.exe

MD5 79f2a0e63abbf0823606566bddc7b949
SHA1 9d64b45bfbd6924532c53182275aad04fd8cfcdc
SHA256 bde9baddee334771c21b8264b1cda58a1903475f86b34933dd966a9799b2cd71
SHA512 2930d11132c55e71f019d2731e3260dabf4b7b61296a0ceff65a4091b8ee26f000e4e1916a66152bd77578be068a878602ffe906c8640c18cf8243e7f8c2bdbb

memory/3108-63-0x00007FF6F1A60000-0x00007FF6F1DB4000-memory.dmp

memory/3200-62-0x00007FF7E7470000-0x00007FF7E77C4000-memory.dmp

memory/1476-58-0x00007FF76BD30000-0x00007FF76C084000-memory.dmp

memory/2080-52-0x00007FF779E40000-0x00007FF77A194000-memory.dmp

memory/3076-45-0x00007FF67E4D0000-0x00007FF67E824000-memory.dmp

memory/3592-73-0x00007FF6A6330000-0x00007FF6A6684000-memory.dmp

C:\Windows\System\ZiJaWhn.exe

MD5 effdd93eabf21916f8676efd5d26370f
SHA1 30d73328cb98dd5df5bc5a9632c989fc58d80872
SHA256 789f1be15a66a26caf62f38aad99e15d2206f54ea1383117a6ea8e6e578d5987
SHA512 a0545470d3a0fc681c5d29a9209864049dcca1afeb718c3f6de7887c2f4808497bd6acd8c7f018b792a36f8e92878282a189810f750eaf49fe7b59cbbf80e6bd

memory/3172-74-0x00007FF6F5850000-0x00007FF6F5BA4000-memory.dmp

C:\Windows\System\kbcPGkY.exe

MD5 d7cb07e4e0b293127c0d37b769b7d076
SHA1 bea5a5740ec3bfd3338e87f4b164e0a0c1ba6ec3
SHA256 e46ef55818d4195872da43111207cacb3feef833c67895e1566e157552e3f40f
SHA512 b42dfd911ffa9b9d6d006415e9733dfec8c8c1417560115acd6333540067f09234d0429bc866c6e62f6e143fcb945c690995bd206accbab6e373a3d04b8c2232

C:\Windows\System\tRELYaE.exe

MD5 0c86c72ad6b214a03c279adb0807be82
SHA1 d795d52755c9599fcd66dc8466aa511ffbb417dc
SHA256 973fa6c54a549940fd0c9d00c53e17fbb0cba9ad55f7ec1cfa1fe267ccbe411a
SHA512 1522d88a1b4432fe2c9806774f7d331a6b54fd4979532bd62d4f7bdb61f86137053368493ba4167a30fb86522b60b75fa6bd0cd3d2b934b2f6ffa8dcfb6b1c85

C:\Windows\System\kGezFIu.exe

MD5 b833d2cfd2925abebea21db84ce5a117
SHA1 8c7f61240af8719d0b74a2c89e4cbba51e60ee6d
SHA256 342ba317b755bef9f6d4b99a60d5a2acfabad6298fcc55ffdf55e75c92350813
SHA512 dde1f127c04bc7f9c99e984f355f8a89c504fa5ea46b955e6057679013382e33f96ddc3061a73bd783560cba9459775ec2bc7c0681c212de905dfc1a3530c601

memory/376-90-0x00007FF657D60000-0x00007FF6580B4000-memory.dmp

memory/392-96-0x00007FF7490B0000-0x00007FF749404000-memory.dmp

memory/3672-97-0x00007FF675990000-0x00007FF675CE4000-memory.dmp

memory/2916-89-0x00007FF674810000-0x00007FF674B64000-memory.dmp

C:\Windows\System\jIhvDkb.exe

MD5 cf223ce4776c5648f980fa22b44d2fcc
SHA1 2bb444728b3796af1bca90076afbf88c541a7cf7
SHA256 c5ad644700d6083959df4f168c95d96d7d20b3ca8dd5951fb13b5d0d8201a663
SHA512 4cf909ad0773a802283a95deaabf82c1a234b5aa584e790677829052fd20c527334251f6f3a971d73dea7de6c828a5aebf3438fb4f0b63e9da3e250e02405d2b

memory/3076-109-0x00007FF67E4D0000-0x00007FF67E824000-memory.dmp

C:\Windows\System\EIknOAy.exe

MD5 0072ab2140362b064f1e718809f531f1
SHA1 01f897d03238c6aa05150b3c33e4a370c09b3642
SHA256 f9ad9dc49af81f5d2607363c1375e362dc0c859870f3caaaeb3c1f413c750309
SHA512 e9b55e2499d9353991f3dd7d900e4f834b41c465bee70adac85bc8722390ad69f5c7e029ae07b0584f1e329047dc4a6c62f6ab7062467c9400fe92816914cf04

C:\Windows\System\aOrsWXi.exe

MD5 4bd96f314d25c6a69144a065a890bc76
SHA1 b63befbdb4b8699a32ab4f14984dd24e501fd181
SHA256 c12702295ded6b2b901282025459f170710628e56aeb171c7c70311a8e671114
SHA512 83b8c0d92648d37ee7efcf52e8c2f2f15bdf881b132ba501a4e17082d257c4a836988089edcd8b9318c81a84326e7973be02936ac39d74e71ae4b5bb81bb67cc

memory/3948-116-0x00007FF6FBDB0000-0x00007FF6FC104000-memory.dmp

memory/2080-114-0x00007FF779E40000-0x00007FF77A194000-memory.dmp

memory/1144-113-0x00007FF7D4510000-0x00007FF7D4864000-memory.dmp

C:\Windows\System\OeoFVeY.exe

MD5 982a8cb9d5c6a2751a6ae0895e2fe0a9
SHA1 ea14f70a28e31c293720ddc30e7121650548934b
SHA256 c4fe21295b9fb9b70731a0f072448cb59632ef1e8d16e82e97b8a0008554bfa9
SHA512 6519fdcfd400cac25cb3a094930265e549ebbf61bbd8e31557ca7169308f05c60801dcf526e49994ca50309f523f2c8e63727a831f2c8461c543811ea2095e7b

memory/4932-103-0x00007FF687140000-0x00007FF687494000-memory.dmp

memory/3644-83-0x00007FF63FA20000-0x00007FF63FD74000-memory.dmp

memory/2400-81-0x00007FF73BA80000-0x00007FF73BDD4000-memory.dmp

C:\Windows\System\ZjkuUJk.exe

MD5 eaf546b028ce3052f67f0d802d74ace9
SHA1 d87d39a5dabf68f9f4c6b96ddf66271a6d6597ae
SHA256 112fb47ed7f63a10506a455f585f0527d1cbd383c71fc25dcd79d659636552c1
SHA512 ca667baaf01efe12a099f9dc8e320859d55ff3d6a7cc66f56c35901aeefbbf80c09643bd17d13ee7e2d1a00fa94867bfe97c4440761a7894421154fd743e77f4

memory/3108-132-0x00007FF6F1A60000-0x00007FF6F1DB4000-memory.dmp

memory/1312-135-0x00007FF600880000-0x00007FF600BD4000-memory.dmp

memory/1384-134-0x00007FF79FD60000-0x00007FF7A00B4000-memory.dmp

C:\Windows\System\XcNqfKT.exe

MD5 69af52f0b691edc4b31b477aef0f02e9
SHA1 0fdad5822ac11c378f16ab7a6b4627b8416ce63e
SHA256 4bd17f65c9929607027e71ffef98383e15ebd3c1c8100eab0288058e1073aca3
SHA512 f940bf296a4ace330272d91395c3536799710d104c19a9bb0cbf9d99d1dc289107076ad4bc40c79d9fafcc332d199df49ebaeaa6849fd7b955614a0a78ebec61

memory/4880-123-0x00007FF622390000-0x00007FF6226E4000-memory.dmp

memory/2772-72-0x00007FF6D1BA0000-0x00007FF6D1EF4000-memory.dmp

memory/1212-38-0x00007FF661F20000-0x00007FF662274000-memory.dmp

memory/392-32-0x00007FF7490B0000-0x00007FF749404000-memory.dmp

memory/2916-26-0x00007FF674810000-0x00007FF674B64000-memory.dmp

C:\Windows\System\WXfYTEs.exe

MD5 75e690d009d830364944978f245c2c52
SHA1 0664a2ea6add0c030aaf8ad7c9bfbc2e676ed359
SHA256 0b9ec064973da55cb7e598324f2467502e030c4ce3de53e7903fc66cadfbe8b7
SHA512 f0a3694fd4efc0e7cee10c430479a1e30e397e84c237861b5ec383c2bf89aa459609007abae42c8b6a642f574861755bfa2e6ddb3e0b95f10d2d60cc960d55f3

C:\Windows\System\WXfYTEs.exe

MD5 711965c0ed770375b388ea9b5ea57c70
SHA1 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2
SHA256 c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666
SHA512 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428

memory/2932-8-0x00007FF644060000-0x00007FF6443B4000-memory.dmp

C:\Windows\System\HFGFSzA.exe

MD5 ba6393375a710d32fc0db99a153a873d
SHA1 0fadd7a63307cd70e80c66ba9349daa6bbb2491a
SHA256 9ee39e87c011ea5196eceba878c211492d64a3e05bfbe8ae77fb8a78bb285f0e
SHA512 4188e7981001a1bdd0f12e40e8821bddaf23474ffe1e21986314b28db730e2dbf60b83ca5f20c92c0cf47caa60d4934253775a99e81897bd54e6436c80832ce1

memory/3172-136-0x00007FF6F5850000-0x00007FF6F5BA4000-memory.dmp

memory/3644-137-0x00007FF63FA20000-0x00007FF63FD74000-memory.dmp

memory/1144-139-0x00007FF7D4510000-0x00007FF7D4864000-memory.dmp

memory/4932-138-0x00007FF687140000-0x00007FF687494000-memory.dmp

memory/3948-140-0x00007FF6FBDB0000-0x00007FF6FC104000-memory.dmp

memory/2932-141-0x00007FF644060000-0x00007FF6443B4000-memory.dmp

memory/3592-142-0x00007FF6A6330000-0x00007FF6A6684000-memory.dmp

memory/2400-143-0x00007FF73BA80000-0x00007FF73BDD4000-memory.dmp

memory/392-145-0x00007FF7490B0000-0x00007FF749404000-memory.dmp

memory/1212-144-0x00007FF661F20000-0x00007FF662274000-memory.dmp

memory/2916-146-0x00007FF674810000-0x00007FF674B64000-memory.dmp

memory/3076-147-0x00007FF67E4D0000-0x00007FF67E824000-memory.dmp

memory/2080-148-0x00007FF779E40000-0x00007FF77A194000-memory.dmp

memory/1476-149-0x00007FF76BD30000-0x00007FF76C084000-memory.dmp

memory/3108-150-0x00007FF6F1A60000-0x00007FF6F1DB4000-memory.dmp

memory/2772-151-0x00007FF6D1BA0000-0x00007FF6D1EF4000-memory.dmp

memory/3172-152-0x00007FF6F5850000-0x00007FF6F5BA4000-memory.dmp

memory/3644-153-0x00007FF63FA20000-0x00007FF63FD74000-memory.dmp

memory/376-154-0x00007FF657D60000-0x00007FF6580B4000-memory.dmp

memory/3672-155-0x00007FF675990000-0x00007FF675CE4000-memory.dmp

memory/4932-156-0x00007FF687140000-0x00007FF687494000-memory.dmp

memory/1144-157-0x00007FF7D4510000-0x00007FF7D4864000-memory.dmp

memory/4880-159-0x00007FF622390000-0x00007FF6226E4000-memory.dmp

memory/3948-158-0x00007FF6FBDB0000-0x00007FF6FC104000-memory.dmp

memory/1384-160-0x00007FF79FD60000-0x00007FF7A00B4000-memory.dmp

memory/1312-161-0x00007FF600880000-0x00007FF600BD4000-memory.dmp
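The Network table and the Files listing above hold the indicators a responder actually reuses, but in a shape that has to be hand-copied: the `in-addr.arpa` rows are reverse (PTR) lookups sent to 8.8.8.8, so the address that was looked up is the queried name with its octets reversed, while the rows with no Domain column are direct connections, here six TCP connections to 3.120.209.58:8080, the one endpoint this report supports as a candidate C2 or pool address (the report itself does not classify that traffic). The Files listing lists the same path twice with different hashes (WXfYTEs.exe), so an extractor must key on the digest, not the path. The Python below is an added example, not part of the sandbox report; it parses rows copied from both sections (a subset, embedded as constructed sample input) into a flat indicator list. The `(type, value)` tuple convention of the output is this example's own choice, not a format the report defines.

```python
"""Turn the Network table and the Files listing of this report into a flat IOC list."""
import re
from collections import Counter

# Constructed sample: rows copied from the behavioral2 Network table above.
NETWORK_ROWS = """
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

# Constructed sample: three records from the behavioral2 Files listing above,
# including the two WXfYTEs.exe entries that share a path but not a hash.
FILES_SECTION = r"""
memory/3200-0-0x00007FF7E7470000-0x00007FF7E77C4000-memory.dmp

C:\Windows\System\cyznkdJ.exe

MD5 a8f7f644546e253aabdb5b3efecb37ca
SHA1 2c655b8b892e05ae46befae95b123d04dc8c6347
SHA256 305627b2b8c4c0432058e3c378b59c00084422ef0f74db798d47d14024d2d1a7
SHA512 295fef48f2a21cc2eaae577383d9898a368c1cded8b149fc4da21c5605c697c68294be329d79d1594553899326b04bd58b3d36a18d84a3dd00e2de0010a08207

C:\Windows\System\WXfYTEs.exe

MD5 75e690d009d830364944978f245c2c52
SHA1 0664a2ea6add0c030aaf8ad7c9bfbc2e676ed359
SHA256 0b9ec064973da55cb7e598324f2467502e030c4ce3de53e7903fc66cadfbe8b7
SHA512 f0a3694fd4efc0e7cee10c430479a1e30e397e84c237861b5ec383c2bf89aa459609007abae42c8b6a642f574861755bfa2e6ddb3e0b95f10d2d60cc960d55f3

C:\Windows\System\WXfYTEs.exe

MD5 711965c0ed770375b388ea9b5ea57c70
SHA1 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2
SHA256 c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666
SHA512 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428
"""

NET_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")   # Domain column is optional
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\.+\.exe$")                         # dropped PE, not a memory dump
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}          # hex digits per algorithm


def ptr_to_ip(name: str):
    """Reverse a PTR query name back to the address that was looked up."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def extract_network(rows: str) -> dict:
    """Separate PTR lookups (addresses the host asked the resolver about) from
    direct connections (where traffic was actually sent), counting the latter."""
    lookups, direct = [], Counter()
    for line in rows.strip().splitlines():
        m = NET_RE.match(line)
        if not m:
            continue
        _country, ip, port, domain, proto = m.groups()
        looked_up = ptr_to_ip(domain) if domain else None
        if looked_up:
            lookups.append(looked_up)
        else:
            direct[f"{ip}:{port}/{proto}"] += 1
    return {"ptr_lookups": lookups, "direct": direct}


def extract_files(section: str) -> list:
    """One record per hash block. The path is kept but is not the key, because
    the same path can be written twice with different content."""
    records, current = [], None
    for line in section.strip().splitlines():
        if PATH_RE.match(line):
            current = {"path": line}
            records.append(current)
        elif (m := HASH_RE.match(line)) and current is not None:
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length: {line}")
            current[algo.lower()] = digest.lower()
    return [r for r in records if "sha256" in r]


def iocs(network: dict, files: list) -> list:
    """Flat, de-duplicated (type, value) pairs ready for a blocklist or a
    threat-intel import step (the tuple convention is this example's own)."""
    out = set()
    out.update(("endpoint", e) for e in network["direct"])
    out.update(("ptr-looked-up-ip", ip) for ip in network["ptr_lookups"])
    for r in files:
        out.update({("sha256", r["sha256"]), ("path", r["path"])})
    return sorted(out)
```

The PTR targets are reported separately from the direct endpoints on purpose: a reverse lookup proves only that the sandbox host asked about an address, not that the sample connected to it, so they belong in a watchlist rather than a blocklist.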