Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-k2lshafe83
Target 2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike
SHA256 773c34cc7ad11814dee4ff2e4155ad3f08918b408bc2333ae68863a1394e4f2f
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

773c34cc7ad11814dee4ff2e4155ad3f08918b408bc2333ae68863a1394e4f2f

Threat Level: Known bad

The file 2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

Cobaltstrike family: cobaltstrike

Xmrig family: xmrig

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 09:05

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 09:05

Reported

2024-06-10 09:08

Platform

win7-20231129-en

Max time kernel

136s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\MYrapkQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EFrfOFj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZcfjcvU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DswgjXQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QuODLzJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sXsoteO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nGsGpsR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qXBGnSv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BqnzgQx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wNozmvD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ifhbkRZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jbHGITa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tFbSYBW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fQBxSZe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kbPadkh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yZRPOhC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wAOUoCf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IYwoZvi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YSaiCOP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LoEPehK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YSPITfZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tFbSYBW.exe
PID 1848 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\QuODLzJ.exe
PID 1848 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\sXsoteO.exe
PID 1848 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\nGsGpsR.exe
PID 1848 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\yZRPOhC.exe
PID 1848 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\fQBxSZe.exe
PID 1848 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\kbPadkh.exe
PID 1848 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\qXBGnSv.exe
PID 1848 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\wAOUoCf.exe
PID 1848 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\BqnzgQx.exe
PID 1848 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\YSaiCOP.exe
PID 1848 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\wNozmvD.exe
PID 1848 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\LoEPehK.exe
PID 1848 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\MYrapkQ.exe
PID 1848 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ifhbkRZ.exe
PID 1848 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\YSPITfZ.exe
PID 1848 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\EFrfOFj.exe
PID 1848 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZcfjcvU.exe
PID 1848 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IYwoZvi.exe
PID 1848 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\jbHGITa.exe
PID 1848 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\DswgjXQ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\tFbSYBW.exe

C:\Windows\System\QuODLzJ.exe

C:\Windows\System\sXsoteO.exe

C:\Windows\System\nGsGpsR.exe

C:\Windows\System\yZRPOhC.exe

C:\Windows\System\fQBxSZe.exe

C:\Windows\System\kbPadkh.exe

C:\Windows\System\qXBGnSv.exe

C:\Windows\System\wAOUoCf.exe

C:\Windows\System\BqnzgQx.exe

C:\Windows\System\YSaiCOP.exe

C:\Windows\System\wNozmvD.exe

C:\Windows\System\LoEPehK.exe

C:\Windows\System\MYrapkQ.exe

C:\Windows\System\ifhbkRZ.exe

C:\Windows\System\YSPITfZ.exe

C:\Windows\System\EFrfOFj.exe

C:\Windows\System\ZcfjcvU.exe

C:\Windows\System\IYwoZvi.exe

C:\Windows\System\jbHGITa.exe

C:\Windows\System\DswgjXQ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/1848-0-0x000000013F020000-0x000000013F374000-memory.dmp

memory/1848-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\tFbSYBW.exe

MD5 a0a032b7de2efacc478206e6f2cc2659
SHA1 d54fdf3c58be2e67ebd1ac91caea8003ac639efa
SHA256 13147fdc22b8807aef1ac697ed90a8039be5df83b74541461c694e79a8ca429f
SHA512 bc231b33f528c65f17412955731d279a68e111a85f6e8254c7d84e45a69d1900679d6abf8be9a5190c84105f5ade16619261b0adad1e73f12229b906d32610fd

memory/1848-7-0x00000000022F0000-0x0000000002644000-memory.dmp

\Windows\system\QuODLzJ.exe

MD5 73ad9e2b727d078d306ee3070eb2fa7e
SHA1 a1cb2b02487e53ee9c04975de8f7b16748c64f33
SHA256 47865061cc9641e4ffe334a1129de9c30686a1f6b56269a3c0f159f878cabbc8
SHA512 6cf7cd82c709f17b1056006b25abda28b2b302329a1eb9bec8857bfe26a42f8cbfc722b6b9962ba87923fe772255b3cded288220f9e496b1be5252adfe7668ec

memory/2288-13-0x000000013F1E0000-0x000000013F534000-memory.dmp

C:\Windows\system\nGsGpsR.exe

MD5 cf563126ac9919e4171cefe69de27ec8
SHA1 7825d3ec0007074aa96a4b02ab314a55b71e9c50
SHA256 5d2ab58207d1f3b216ed0d1bcaec76069f72da01c2418a425106a4a50234f1dc
SHA512 36e71ff994406818736fd5d5ed3ae107687b68fa42a7ac7f070fb64cdbed992945ffcb4a3252622785db99c81edd1c5f63cc356198726ad2fd7c4a86622d50e1

memory/1848-23-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2552-21-0x000000013F6F0000-0x000000013FA44000-memory.dmp

memory/2844-27-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2576-28-0x000000013FC80000-0x000000013FFD4000-memory.dmp

C:\Windows\system\sXsoteO.exe

MD5 f62ea7ed3cefebbdbf7198487651d0a0
SHA1 c5e1abaf60bf2fd3a5e96f7833635d08ebc35f58
SHA256 c63b84194b827cd412eabaa7373c49e68c8ccafa60d212e87b17c67030e30d59
SHA512 5e85813e9ae7bd09b5cb53a2ab0952fc233644f6ef5d87dbfcc809f2e84d07df4c4d5da495d5e45505f6360cbf84f6abaec4e36d6de17421b6c097805c1149de

\Windows\system\yZRPOhC.exe

MD5 7d742915d0b44d85b949d95d7827b0d0
SHA1 e61835c258a1e69f3286a0ab523f092df09b1dc2
SHA256 b209d3cf41c9d61911b9df4e2fd02e74f5972408fdcba4b46d29c58d514d4882
SHA512 47f80e0a7b8f9f246732a46dd86c77135fc7e70c12df3d7705c0cc5d7b5484ad331fca465e4a1fdcc5cab434eb955b1544e4ca875a9edd682b43fa185cd8a7f3

memory/1848-33-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/2752-35-0x000000013F830000-0x000000013FB84000-memory.dmp

C:\Windows\system\fQBxSZe.exe

MD5 d8ec7bb41ed0919e6ed30a65e51141e7
SHA1 407611d086d8b61644ef0641672df175b86b560d
SHA256 8a44d0a03cb7879774986a8de7bd1b269905096e31a0fc0409da1193e5f5fdc4
SHA512 b9b287a86a412e348474973e9d792a00c97379a2035912c5526efb2a0a86d72a385ebfade94b50be19d5a4210256d7113cc80b9e514722aae9af71545b6d67cb

memory/2824-49-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/2160-52-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2504-56-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/1848-55-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/1848-54-0x000000013FF40000-0x0000000140294000-memory.dmp

C:\Windows\system\qXBGnSv.exe

MD5 dfe527d0c980072fc58b447c0e7a470c
SHA1 000350f416f6b44fe7313014d639dd68b506e9db
SHA256 d04b772df3cb8ea8673aa15c44b6dcea3892ea478427544d0ce680f6cac26177
SHA512 f2b4e5e65e23ae88accc38ed33ac43b36bc5e93dd136a9fd11137b17f0bdbf094b06d4968a9b017768e6ee3dc93af2b67aab324109450630e787687c4119907c

C:\Windows\system\kbPadkh.exe

MD5 1e1df53037fa2cc99fa51e671427c5b8
SHA1 43ed4c24275111523984bce13cca1bc38831a11f
SHA256 0c4292fe6a9a86cac406740846fe2f7b31d669b3a3e36ad657775f1d1fbd6235
SHA512 1db61197359481263ca3ccdfbbd39b71acf95b7d5ac809ed8880e5b32d841de09beebf534b616c905e11b00bd1eb24e365f0f9eb19dbc5b90d726ea662487b64

memory/1848-43-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/1832-62-0x000000013FC70000-0x000000013FFC4000-memory.dmp

C:\Windows\system\wAOUoCf.exe

MD5 72496f2bf18ffcd4b79df5ad6e36dbeb
SHA1 4244ca669ecd978cf146667eeafc2fc31fffe4f7
SHA256 71a01dbd4c2df2d04d79f63c7018a7251dd4a7251790479c39b70544261cbd9d
SHA512 cd34e5d182e4bfdc56b9090d861aaf4880eabc9fde6f2fcd82eea6081ad9368abb4430fd47176dd5ee61c06aa4967c47cb454fd64d9d6b4ee6fdc95643a30ccd

memory/1848-58-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/1848-70-0x00000000022F0000-0x0000000002644000-memory.dmp

memory/2172-71-0x000000013F0F0000-0x000000013F444000-memory.dmp

memory/2552-68-0x000000013F6F0000-0x000000013FA44000-memory.dmp

memory/2288-78-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/1848-77-0x000000013F020000-0x000000013F374000-memory.dmp

memory/1660-79-0x000000013FC90000-0x000000013FFE4000-memory.dmp

C:\Windows\system\YSaiCOP.exe

MD5 8213cedfe1387a703114012f82b10000
SHA1 0572f0d19176c0759cb3de9e627125af81330165
SHA256 221ea3dc207f3629ea3c414657c296ed0cde983ffda007bcb2566292c209cbbe
SHA512 55f81c30f34a2333079166320fa851b8b0205b03a8bf36c4f70ee4562d96f256fddd0f3675d5275e9efbfbbc4d6a87ea127325290182914eea603b5d199dde09

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 09:05

Reported

2024-06-10 09:08

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\tFbSYBW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nGsGpsR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fQBxSZe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qXBGnSv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QuODLzJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kbPadkh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ifhbkRZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EFrfOFj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZcfjcvU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jbHGITa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DswgjXQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MYrapkQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IYwoZvi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sXsoteO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yZRPOhC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wAOUoCf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BqnzgQx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YSaiCOP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wNozmvD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LoEPehK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YSPITfZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4952 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tFbSYBW.exe
PID 4952 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\tFbSYBW.exe
PID 4952 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\QuODLzJ.exe
PID 4952 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\QuODLzJ.exe
PID 4952 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\sXsoteO.exe
PID 4952 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\sXsoteO.exe
PID 4952 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\nGsGpsR.exe
PID 4952 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\nGsGpsR.exe
PID 4952 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\yZRPOhC.exe
PID 4952 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\yZRPOhC.exe
PID 4952 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\fQBxSZe.exe
PID 4952 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\fQBxSZe.exe
PID 4952 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\kbPadkh.exe
PID 4952 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\kbPadkh.exe
PID 4952 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\qXBGnSv.exe
PID 4952 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\qXBGnSv.exe
PID 4952 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\wAOUoCf.exe
PID 4952 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\wAOUoCf.exe
PID 4952 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\BqnzgQx.exe
PID 4952 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\BqnzgQx.exe
PID 4952 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\YSaiCOP.exe
PID 4952 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\YSaiCOP.exe
PID 4952 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\wNozmvD.exe
PID 4952 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\wNozmvD.exe
PID 4952 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\LoEPehK.exe
PID 4952 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\LoEPehK.exe
PID 4952 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\MYrapkQ.exe
PID 4952 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\MYrapkQ.exe
PID 4952 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ifhbkRZ.exe
PID 4952 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ifhbkRZ.exe
PID 4952 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\YSPITfZ.exe
PID 4952 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\YSPITfZ.exe
PID 4952 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\EFrfOFj.exe
PID 4952 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\EFrfOFj.exe
PID 4952 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZcfjcvU.exe
PID 4952 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZcfjcvU.exe
PID 4952 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IYwoZvi.exe
PID 4952 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IYwoZvi.exe
PID 4952 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\jbHGITa.exe
PID 4952 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\jbHGITa.exe
PID 4952 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\DswgjXQ.exe
PID 4952 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe C:\Windows\System\DswgjXQ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\tFbSYBW.exe

C:\Windows\System\tFbSYBW.exe

C:\Windows\System\QuODLzJ.exe

C:\Windows\System\QuODLzJ.exe

C:\Windows\System\sXsoteO.exe

C:\Windows\System\sXsoteO.exe

C:\Windows\System\nGsGpsR.exe

C:\Windows\System\nGsGpsR.exe

C:\Windows\System\yZRPOhC.exe

C:\Windows\System\yZRPOhC.exe

C:\Windows\System\fQBxSZe.exe

C:\Windows\System\fQBxSZe.exe

C:\Windows\System\kbPadkh.exe

C:\Windows\System\kbPadkh.exe

C:\Windows\System\qXBGnSv.exe

C:\Windows\System\qXBGnSv.exe

C:\Windows\System\wAOUoCf.exe

C:\Windows\System\wAOUoCf.exe

C:\Windows\System\BqnzgQx.exe

C:\Windows\System\BqnzgQx.exe

C:\Windows\System\YSaiCOP.exe

C:\Windows\System\YSaiCOP.exe

C:\Windows\System\wNozmvD.exe

C:\Windows\System\wNozmvD.exe

C:\Windows\System\LoEPehK.exe

C:\Windows\System\LoEPehK.exe

C:\Windows\System\MYrapkQ.exe

C:\Windows\System\MYrapkQ.exe

C:\Windows\System\ifhbkRZ.exe

C:\Windows\System\ifhbkRZ.exe

C:\Windows\System\YSPITfZ.exe

C:\Windows\System\YSPITfZ.exe

C:\Windows\System\EFrfOFj.exe

C:\Windows\System\EFrfOFj.exe

C:\Windows\System\ZcfjcvU.exe

C:\Windows\System\ZcfjcvU.exe

C:\Windows\System\IYwoZvi.exe

C:\Windows\System\IYwoZvi.exe

C:\Windows\System\jbHGITa.exe

C:\Windows\System\jbHGITa.exe

C:\Windows\System\DswgjXQ.exe

C:\Windows\System\DswgjXQ.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
