Malware Analysis Report

2024-10-16 03:07

Sample ID 240608-ewlyeshg65
Target 2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike
SHA256 a57045dae088923c81e07cd1244bba95e7020ebe95334455291ae801ad433d4b
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a57045dae088923c81e07cd1244bba95e7020ebe95334455291ae801ad433d4b

Threat Level: Known bad

The file 2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

Cobaltstrike

xmrig

Xmrig family

UPX dump on OEP (original entry point)

Cobaltstrike family

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 04:17

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 04:17

Reported

2024-06-08 04:20

Platform

win7-20240220-en

Max time kernel

139s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yGakBKA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yRyFKoD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ACOuamW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wxSwBWi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ODCtmVo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rHnGGLj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oohPfwM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hgpoXMx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mtIhYIi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QGgtStS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ATVUtml.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WLMrujy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BzylbDj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mIvqfQt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MRhoyzF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WyhxHlU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rqXDMbZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OxMSLwl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BCCXJTA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QReWhNC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\quyKhbi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\oohPfwM.exe
PID 3032 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\mIvqfQt.exe
PID 3032 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\hgpoXMx.exe
PID 3032 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\yGakBKA.exe
PID 3032 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\yRyFKoD.exe
PID 3032 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\ACOuamW.exe
PID 3032 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\wxSwBWi.exe
PID 3032 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\QReWhNC.exe
PID 3032 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\mtIhYIi.exe
PID 3032 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\ODCtmVo.exe
PID 3032 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\rHnGGLj.exe
PID 3032 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\MRhoyzF.exe
PID 3032 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\quyKhbi.exe
PID 3032 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\WyhxHlU.exe
PID 3032 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\QGgtStS.exe
PID 3032 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\ATVUtml.exe
PID 3032 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\rqXDMbZ.exe
PID 3032 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\WLMrujy.exe
PID 3032 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\OxMSLwl.exe
PID 3032 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\BzylbDj.exe
PID 3032 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\BCCXJTA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\oohPfwM.exe

C:\Windows\System\oohPfwM.exe

C:\Windows\System\mIvqfQt.exe

C:\Windows\System\mIvqfQt.exe

C:\Windows\System\hgpoXMx.exe

C:\Windows\System\hgpoXMx.exe

C:\Windows\System\yGakBKA.exe

C:\Windows\System\yGakBKA.exe

C:\Windows\System\yRyFKoD.exe

C:\Windows\System\yRyFKoD.exe

C:\Windows\System\ACOuamW.exe

C:\Windows\System\ACOuamW.exe

C:\Windows\System\wxSwBWi.exe

C:\Windows\System\wxSwBWi.exe

C:\Windows\System\QReWhNC.exe

C:\Windows\System\QReWhNC.exe

C:\Windows\System\mtIhYIi.exe

C:\Windows\System\mtIhYIi.exe

C:\Windows\System\ODCtmVo.exe

C:\Windows\System\ODCtmVo.exe

C:\Windows\System\rHnGGLj.exe

C:\Windows\System\rHnGGLj.exe

C:\Windows\System\MRhoyzF.exe

C:\Windows\System\MRhoyzF.exe

C:\Windows\System\quyKhbi.exe

C:\Windows\System\quyKhbi.exe

C:\Windows\System\WyhxHlU.exe

C:\Windows\System\WyhxHlU.exe

C:\Windows\System\QGgtStS.exe

C:\Windows\System\QGgtStS.exe

C:\Windows\System\ATVUtml.exe

C:\Windows\System\ATVUtml.exe

C:\Windows\System\rqXDMbZ.exe

C:\Windows\System\rqXDMbZ.exe

C:\Windows\System\WLMrujy.exe

C:\Windows\System\WLMrujy.exe

C:\Windows\System\OxMSLwl.exe

C:\Windows\System\OxMSLwl.exe

C:\Windows\System\BzylbDj.exe

C:\Windows\System\BzylbDj.exe

C:\Windows\System\BCCXJTA.exe

C:\Windows\System\BCCXJTA.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


C:\Windows\system\yRyFKoD.exe

MD5 2b8cae360cdfab11275d90e941613ec4
SHA1 a24a8627b3ccfc3487303e6a217c5fab0174fc08
SHA256 6052926a61463e7426232e7d459057f91b843dc0adcb8166618bef7f8838729d
SHA512 dec466e315e6cad6fc5148c2b2c5705bf2723f15ec60340dc023b266298168bd39b87057b93c57d429b55792e57727e357938d625b393a0f1ac4039cc6d9f7f1

memory/3032-28-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/2660-19-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/3032-15-0x000000013F920000-0x000000013FC74000-memory.dmp

C:\Windows\system\mIvqfQt.exe

MD5 45304447aacdce0bd2e9fabfca54ccc3
SHA1 018798cd2e7166d5125f27320797d87dffa8a887
SHA256 a8ff630fcdc75f609702eacebc40461caf668cfbf3968040c0ab8c3eda54dc8c
SHA512 d03282f078784170e4fded04796b0e51ac038ee3977511a1fa5872966bbef0913de517633160c734acf6c24cefa2cf743f2e41f1924440fdfd8e81e8d28725df

memory/2412-136-0x000000013F9C0000-0x000000013FD14000-memory.dmp

memory/3032-2-0x000000013FEE0000-0x0000000140234000-memory.dmp

memory/3032-137-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/1360-139-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/3032-138-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/2280-141-0x000000013F620000-0x000000013F974000-memory.dmp

memory/1444-140-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/2528-144-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/2740-146-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2748-145-0x000000013F550000-0x000000013F8A4000-memory.dmp

memory/2904-143-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/2100-148-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2412-147-0x000000013F9C0000-0x000000013FD14000-memory.dmp

memory/2376-149-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/2440-150-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2644-151-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2296-152-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/2660-142-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/1444-155-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/2280-154-0x000000013F620000-0x000000013F974000-memory.dmp

memory/1360-153-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 04:17

Reported

2024-06-08 04:20

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ODCtmVo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rHnGGLj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MRhoyzF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WyhxHlU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oohPfwM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yGakBKA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yRyFKoD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ACOuamW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mIvqfQt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hgpoXMx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QGgtStS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rqXDMbZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OxMSLwl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mtIhYIi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\quyKhbi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ATVUtml.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WLMrujy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wxSwBWi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QReWhNC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BzylbDj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BCCXJTA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 5780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\oohPfwM.exe
PID 3044 wrote to memory of 5780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\oohPfwM.exe
PID 3044 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\mIvqfQt.exe
PID 3044 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\mIvqfQt.exe
PID 3044 wrote to memory of 5496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\hgpoXMx.exe
PID 3044 wrote to memory of 5496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\hgpoXMx.exe
PID 3044 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\yGakBKA.exe
PID 3044 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\yGakBKA.exe
PID 3044 wrote to memory of 6040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\yRyFKoD.exe
PID 3044 wrote to memory of 6040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\yRyFKoD.exe
PID 3044 wrote to memory of 5324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\ACOuamW.exe
PID 3044 wrote to memory of 5324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\ACOuamW.exe
PID 3044 wrote to memory of 5344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\wxSwBWi.exe
PID 3044 wrote to memory of 5344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\wxSwBWi.exe
PID 3044 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\QReWhNC.exe
PID 3044 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\QReWhNC.exe
PID 3044 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\mtIhYIi.exe
PID 3044 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\mtIhYIi.exe
PID 3044 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\ODCtmVo.exe
PID 3044 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\ODCtmVo.exe
PID 3044 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\rHnGGLj.exe
PID 3044 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\rHnGGLj.exe
PID 3044 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\MRhoyzF.exe
PID 3044 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\MRhoyzF.exe
PID 3044 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\quyKhbi.exe
PID 3044 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\quyKhbi.exe
PID 3044 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\WyhxHlU.exe
PID 3044 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\WyhxHlU.exe
PID 3044 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\QGgtStS.exe
PID 3044 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\QGgtStS.exe
PID 3044 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\ATVUtml.exe
PID 3044 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\ATVUtml.exe
PID 3044 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\rqXDMbZ.exe
PID 3044 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\rqXDMbZ.exe
PID 3044 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\WLMrujy.exe
PID 3044 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\WLMrujy.exe
PID 3044 wrote to memory of 5488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\OxMSLwl.exe
PID 3044 wrote to memory of 5488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\OxMSLwl.exe
PID 3044 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\BzylbDj.exe
PID 3044 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\BzylbDj.exe
PID 3044 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\BCCXJTA.exe
PID 3044 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe C:\Windows\System\BCCXJTA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_536eab9cfdc25c6ab992fc1d2eff2291_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\oohPfwM.exe

C:\Windows\System\oohPfwM.exe

C:\Windows\System\mIvqfQt.exe

C:\Windows\System\mIvqfQt.exe

C:\Windows\System\hgpoXMx.exe

C:\Windows\System\hgpoXMx.exe

C:\Windows\System\yGakBKA.exe

C:\Windows\System\yGakBKA.exe

C:\Windows\System\yRyFKoD.exe

C:\Windows\System\yRyFKoD.exe

C:\Windows\System\ACOuamW.exe

C:\Windows\System\ACOuamW.exe

C:\Windows\System\wxSwBWi.exe

C:\Windows\System\wxSwBWi.exe

C:\Windows\System\QReWhNC.exe

C:\Windows\System\QReWhNC.exe

C:\Windows\System\mtIhYIi.exe

C:\Windows\System\mtIhYIi.exe

C:\Windows\System\ODCtmVo.exe

C:\Windows\System\ODCtmVo.exe

C:\Windows\System\rHnGGLj.exe

C:\Windows\System\rHnGGLj.exe

C:\Windows\System\MRhoyzF.exe

C:\Windows\System\MRhoyzF.exe

C:\Windows\System\quyKhbi.exe

C:\Windows\System\quyKhbi.exe

C:\Windows\System\WyhxHlU.exe

C:\Windows\System\WyhxHlU.exe

C:\Windows\System\QGgtStS.exe

C:\Windows\System\QGgtStS.exe

C:\Windows\System\ATVUtml.exe

C:\Windows\System\ATVUtml.exe

C:\Windows\System\rqXDMbZ.exe

C:\Windows\System\rqXDMbZ.exe

C:\Windows\System\WLMrujy.exe

C:\Windows\System\WLMrujy.exe

C:\Windows\System\OxMSLwl.exe

C:\Windows\System\OxMSLwl.exe

C:\Windows\System\BzylbDj.exe

C:\Windows\System\BzylbDj.exe

C:\Windows\System\BCCXJTA.exe

C:\Windows\System\BCCXJTA.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/3044-0-0x00007FF7F5D30000-0x00007FF7F6084000-memory.dmp

memory/3044-1-0x000001F093F40000-0x000001F093F50000-memory.dmp

C:\Windows\System\oohPfwM.exe

MD5 de4188a95ccb83c468381840ea2175ce
SHA1 973a17bd70670652e71ac5d69c2eb049b4ceb4df
SHA256 1f252e184577c781d401f0ee4dbafd9127f438240fdb6af9cd2ebb5e1eef831f
SHA512 d85fa7bb664e4e767ea2f3bf11bb6bdc90b20d33a5e05be70213a71e1a24412c794dba707c360db0a9a3218955d115acf420209d5b67f6fb5d4432262082f778

memory/5780-8-0x00007FF681AB0000-0x00007FF681E04000-memory.dmp

C:\Windows\System\mIvqfQt.exe

MD5 45304447aacdce0bd2e9fabfca54ccc3
SHA1 018798cd2e7166d5125f27320797d87dffa8a887
SHA256 a8ff630fcdc75f609702eacebc40461caf668cfbf3968040c0ab8c3eda54dc8c
SHA512 d03282f078784170e4fded04796b0e51ac038ee3977511a1fa5872966bbef0913de517633160c734acf6c24cefa2cf743f2e41f1924440fdfd8e81e8d28725df

C:\Windows\System\hgpoXMx.exe

MD5 4a0024539b99a59438a507f6c3124cd6
SHA1 877c1303e82457a4e776b0f86c8e082d1d4d8e4a
SHA256 c73c5af55d8558fae3bc10df3309d6891a0212b6cc77f8f60263eea16930c988
SHA512 3b279a46b07e7c314348be15b07cf10748659f2b93331097fb9a30822ccaff634bca815ca120aa6aa52112a92da488c6020b66dee0b444dd0725fdd96bd4af7f

memory/2928-14-0x00007FF7B78C0000-0x00007FF7B7C14000-memory.dmp

memory/5496-20-0x00007FF6542C0000-0x00007FF654614000-memory.dmp

C:\Windows\System\yGakBKA.exe

MD5 7bc007a1fd8c59f828c5b44786c55255
SHA1 ae4b119d6962d6821368ef5b7a7b6b6bce91ecd2
SHA256 d403a0d263b51b057d16c0f462a000813b5a68c6a3bd16245556afbdec6ab170
SHA512 81f26bd02c69e173e1e40604c57888ae49ba7f7fbcff098d4b33a68b26dd1b84c811148a477eebac53616e949bb2aacaafc7af365e64d01cd4b19922106c91e1

memory/1020-26-0x00007FF7292A0000-0x00007FF7295F4000-memory.dmp

C:\Windows\System\yRyFKoD.exe

MD5 2b8cae360cdfab11275d90e941613ec4
SHA1 a24a8627b3ccfc3487303e6a217c5fab0174fc08
SHA256 6052926a61463e7426232e7d459057f91b843dc0adcb8166618bef7f8838729d
SHA512 dec466e315e6cad6fc5148c2b2c5705bf2723f15ec60340dc023b266298168bd39b87057b93c57d429b55792e57727e357938d625b393a0f1ac4039cc6d9f7f1

C:\Windows\System\ACOuamW.exe

MD5 a8e2ae278bbfacc7346ccbc52f51fa12
SHA1 048d25b065309deff91282af48609d2225e6b69f
SHA256 4fd53dcfa5ae4df57a0128d31b92bb1db14d457ca127d8cf694ae2fd96833450
SHA512 0f4925dc9841724091757bcfdedba3a358f7942743dd3913b8043e0e12464a5c03434dad5a5405f60639673177fa1fb5d8770fb62b2a46ddb7a4a597266ac83e

C:\Windows\System\wxSwBWi.exe

MD5 578b0515bb2b5f73fad4ad646ded421b
SHA1 a7b413ab5787f746240a20602b169b01d13ac7e9
SHA256 3106efbc931ece3fc33acbd55028dd2aa8364d498d572f28b38fdd66104af7c0
SHA512 0378a564e02ee2906de263bfd3579891ebd4e9f2b4ab932d5f38db3a9169d1e78fe5456520cde280f97f57f4be41c406a63aa5a31f559b92df9c0d0eec87993f

memory/5324-41-0x00007FF7E4B20000-0x00007FF7E4E74000-memory.dmp

memory/5344-42-0x00007FF730CC0000-0x00007FF731014000-memory.dmp

memory/6040-36-0x00007FF74AA30000-0x00007FF74AD84000-memory.dmp

C:\Windows\System\QReWhNC.exe

MD5 ab4ce29dacb94b24c0cc2dfefe43519f
SHA1 8fd573017e42a631d15ed5d8a20400841b9588e3
SHA256 22fb352c9f3203d8598de258f3aaded99f2204a4981634d94c2bab5c2877311e
SHA512 8fc27a7d69f1b37d5a194f24b65ceb94fef6741ae58f620f185cb9fd30b20cfe8f7de386c003bc674363c10fa5484eb4dd82b91f260235515eaf7d333a1eceef

memory/4984-50-0x00007FF67AEA0000-0x00007FF67B1F4000-memory.dmp

C:\Windows\System\mtIhYIi.exe

MD5 f4fd662d3e597cf165ae77ab4eda44e0
SHA1 abf1bf45f87d3d40277f525c7b1125dc31a96bce
SHA256 a9c7b3d26b259094dcf0fb4a7afe074ea9138db114a09aaf723d9d96785f57b8
SHA512 2b30e406ca44527dbb92b134feb7fa9aaeda2dbf8f761224950b2bb021879b9621b51c16e7515fd7134f63169c40ff67630ca1e0a81b6da3e39f0d3362374014

memory/1832-56-0x00007FF77E830000-0x00007FF77EB84000-memory.dmp

memory/3044-62-0x00007FF7F5D30000-0x00007FF7F6084000-memory.dmp

memory/1520-66-0x00007FF64C0B0000-0x00007FF64C404000-memory.dmp

C:\Windows\System\rHnGGLj.exe

MD5 634a8970cc8994fb2801952aeea456fa
SHA1 f9dae053f5c8164c42a78233704932cece2ac007
SHA256 c51b87e0d12d40667505657e0ddfe50300fe849cae1b4dae84cf3a85ac5a97ae
SHA512 2119e3d6e3c43f185a9c9f3cbe28a303bf2388bdf3eda1e23593b9e140e6a82e634a23dbd669939779f94398bda780572e41a390d43fd350005d5953bcfef4aa

memory/1076-69-0x00007FF614990000-0x00007FF614CE4000-memory.dmp

C:\Windows\System\ODCtmVo.exe

MD5 d136830d8ce90557b1b526169d1cabfd
SHA1 7fd5f909c612ab93da363e62378f1b6f380cae96
SHA256 84e30ea5727b7fbc13b6954f360d7f1c5940610ee3c7552a51ef0bbd0c6b3494
SHA512 f96394adc2ad6147f614aa15a9e0f895db95a614d61e39eeee72e551220f5550b5ece6869332e69c2ba44f2e33c2852c892a63ff161ca6156231a25ef48ca0e3

C:\Windows\System\MRhoyzF.exe

MD5 d508fc6ef0abe87595c87fc8740c7ef5
SHA1 19d2a7f0dd3a9f5871204c1d98c8e2976bee6038
SHA256 f806a25721142375e31b3638fa47889fb3ed82e6d04ee462f2554cd569dc8508
SHA512 e5b926f6a23e4893f1d0707458b01a3c6bb3fba808d3ff3642427c51af8eaab0527af962af90fefc2ffc5242cd0b5a0e592b70b3fce0b8cf8f54a9d5abe43685

memory/3632-76-0x00007FF769D30000-0x00007FF76A084000-memory.dmp

memory/2928-75-0x00007FF7B78C0000-0x00007FF7B7C14000-memory.dmp

C:\Windows\System\quyKhbi.exe

MD5 301ae3a5d2393e71a0e708a0d8de146e
SHA1 354c8bf0f69bd0a7adecefeacb5a3a5c0c8a0acc
SHA256 98b33fa7a1a64b0d19c5acaac4bb9494350bf32cb35115bb206dadd39ad5ea1f
SHA512 47330907074f98f2edee570816dd3187ba1836ae319e307a434d17cab158b90256e064dcd8320fd26a60c4b5929404fc709fc0c1e69a5c3e4b218656f0e50338

memory/1020-88-0x00007FF7292A0000-0x00007FF7295F4000-memory.dmp

memory/5324-92-0x00007FF7E4B20000-0x00007FF7E4E74000-memory.dmp

C:\Windows\System\QGgtStS.exe

MD5 1d0dcc832e92ba7757e897f588e1d605
SHA1 f081f606fa9befa2ef7040372a319bd3eab98003
SHA256 d96b8e065341adea1d1732a257655faf6b0770cdec8bd40edffe6723bc2e6fa6
SHA512 c74d9c7a35497193c0e7a522c5d11be13f6a26784af9c1baa884fd7a64aac47eb49c0be0634953f59619724dffd67d951b6ff85a7abd12bf396dd8ff5c9a4ea4

memory/3624-91-0x00007FF756D60000-0x00007FF7570B4000-memory.dmp

C:\Windows\System\WyhxHlU.exe

MD5 f849ead9a7c3f3e0e8990dda29297ea6
SHA1 dd0643263bcf900cea6a355c19bcd0e794f5b36c
SHA256 54c829e879085b5b41747d84b104e5d24874466d4bcec49812de8274d061346b
SHA512 6122145f63621fec7c8350877bab0dbd3acc8bf867f4755052c0b246f69b1216f56287737796d6623e29575feb0e5be3765d75ef75450122290d14136e5921b1

memory/4436-82-0x00007FF7C5C00000-0x00007FF7C5F54000-memory.dmp

C:\Windows\System\ATVUtml.exe

MD5 f41120e7855529bf7187180ca7258450
SHA1 b0c059df0d6beba5a3be7a777722bdf7cb8f6782
SHA256 9919a83b02042755054406f3aa7696c4956d2572b28197f57c0884592d8ca9d6
SHA512 d37d8f7a0be58d93bc8089c89a121eb95b0112454faee747b0fcd8563799e0cfe93fa09c3375a04897e33045ddf699fa15568a303cf0b304e933d2cbf8aa4a6a

C:\Windows\System\WLMrujy.exe

MD5 aee8bea1a57c1680fdb13eef68ea2b6b
SHA1 1bcad438ecb551a1022b0dd8b7213bca1b873d5c
SHA256 b778fc76774c8810a5f92f6cd457f9c750bdbb4b71fafdd9de236bc9513d71d4
SHA512 55bfe910d42ce3e110b5197dc0b2a8f2cc6f0a7f52d8adf665488683a0531a819d7f070f09afc04efbc9afd1a235895e0935d317b8998c2d88623c5d9aa7ccf5

C:\Windows\System\BCCXJTA.exe

MD5 cc0380066effda914afbab438c22d480
SHA1 0e8eb6a8e9b8758f6c338dea2c7933a0bd72456c
SHA256 3ccbd4f1a85b93cb653d666520ff9cc943d783ede4517e1b472f2dfbe2be4074
SHA512 4fc1ab1b6e8660dc5b4503c20600afd46b531ff82c6042335307a51a030e7400b91f1ca10e52fd8756b9a688718c838a09e45d50ad03bbbf0b2d7424e9475c20

C:\Windows\System\BzylbDj.exe

MD5 00a98a63f508a862cfd818e2ace050a9
SHA1 5241ec292bf24661f2a944553c0e81db06bfb181
SHA256 8d3e1df975c2c06c1359ac2c4b851c624dbb7f82df5ad18f7327ca93d2d6790d
SHA512 3ba11183932c4a698786f27bf53dcfc9d1dc372cfefb5e83aaa52c09d0b267837cb24c811b43b442f94ad04b59777b393396d7aa26fc9f335c2cf85c056c57b6

C:\Windows\System\OxMSLwl.exe

MD5 cea85dfe9434f81e707c8a170713c18c
SHA1 357f58e2c4d85b2476fd6e4dfc9925af05ff6fd5
SHA256 788b184c7a0173d4ef3e3a2c6a7fff55b0b03719d2532527be48eba71ed3bbf9
SHA512 9f812629ee05d1aaef58a8884dc08fd53eebb100ef540abab49e52b0cca3adb6bc76e90653728d0674f7e11ba3dbfea739947349b3df007602464355fed131df

C:\Windows\System\rqXDMbZ.exe

MD5 fa23bf51a3e329edfa9788fba0aae01c
SHA1 72d094481e100b0ee13c4d0c0603249048385427
SHA256 e0d5c51ca279c1f41c4306c88cd026a2672829095533d255e9481db52e78ce70
SHA512 2f51a0926f72863729037bd8b2e959693a8643a779cc753b8d0160a32193d0b95851d8a51ac0add0b3fa450edb1215d75850af4249ad73500dc85b184612cb4c

memory/4348-126-0x00007FF64A4C0000-0x00007FF64A814000-memory.dmp

memory/1936-125-0x00007FF767400000-0x00007FF767754000-memory.dmp

memory/3116-127-0x00007FF65B4E0000-0x00007FF65B834000-memory.dmp

memory/5488-128-0x00007FF6C9570000-0x00007FF6C98C4000-memory.dmp

memory/2820-130-0x00007FF693790000-0x00007FF693AE4000-memory.dmp

memory/4052-129-0x00007FF78CB60000-0x00007FF78CEB4000-memory.dmp

memory/2596-131-0x00007FF7EC1A0000-0x00007FF7EC4F4000-memory.dmp

memory/5344-132-0x00007FF730CC0000-0x00007FF731014000-memory.dmp

memory/4984-133-0x00007FF67AEA0000-0x00007FF67B1F4000-memory.dmp

memory/1832-134-0x00007FF77E830000-0x00007FF77EB84000-memory.dmp

memory/1076-135-0x00007FF614990000-0x00007FF614CE4000-memory.dmp

memory/5780-136-0x00007FF681AB0000-0x00007FF681E04000-memory.dmp

memory/2928-137-0x00007FF7B78C0000-0x00007FF7B7C14000-memory.dmp

memory/5496-138-0x00007FF6542C0000-0x00007FF654614000-memory.dmp

memory/1020-139-0x00007FF7292A0000-0x00007FF7295F4000-memory.dmp

memory/6040-140-0x00007FF74AA30000-0x00007FF74AD84000-memory.dmp

memory/5324-141-0x00007FF7E4B20000-0x00007FF7E4E74000-memory.dmp

memory/4984-143-0x00007FF67AEA0000-0x00007FF67B1F4000-memory.dmp

memory/5344-142-0x00007FF730CC0000-0x00007FF731014000-memory.dmp

memory/1832-144-0x00007FF77E830000-0x00007FF77EB84000-memory.dmp

memory/1520-145-0x00007FF64C0B0000-0x00007FF64C404000-memory.dmp

memory/1076-146-0x00007FF614990000-0x00007FF614CE4000-memory.dmp

memory/3632-147-0x00007FF769D30000-0x00007FF76A084000-memory.dmp

memory/4436-148-0x00007FF7C5C00000-0x00007FF7C5F54000-memory.dmp

memory/3624-149-0x00007FF756D60000-0x00007FF7570B4000-memory.dmp

memory/1936-150-0x00007FF767400000-0x00007FF767754000-memory.dmp

memory/2596-151-0x00007FF7EC1A0000-0x00007FF7EC4F4000-memory.dmp

memory/4348-152-0x00007FF64A4C0000-0x00007FF64A814000-memory.dmp

memory/3116-153-0x00007FF65B4E0000-0x00007FF65B834000-memory.dmp

memory/5488-154-0x00007FF6C9570000-0x00007FF6C98C4000-memory.dmp

memory/2820-156-0x00007FF693790000-0x00007FF693AE4000-memory.dmp

memory/4052-155-0x00007FF78CB60000-0x00007FF78CEB4000-memory.dmp