Malware Analysis Report

2024-10-16 03:07

Sample ID 240608-hwbdgaba53
Target 2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike
SHA256 afc79d2e838171062903255a34fce33f67f71ea7b99964184e1d728223dd8334
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

afc79d2e838171062903255a34fce33f67f71ea7b99964184e1d728223dd8334

Threat Level: Known bad

The file 2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

Xmrig family

xmrig

Cobaltstrike family

Cobaltstrike

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 07:06

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 07:04

Reported

2024-06-08 07:08

Platform

win7-20240508-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts


UPX dump on OEP (original entry point)


XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\jLdHOQH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SdfFolr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tTGGBQj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PAzhpbR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fifFZTk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hTFpolD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GKfcYGd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xAhriFR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YflPxwS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mnxRrwM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oEJbnIZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uUcRBjZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YAfBwvR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lTnJpvt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KhGXgXx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\LDqSqKR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QBqlNpH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gdLYgPC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gXJDiBk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bLoDaqM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MzEsYAX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\YflPxwS.exe
PID 1304 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\QBqlNpH.exe
PID 1304 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\mnxRrwM.exe
PID 1304 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\fifFZTk.exe
PID 1304 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\MzEsYAX.exe
PID 1304 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\oEJbnIZ.exe
PID 1304 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\gdLYgPC.exe
PID 1304 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\hTFpolD.exe
PID 1304 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\uUcRBjZ.exe
PID 1304 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\PAzhpbR.exe
PID 1304 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\GKfcYGd.exe
PID 1304 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\YAfBwvR.exe
PID 1304 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\jLdHOQH.exe
PID 1304 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\lTnJpvt.exe
PID 1304 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\KhGXgXx.exe
PID 1304 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\SdfFolr.exe
PID 1304 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\gXJDiBk.exe
PID 1304 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\LDqSqKR.exe
PID 1304 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\xAhriFR.exe
PID 1304 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\tTGGBQj.exe
PID 1304 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\bLoDaqM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\YflPxwS.exe

C:\Windows\System\YflPxwS.exe

C:\Windows\System\QBqlNpH.exe

C:\Windows\System\QBqlNpH.exe

C:\Windows\System\mnxRrwM.exe

C:\Windows\System\mnxRrwM.exe

C:\Windows\System\fifFZTk.exe

C:\Windows\System\fifFZTk.exe

C:\Windows\System\MzEsYAX.exe

C:\Windows\System\MzEsYAX.exe

C:\Windows\System\oEJbnIZ.exe

C:\Windows\System\oEJbnIZ.exe

C:\Windows\System\gdLYgPC.exe

C:\Windows\System\gdLYgPC.exe

C:\Windows\System\hTFpolD.exe

C:\Windows\System\hTFpolD.exe

C:\Windows\System\uUcRBjZ.exe

C:\Windows\System\uUcRBjZ.exe

C:\Windows\System\PAzhpbR.exe

C:\Windows\System\PAzhpbR.exe

C:\Windows\System\GKfcYGd.exe

C:\Windows\System\GKfcYGd.exe

C:\Windows\System\YAfBwvR.exe

C:\Windows\System\YAfBwvR.exe

C:\Windows\System\jLdHOQH.exe

C:\Windows\System\jLdHOQH.exe

C:\Windows\System\lTnJpvt.exe

C:\Windows\System\lTnJpvt.exe

C:\Windows\System\KhGXgXx.exe

C:\Windows\System\KhGXgXx.exe

C:\Windows\System\SdfFolr.exe

C:\Windows\System\SdfFolr.exe

C:\Windows\System\gXJDiBk.exe

C:\Windows\System\gXJDiBk.exe

C:\Windows\System\LDqSqKR.exe

C:\Windows\System\LDqSqKR.exe

C:\Windows\System\xAhriFR.exe

C:\Windows\System\xAhriFR.exe

C:\Windows\System\tTGGBQj.exe

C:\Windows\System\tTGGBQj.exe

C:\Windows\System\bLoDaqM.exe

C:\Windows\System\bLoDaqM.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/1304-0-0x000000013FD00000-0x0000000140054000-memory.dmp

memory/1304-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\YflPxwS.exe

MD5 d89b6523697854a16231d4bf79ec441d
SHA1 8f65d404fc8b6ba61fa96ea35e4ccf76985514b2
SHA256 4a965fd20032a141450da17ebe0dba58f4007e18ae6708ee50e1f435d50e16a1
SHA512 ef5f06be8476f042f01ab59a2dc51a5ede773c06ce5dba90f030e04acefb4e6140a634f650b2a4b75f355713ac1211df1282ed0970161d170f58343c4bc95e7c

memory/1124-8-0x000000013FEA0000-0x00000001401F4000-memory.dmp

\Windows\system\QBqlNpH.exe

MD5 08e2d03a0c8757462be73964b920eb93
SHA1 0adf47d38fa6108d5f218936492f8ae134dbb075
SHA256 20b54b0ba0318101b0dec60d7a0e04bec3bd0d3bcd4c54e207ac1e28d8998160
SHA512 7c57e6eefc774d04305d943e74b599ec44ad792b5dfbf24d055acdbc2fd6fe1746e89018c05ad63bd1b4a6ad2adc027740b01340ee75446202f50a8b1b5c43bf

memory/2800-14-0x000000013F250000-0x000000013F5A4000-memory.dmp

C:\Windows\system\mnxRrwM.exe

MD5 0795d5c24d82912748f300a439db1cb1
SHA1 77162b6de7d6fb7c22efd8a1ea916a9b12ddba16
SHA256 17f3606296890ef0544cc9b0a27bb3549171f86fe06fb9abc36f9e3fc85cf339
SHA512 10056aa24d6df3a4d8c415500bde31bd71321b2fe3b9249e9e5567294e34fc4a4816e8b669689743db954ddf1865e1258c1c369673c9d2c004e403307c603227

memory/2052-21-0x000000013F0B0000-0x000000013F404000-memory.dmp

\Windows\system\fifFZTk.exe

MD5 72d8070420dae7300ddd695a5aab1dc9
SHA1 658ca89e405d31be0f18910249cf86a6a2112395
SHA256 49a4c5e93c82b9dce4f3646f24535b6775f35fb9630537650c700943bf52ee8f
SHA512 d1c8b7ec56879a8d63165c90c72e4764d7efdca1c104ade087d4653051fb717d3785c96d1569b74823b54960f2e05b1ddd32c62d88b184864ab6340a61c16e7f

memory/2584-27-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/1304-41-0x0000000002480000-0x00000000027D4000-memory.dmp

\Windows\system\gdLYgPC.exe

MD5 e631adbdbceac624c705cb98a4ad5129
SHA1 bfc3ba925f751a909e5d0188d78e1422a7835726
SHA256 771b88f3dde576dec6051d66d17ca7483417baeb5258586f4e8c95af9717a1a0
SHA512 d8c2053df2c450c96a80a05ca3a00c1fcd4fb17864f71e034f5486306329b15d889d992f2d0c101f4f7159f028cb22783fe086a5e237a648fca388c0dcb775a7

memory/1304-44-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/1304-33-0x000000013F660000-0x000000013F9B4000-memory.dmp

C:\Windows\system\MzEsYAX.exe

MD5 6ddcaedd6a3fc2e9e99bb435b113dec0
SHA1 6922c3146826e70347684f72e13786f4db96d8f6
SHA256 49b5cd6bf952c2bfb697f4bfa2575899edb84d3c581db9db800e0b65eb2058df
SHA512 2fd699e7f10a8d6011e93936214e0f399d208cc89a4e53f554530c8efdcd74c03ec9771aacc1b59e4eb6f4e785c51372b349b80d29c3a494fb095df6479cd35f

memory/2620-39-0x000000013FD20000-0x0000000140074000-memory.dmp

C:\Windows\system\oEJbnIZ.exe

MD5 e190dfcca64eb46d9af6db7874dfb966
SHA1 11d2177eae4695d1d5c25c4f1531c91f09193d2d
SHA256 1637d460716acf7f8ea93df8c3260eea2cef0d5f5003535d00cfb387be27ad8b
SHA512 dd17344f0b45591746f83869ce5f7d8488e2342bf1d87915dec53ab1f36f9959af520b232f1eada55bd13572c65641e2125ca5282c09ff7665f10d927c508c4a

memory/2688-36-0x000000013F660000-0x000000013F9B4000-memory.dmp

memory/1304-26-0x0000000002480000-0x00000000027D4000-memory.dmp

memory/1304-20-0x000000013F0B0000-0x000000013F404000-memory.dmp

memory/2652-54-0x000000013FDE0000-0x0000000140134000-memory.dmp

memory/1304-53-0x0000000002480000-0x00000000027D4000-memory.dmp

memory/2476-61-0x000000013F6F0000-0x000000013FA44000-memory.dmp

memory/2600-66-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2892-76-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/2548-83-0x000000013F9B0000-0x000000013FD04000-memory.dmp

C:\Windows\system\lTnJpvt.exe

MD5 a7b689c7e2d8b2d01ad8bb51326e9892
SHA1 a113394e13250e1cc4cc5d10f1e73700cc53d7e6
SHA256 8f4c00750d41619b1aa72533dadc9232c3bb3f4fe84cc904353da6be084c273a
SHA512 477f5feaeda2a0ec46f049ff278ff41d94080c0998df67cb93bfc9aa9a3b8f8d0721730985f1966b150d6e11d8502b25f699d32ad32a041420197777dd937037

C:\Windows\system\LDqSqKR.exe

MD5 2644857d04651a8e2462c889180ac407
SHA1 6a04b0d5794f59d2f6888d1da83ae2bf39dc8f68
SHA256 0b12b83e68aad30e6e028a7c47a25dd4fe45b5c6078cf0efecd26059151ca41b
SHA512 f8584dd4adf8618bc8ff6cf394ae8d2e1a31f407c2daea2285dbb1b3dbfdc0cfd9092bdd9d1dcedbae15365d64a1e0b6ea90cc45cf83b8df8106bfdf2c887707

\Windows\system\bLoDaqM.exe

MD5 d47d25e1ea2d2589316c609241c29239
SHA1 bbccbb01ff3afb8978f5b0b1cd3ab1c5bce0f6a9
SHA256 5e50bf879b3b6f9691a6857d81aec871bc4593d456cabe9012dd93bb29903562
SHA512 86cc4ef5c4b838fcaa1222be9b9676be429f9d20a1dd0b237d94503cfc7931e6bf3f41fff91d2d8b54f7355963bb344c8bb4d7b0ceacc41be79f09f944314004

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 07:04

Reported

2024-06-08 07:09

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\rZaCosZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xacYmWA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yOmMuDV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nuDBTrg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UfxlDhr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UrHVZhY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TLDAbdt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XhVDaPf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TdaHuVg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YtJVRuE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kYbUEwZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fSuZkpq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GUrpjBj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QtFfwdg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rPUdZSz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DpJYvdS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NdeOoWH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ShkOjtu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\suPwPEy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NJmhuxr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CqLhvnH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\rZaCosZ.exe
PID 5020 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\rZaCosZ.exe
PID 5020 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\TLDAbdt.exe
PID 5020 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\TLDAbdt.exe
PID 5020 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\XhVDaPf.exe
PID 5020 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\XhVDaPf.exe
PID 5020 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\DpJYvdS.exe
PID 5020 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\DpJYvdS.exe
PID 5020 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\NdeOoWH.exe
PID 5020 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\NdeOoWH.exe
PID 5020 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\ShkOjtu.exe
PID 5020 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\ShkOjtu.exe
PID 5020 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\fSuZkpq.exe
PID 5020 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\fSuZkpq.exe
PID 5020 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\xacYmWA.exe
PID 5020 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\xacYmWA.exe
PID 5020 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\yOmMuDV.exe
PID 5020 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\yOmMuDV.exe
PID 5020 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\GUrpjBj.exe
PID 5020 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\GUrpjBj.exe
PID 5020 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\suPwPEy.exe
PID 5020 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\suPwPEy.exe
PID 5020 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\QtFfwdg.exe
PID 5020 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\QtFfwdg.exe
PID 5020 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\NJmhuxr.exe
PID 5020 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\NJmhuxr.exe
PID 5020 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPUdZSz.exe
PID 5020 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPUdZSz.exe
PID 5020 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\nuDBTrg.exe
PID 5020 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\nuDBTrg.exe
PID 5020 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\UfxlDhr.exe
PID 5020 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\UfxlDhr.exe
PID 5020 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\UrHVZhY.exe
PID 5020 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\UrHVZhY.exe
PID 5020 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\CqLhvnH.exe
PID 5020 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\CqLhvnH.exe
PID 5020 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\TdaHuVg.exe
PID 5020 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\TdaHuVg.exe
PID 5020 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\YtJVRuE.exe
PID 5020 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\YtJVRuE.exe
PID 5020 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\kYbUEwZ.exe
PID 5020 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe C:\Windows\System\kYbUEwZ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_5df16383f9e943639b6bb34484e8005e_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\rZaCosZ.exe

C:\Windows\System\rZaCosZ.exe

C:\Windows\System\TLDAbdt.exe

C:\Windows\System\TLDAbdt.exe

C:\Windows\System\XhVDaPf.exe

C:\Windows\System\XhVDaPf.exe

C:\Windows\System\DpJYvdS.exe

C:\Windows\System\DpJYvdS.exe

C:\Windows\System\NdeOoWH.exe

C:\Windows\System\NdeOoWH.exe

C:\Windows\System\ShkOjtu.exe

C:\Windows\System\ShkOjtu.exe

C:\Windows\System\fSuZkpq.exe

C:\Windows\System\fSuZkpq.exe

C:\Windows\System\xacYmWA.exe

C:\Windows\System\xacYmWA.exe

C:\Windows\System\yOmMuDV.exe

C:\Windows\System\yOmMuDV.exe

C:\Windows\System\GUrpjBj.exe

C:\Windows\System\GUrpjBj.exe

C:\Windows\System\suPwPEy.exe

C:\Windows\System\suPwPEy.exe

C:\Windows\System\QtFfwdg.exe

C:\Windows\System\QtFfwdg.exe

C:\Windows\System\NJmhuxr.exe

C:\Windows\System\NJmhuxr.exe

C:\Windows\System\rPUdZSz.exe

C:\Windows\System\rPUdZSz.exe

C:\Windows\System\nuDBTrg.exe

C:\Windows\System\nuDBTrg.exe

C:\Windows\System\UfxlDhr.exe

C:\Windows\System\UfxlDhr.exe

C:\Windows\System\UrHVZhY.exe

C:\Windows\System\UrHVZhY.exe

C:\Windows\System\CqLhvnH.exe

C:\Windows\System\CqLhvnH.exe

C:\Windows\System\TdaHuVg.exe

C:\Windows\System\TdaHuVg.exe

C:\Windows\System\YtJVRuE.exe

C:\Windows\System\YtJVRuE.exe

C:\Windows\System\kYbUEwZ.exe

C:\Windows\System\kYbUEwZ.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 13.107.253.67:443 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files
