Malware Analysis Report

2024-10-16 03:07

Sample ID 240608-kkxhnsae71
Target 2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike
SHA256 e08c025f7c16d376cc2f4d7468db1eb2e7fd8641abb74a92a7b08815716486b1
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e08c025f7c16d376cc2f4d7468db1eb2e7fd8641abb74a92a7b08815716486b1

Threat Level: Known bad

The file 2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

xmrig

Cobaltstrike family

Cobalt Strike reflective loader

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Cobaltstrike

Xmrig family

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 08:40

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 08:40

Reported

2024-06-08 08:42

Platform

win7-20240215-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\CPwrMBa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\numUqLI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mAglsgt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TfgGKAz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aOmVWGT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hZNfncl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zgZrEXs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TFbIvWs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\voAFnGV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lTHNjyq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HyaqsWo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wHGaGAU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MmheHJQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HnNeglf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UHfDUJu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YCyEtMO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZZaNttC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ejxqYja.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IijdXup.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GGLHVob.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vRMHszo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\numUqLI.exe
PID 2028 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZZaNttC.exe
PID 2028 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\lTHNjyq.exe
PID 2028 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\ejxqYja.exe
PID 2028 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\HyaqsWo.exe
PID 2028 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\wHGaGAU.exe
PID 2028 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\IijdXup.exe
PID 2028 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\mAglsgt.exe
PID 2028 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\TfgGKAz.exe
PID 2028 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\aOmVWGT.exe
PID 2028 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\hZNfncl.exe
PID 2028 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\zgZrEXs.exe
PID 2028 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\HnNeglf.exe
PID 2028 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\TFbIvWs.exe
PID 2028 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\MmheHJQ.exe
PID 2028 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\GGLHVob.exe
PID 2028 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\vRMHszo.exe
PID 2028 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\UHfDUJu.exe
PID 2028 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\YCyEtMO.exe
PID 2028 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\CPwrMBa.exe
PID 2028 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\voAFnGV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\numUqLI.exe

C:\Windows\System\ZZaNttC.exe

C:\Windows\System\lTHNjyq.exe

C:\Windows\System\ejxqYja.exe

C:\Windows\System\HyaqsWo.exe

C:\Windows\System\wHGaGAU.exe

C:\Windows\System\IijdXup.exe

C:\Windows\System\mAglsgt.exe

C:\Windows\System\TfgGKAz.exe

C:\Windows\System\aOmVWGT.exe

C:\Windows\System\hZNfncl.exe

C:\Windows\System\zgZrEXs.exe

C:\Windows\System\HnNeglf.exe

C:\Windows\System\TFbIvWs.exe

C:\Windows\System\MmheHJQ.exe

C:\Windows\System\GGLHVob.exe

C:\Windows\System\vRMHszo.exe

C:\Windows\System\UHfDUJu.exe

C:\Windows\System\YCyEtMO.exe

C:\Windows\System\CPwrMBa.exe

C:\Windows\System\voAFnGV.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2028-137-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2516-138-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2028-139-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/2028-140-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2028-141-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/2028-142-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2392-143-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/2092-144-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/2544-145-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2656-146-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/2596-147-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2744-148-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2784-149-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2604-150-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2516-151-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/1988-152-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2864-153-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/2828-154-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2940-155-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/2168-156-0x000000013FDC0000-0x0000000140114000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 08:40

Reported

2024-06-08 08:42

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UwTLtYT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nctdtyp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eUXOKnc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DrJawLg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rHNGEOA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DzupwxF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RcPADKx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EQFtIFW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TMKNwCx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AlrwOMz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tbmQOKe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wrCSlgm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MrjejWr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BXgPAtM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hhUUzib.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\njrqZQV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ehbZzHJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qdohjvV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aydDxTC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aaHVzmV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\euBCamz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5068 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\wrCSlgm.exe
PID 5068 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\wrCSlgm.exe
PID 5068 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\aaHVzmV.exe
PID 5068 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\aaHVzmV.exe
PID 5068 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\euBCamz.exe
PID 5068 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\euBCamz.exe
PID 5068 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\MrjejWr.exe
PID 5068 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\MrjejWr.exe
PID 5068 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\DrJawLg.exe
PID 5068 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\DrJawLg.exe
PID 5068 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\DzupwxF.exe
PID 5068 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\DzupwxF.exe
PID 5068 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\ehbZzHJ.exe
PID 5068 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\ehbZzHJ.exe
PID 5068 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\qdohjvV.exe
PID 5068 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\qdohjvV.exe
PID 5068 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\RcPADKx.exe
PID 5068 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\RcPADKx.exe
PID 5068 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\aydDxTC.exe
PID 5068 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\aydDxTC.exe
PID 5068 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\EQFtIFW.exe
PID 5068 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\EQFtIFW.exe
PID 5068 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\rHNGEOA.exe
PID 5068 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\rHNGEOA.exe
PID 5068 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\TMKNwCx.exe
PID 5068 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\TMKNwCx.exe
PID 5068 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\AlrwOMz.exe
PID 5068 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\AlrwOMz.exe
PID 5068 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\BXgPAtM.exe
PID 5068 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\BXgPAtM.exe
PID 5068 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\hhUUzib.exe
PID 5068 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\hhUUzib.exe
PID 5068 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\tbmQOKe.exe
PID 5068 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\tbmQOKe.exe
PID 5068 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\UwTLtYT.exe
PID 5068 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\UwTLtYT.exe
PID 5068 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\njrqZQV.exe
PID 5068 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\njrqZQV.exe
PID 5068 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\nctdtyp.exe
PID 5068 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\nctdtyp.exe
PID 5068 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\eUXOKnc.exe
PID 5068 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe C:\Windows\System\eUXOKnc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_f53c8b5ab64888e73b0cd40f2d9b8276_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\wrCSlgm.exe

C:\Windows\System\wrCSlgm.exe

C:\Windows\System\aaHVzmV.exe

C:\Windows\System\aaHVzmV.exe

C:\Windows\System\euBCamz.exe

C:\Windows\System\euBCamz.exe

C:\Windows\System\MrjejWr.exe

C:\Windows\System\MrjejWr.exe

C:\Windows\System\DrJawLg.exe

C:\Windows\System\DrJawLg.exe

C:\Windows\System\DzupwxF.exe

C:\Windows\System\DzupwxF.exe

C:\Windows\System\ehbZzHJ.exe

C:\Windows\System\ehbZzHJ.exe

C:\Windows\System\qdohjvV.exe

C:\Windows\System\qdohjvV.exe

C:\Windows\System\RcPADKx.exe

C:\Windows\System\RcPADKx.exe

C:\Windows\System\aydDxTC.exe

C:\Windows\System\aydDxTC.exe

C:\Windows\System\EQFtIFW.exe

C:\Windows\System\EQFtIFW.exe

C:\Windows\System\rHNGEOA.exe

C:\Windows\System\rHNGEOA.exe

C:\Windows\System\TMKNwCx.exe

C:\Windows\System\TMKNwCx.exe

C:\Windows\System\AlrwOMz.exe

C:\Windows\System\AlrwOMz.exe

C:\Windows\System\BXgPAtM.exe

C:\Windows\System\BXgPAtM.exe

C:\Windows\System\hhUUzib.exe

C:\Windows\System\hhUUzib.exe

C:\Windows\System\tbmQOKe.exe

C:\Windows\System\tbmQOKe.exe

C:\Windows\System\UwTLtYT.exe

C:\Windows\System\UwTLtYT.exe

C:\Windows\System\njrqZQV.exe

C:\Windows\System\njrqZQV.exe

C:\Windows\System\nctdtyp.exe

C:\Windows\System\nctdtyp.exe

C:\Windows\System\eUXOKnc.exe

C:\Windows\System\eUXOKnc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/5068-0-0x00007FF6AFD10000-0x00007FF6B0064000-memory.dmp

memory/5068-1-0x0000022D07E40000-0x0000022D07E50000-memory.dmp

C:\Windows\System\wrCSlgm.exe

MD5 11bef195edb736d896b563b1fb42bb7c
SHA1 e1a7a9653b18c1b4989c6a1594f94773dee0aea7
SHA256 cecb31ddced2d7370b2cd1bddfb89384564ed77a01cc55cd5e9c6e32a8a3c9b6
SHA512 af6644f72b9587050e305af9c1d30647930a2d521ca5d99f48862e52fac1a543596998531e2199ad97c8c01d9e4ffa98d0ae387473502fdb7ddf68764ce10749

memory/3228-8-0x00007FF65F080000-0x00007FF65F3D4000-memory.dmp

C:\Windows\System\euBCamz.exe

MD5 dc8f6f840f5805457211d03c4f3bfb2f
SHA1 44b831d714b9a2834d1d1e86517558f9d204c507
SHA256 7b9e74b3da7123eba6e685ff75c71c3959c956e0b95c5825296822a5819e79a4
SHA512 f51fcc78d6b67f6debb619f47e67b4604f5c95da4926a7dc04f134f694c6d00a905d6c2d0790b8728cdd2b0ff24dd5d58962fdfd1d055687b18e070779c2e4f2

C:\Windows\System\MrjejWr.exe

MD5 2ed641aed46fa3a75c98fc5049ae421d
SHA1 4f111aa9652ebf5da3f0323c8220a09edfd50a73
SHA256 fdfdccccf16bb014051b87e219b993a4a8796990d7ee2efcd9112c55b4ebfb6c
SHA512 8e82146864cf3d95c1141cbc6e967423e34abbe073384c2e6519c30d2596299e7c3de4e917b129bf01db8f95ca6e7c22120e6a609ea89bd23ccd1b1d224756c5

C:\Windows\System\DrJawLg.exe

MD5 02861b33e5136496a92d9f27bc4e276e
SHA1 570bb27b28f71301049b3de5dead6e5df5f3a3d2
SHA256 956a8f8d099e75122f4edb9a649cb2f6a45f6de6e5ec042564e9a3f75dbb59de
SHA512 9e3628c257e5bc704a9e02ef2dcd69683c6ce29f674bccb0e976081ab5a778342664d219077f3490c409fb3c50d86205024cc879429f85b0868923ac5da27368

memory/660-30-0x00007FF79D450000-0x00007FF79D7A4000-memory.dmp

memory/4244-23-0x00007FF7A8C80000-0x00007FF7A8FD4000-memory.dmp

memory/3692-25-0x00007FF7B0330000-0x00007FF7B0684000-memory.dmp

memory/5012-19-0x00007FF7D7020000-0x00007FF7D7374000-memory.dmp

C:\Windows\System\aaHVzmV.exe

MD5 ed6768df87f290d4c04f58e3e26b232a
SHA1 a7254c72c254645fe665eb9b41465c8180d3c70b
SHA256 22c0104826a08bfccca885252169927be1d2e14964eb8a692b50df574c3b33da
SHA512 afc72144096a94b2f754819262d8c112dce0685e42458579934059c1300e5404adcc6bdca2d721c8c107b75e3e113cb66a3c4f05ea7757a04eb84b88df162c14

C:\Windows\System\DzupwxF.exe

MD5 c7936fe55568d3e28f16916be240755a
SHA1 e682592951f38e47d1f24f63b9db66e083b7030a
SHA256 1f9cfcedc5f8f6e7221a966f776ddc8adbd5de1f108c539b90528663069871b6
SHA512 537657613a9114b6b60da36d509844aaf4d56ddd76c9ae4b1aa812fd286ba747d96244ba508d3c182d100268ed51d83d363d38f7bf7f3145c2a952cdd2ac7f53

memory/4460-38-0x00007FF6A62D0000-0x00007FF6A6624000-memory.dmp

C:\Windows\System\ehbZzHJ.exe

MD5 1c04153c08a3aa619bf74aad0e0d6d86
SHA1 a9dbe6ed9234974eaf8920d783117e8d3f4b88d0
SHA256 e42e3f72749a10c86dac8e2ddf5dd3988a9abfaed996782795dbe91c0144b7b9
SHA512 606287de48fa8faa3e4ea5e4817d8301bab208696196961778efbdc145fadab25a17f7ae0c1599c5db2159a99467c7b1ba18c71348bed01682d250893f1fba02

memory/3696-45-0x00007FF63A6E0000-0x00007FF63AA34000-memory.dmp

C:\Windows\System\RcPADKx.exe

MD5 48c93fe3ebd65a1c9ac11da55dac317e
SHA1 3435a42ddea4c82e38546cfef758c56aeea3d0d3
SHA256 f912e7f444b32c35073d90b6267cd3bf57b8079ce38876e8e5c0b11829cb93df
SHA512 c1248bcedb30b28593a20a118b2aae165c739902f6e18a3ab5c30085a71135836b4a826dad4e35c6bac8a55d26b473a70b398cd81a157c132a8ffe274b6a1865

C:\Windows\System\EQFtIFW.exe

MD5 a518ee92222e6ed7c89989a48acfc74a
SHA1 8b11de0bed926ee1c14400030fbddbe43127a825
SHA256 e3a3cd7853d4eb79c56f6be0740f10dcba4120db0dde48bdd4a17eaca744edc3
SHA512 f90edc3acc409cbbc4daf25cb77dc1066976900c0788b6006b4b781cd1a28eed22aaaf9b264f3161ed5af1c2d05e1b82a190fa4e66d618d85ee50bde8484ba9d

memory/2120-67-0x00007FF783DA0000-0x00007FF7840F4000-memory.dmp

C:\Windows\System\rHNGEOA.exe

MD5 3728e0b19644892621f4822066b5d057
SHA1 501ba5f12a18f72aac3cda83a27660a6dec88313
SHA256 10747b617e0d4ffc92232559b418b67c903b2e5a6cb1e35f45b4aa586f6e6f97
SHA512 12cc314c38862243f1cbe550427cfac87f56fcd7c7afd759016e2c5ba5d3ff92f4952931830ded51b8e8d2ab58c1bcf48456b545ea8ee2ea0642606664e12021

C:\Windows\System\TMKNwCx.exe

MD5 d9f3dd86bbf8989b4e36671e2e9904ca
SHA1 9f7c532218da8941a2e6f2fbf8384aadd65f6c10
SHA256 49eca836fdc94b0bf74d3ef1a8050b2cbea0dadfaf8aef34911ecb1008879822
SHA512 85c5e50d81fbda2708fced9583006a4839a522b0b0aa9ebfdbbdde7cb22b6e8e87d2aafe1e3776610550e1131e5378e8000803ab7703737cbe47f0c907ac43c9

memory/2084-82-0x00007FF697C30000-0x00007FF697F84000-memory.dmp

memory/5012-91-0x00007FF7D7020000-0x00007FF7D7374000-memory.dmp

C:\Windows\System\BXgPAtM.exe

MD5 6647577fcb2988dc90ac94427e32a37e
SHA1 f12b2850a856025e45b190285c856e0aa656550c
SHA256 b3dc2c01b8d13ab3c366fc33dfa6d2f2746037ddaabbedd7f7e0dae0c5ac4e7a
SHA512 4851e00e409c3756ac63d1f893538144366a92b4998221ca0b79c2f4f266af38a6188a10cdc20d9fb462af02e7198af67e4d2433a4e230ffb4d5115b2dc387b5

memory/1400-92-0x00007FF7442C0000-0x00007FF744614000-memory.dmp

C:\Windows\System\AlrwOMz.exe

MD5 1e6d07efc1cc74716ceeada9b46ae854
SHA1 e68122e6f1eaf3c756aa02e57b40da5766b0cf59
SHA256 fab94043ee2d4da26f7774bfc9c49f8fb5377e96ad8a421aba79c90842c36b7d
SHA512 e7b04d50ddc3c1d54b09c2c756492935ff4e75651ec86d5bee7558c568076f0482865e8197c33f297102e417d6f0659e8f0a4357af3f6b094487b9590e07415a

memory/3540-88-0x00007FF6FDE90000-0x00007FF6FE1E4000-memory.dmp

memory/3228-87-0x00007FF65F080000-0x00007FF65F3D4000-memory.dmp

memory/5068-79-0x00007FF6AFD10000-0x00007FF6B0064000-memory.dmp

memory/2784-78-0x00007FF64C0D0000-0x00007FF64C424000-memory.dmp

memory/4988-72-0x00007FF61F200000-0x00007FF61F554000-memory.dmp

memory/4600-69-0x00007FF696D50000-0x00007FF6970A4000-memory.dmp

C:\Windows\System\aydDxTC.exe

MD5 e28c7e0144160530df09f657fa6d7664
SHA1 beed5edd6766eec5903aac30b1a2cd56639c0f3c
SHA256 3d4ccf3063206358c7a498d2b101493ff1af46ea846e29f25efb9c7be4c5edee
SHA512 6e0517710d171e58902c31c879e0798da94c61b19ece2a78ede722eea0cd5ca4a5ea477cf0f98a8228e015a7803e9919f6e741274b6f93b73d74c9d8bc391b27

memory/3052-53-0x00007FF670B90000-0x00007FF670EE4000-memory.dmp

C:\Windows\System\qdohjvV.exe

MD5 85344f225682620239ba54d8881aa381
SHA1 a9f981d754042621094e75ccd1cb1602dfee4539
SHA256 4f23e4ba198c507aacecc578579b085200e635593333e0206d2b636a15936678
SHA512 d8af1bc38eff621ae15db9790e2686360713a17f1972731e9d85da15f2a3c94543e8486fde787c550a4e137343ca8b93a9df15ee760d343d5afd52fbc0f5786d

C:\Windows\System\hhUUzib.exe

MD5 91970d931bd794a3d9d96513a09ce271
SHA1 fd3f2f62868c1479c07aa029bacab06a663865a3
SHA256 a906bee7b560cf4d7709692efcc8348975a976aa2318d359c1707f1829290d54
SHA512 7bf9a3bb9e0bee2a60ac08f951b3837c77163e20cfdaacfd9d4f30815a83857de5cb0ded07f522be2035a6997734bed04a690adb8274c4d87ff3fe86dca60ceb

C:\Windows\System\UwTLtYT.exe

MD5 9ed950f7e1405b1ba310c9bc605b3760
SHA1 f0d756e8bd5650c4adb3df51002612b6d06ed04e
SHA256 0285c27938d1a28a5046726c17a90a3979a79e4abffbb66fed937f08e22073b5
SHA512 6bdec658c4847d3788ada1c81a5c0d1609b6e6d7966ee0dfb273880673c8e0a80aa79c4ffc648a141cf29d728962698a4677956c16341431b1c36063de1111fa

memory/4452-115-0x00007FF7F8E40000-0x00007FF7F9194000-memory.dmp

C:\Windows\System\njrqZQV.exe

MD5 eb9fbb61cd5866715d6f0d4a4914ba60
SHA1 8532fae148291e85f308ec9a5c82a442862e0c8b
SHA256 9fcec08ffbc6d2a964d38edcf6d037dd9fa2ea5d62f35964858e03a21099c018
SHA512 b3a82110a420412cda74dd4a4dcc3159fbaea153d3dbcd51152f8773d718f4528cf40cb010647e4b81ccc867a438768647ed47989b34bfda3fafa69b3c873698

C:\Windows\System\eUXOKnc.exe

MD5 b5a5c16cb32766c40f22acad90313f4e
SHA1 9b2f44b795ee2ffaa2dae4e6001e1987d994b677
SHA256 7995daf88dcd75c715d20ea8c45d2a25779b00c7282539209e4342806a6aeb12
SHA512 71f7d41aefcf7f9e1498f286187f914a6f5942c81b437aee743e21776118c9f8c7b128e2602a0dc4a4bc31a305a5e67385b054b903f09ca20d4ea7baea4c256d

C:\Windows\System\nctdtyp.exe

MD5 bc414437579f09870b121ab59e6d4e5a
SHA1 cffd733c6f77b8221072b978dd438ccb9ecb12f8
SHA256 20ad5934c45caa43fcdabaec3bb9155e2930be8dc51d3be18015f264b6c24ab6
SHA512 fbd29ad823bb19e235d0bbe4a87719bf27a6774e2ced8bd6434429108de7c9eedb8a4791ffb330317762f30aac72359b2c463d5c29e762104aad6069dcd90766

C:\Windows\System\tbmQOKe.exe

MD5 9b6af5e40d5590614972f9229e706cad
SHA1 2c35ef5443ce066d8fd8d21774c1ba839af31d13
SHA256 b9d15bee4bfc2cf7559ae75887ca21659d6cbbafe2e79a8f6fce65c756010ec9
SHA512 9af218dca99b9debc87973de3e4befa590297b4bf80a7fd5bce81c108142e0570b49de77fa63244cfd2dba2246546b9f3ea12995a11a97baafee8760962409ee

memory/4020-129-0x00007FF6CF7B0000-0x00007FF6CFB04000-memory.dmp

memory/2708-128-0x00007FF6AC830000-0x00007FF6ACB84000-memory.dmp

memory/4684-127-0x00007FF705630000-0x00007FF705984000-memory.dmp

memory/2772-126-0x00007FF667200000-0x00007FF667554000-memory.dmp

memory/3692-130-0x00007FF7B0330000-0x00007FF7B0684000-memory.dmp

memory/3368-131-0x00007FF6B5D80000-0x00007FF6B60D4000-memory.dmp

memory/660-132-0x00007FF79D450000-0x00007FF79D7A4000-memory.dmp

memory/3696-133-0x00007FF63A6E0000-0x00007FF63AA34000-memory.dmp

memory/4988-134-0x00007FF61F200000-0x00007FF61F554000-memory.dmp

memory/2084-135-0x00007FF697C30000-0x00007FF697F84000-memory.dmp

memory/3540-136-0x00007FF6FDE90000-0x00007FF6FE1E4000-memory.dmp

memory/1400-137-0x00007FF7442C0000-0x00007FF744614000-memory.dmp

memory/3228-138-0x00007FF65F080000-0x00007FF65F3D4000-memory.dmp

memory/5012-140-0x00007FF7D7020000-0x00007FF7D7374000-memory.dmp

memory/4244-139-0x00007FF7A8C80000-0x00007FF7A8FD4000-memory.dmp

memory/3692-141-0x00007FF7B0330000-0x00007FF7B0684000-memory.dmp

memory/660-142-0x00007FF79D450000-0x00007FF79D7A4000-memory.dmp

memory/4460-143-0x00007FF6A62D0000-0x00007FF6A6624000-memory.dmp

memory/3052-144-0x00007FF670B90000-0x00007FF670EE4000-memory.dmp

memory/3696-145-0x00007FF63A6E0000-0x00007FF63AA34000-memory.dmp

memory/2120-146-0x00007FF783DA0000-0x00007FF7840F4000-memory.dmp

memory/4600-147-0x00007FF696D50000-0x00007FF6970A4000-memory.dmp

memory/4988-148-0x00007FF61F200000-0x00007FF61F554000-memory.dmp

memory/2784-149-0x00007FF64C0D0000-0x00007FF64C424000-memory.dmp

memory/2084-150-0x00007FF697C30000-0x00007FF697F84000-memory.dmp

memory/3540-151-0x00007FF6FDE90000-0x00007FF6FE1E4000-memory.dmp

memory/1400-152-0x00007FF7442C0000-0x00007FF744614000-memory.dmp

memory/4452-153-0x00007FF7F8E40000-0x00007FF7F9194000-memory.dmp

memory/2772-154-0x00007FF667200000-0x00007FF667554000-memory.dmp

memory/4684-155-0x00007FF705630000-0x00007FF705984000-memory.dmp

memory/4020-157-0x00007FF6CF7B0000-0x00007FF6CFB04000-memory.dmp

memory/2708-156-0x00007FF6AC830000-0x00007FF6ACB84000-memory.dmp

memory/3368-158-0x00007FF6B5D80000-0x00007FF6B60D4000-memory.dmp