Malware Analysis Report

2024-10-16 03:07

Sample ID 240608-kngavsae9s
Target 2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike
SHA256 f3a0c739cc0c5978c1dae2a0e57e9274dd4882c49e0769050dba3acd402d149f
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f3a0c739cc0c5978c1dae2a0e57e9274dd4882c49e0769050dba3acd402d149f

Threat Level: Known bad

The file 2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike

xmrig

XMRig Miner payload

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Xmrig family

Cobaltstrike family

Detects Reflective DLL injection artifacts

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 08:44

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 08:44

Reported

2024-06-08 08:47

Platform

win7-20240508-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A (21 occurrences)

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wWANIoT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bipqyst.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SSyrYwQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hDqbDDb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TAJnwRO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TngTAtl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WLIMOdD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RoNpfKD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AagTaed.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EJUjQJK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YRUBbFq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cKVZCVf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YRJraxu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AbgjHLv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dmigPRO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BNgmcjV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yNIYiDW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rgQOmyj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JPyIRct.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VrQawxO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CtAIKVs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A (2 occurrences)

Suspicious use of WriteProcessMemory

Description Indicator Process Target (each write recorded 3 times)
PID 2052 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\rgQOmyj.exe
PID 2052 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\JPyIRct.exe
PID 2052 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\cKVZCVf.exe
PID 2052 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\YRJraxu.exe
PID 2052 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\AbgjHLv.exe
PID 2052 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\EJUjQJK.exe
PID 2052 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\TAJnwRO.exe
PID 2052 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\TngTAtl.exe
PID 2052 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\VrQawxO.exe
PID 2052 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\YRUBbFq.exe
PID 2052 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\wWANIoT.exe
PID 2052 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\WLIMOdD.exe
PID 2052 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\RoNpfKD.exe
PID 2052 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\CtAIKVs.exe
PID 2052 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\bipqyst.exe
PID 2052 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\SSyrYwQ.exe
PID 2052 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\AagTaed.exe
PID 2052 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\dmigPRO.exe
PID 2052 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\BNgmcjV.exe
PID 2052 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\hDqbDDb.exe
PID 2052 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\yNIYiDW.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\rgQOmyj.exe

C:\Windows\System\rgQOmyj.exe

C:\Windows\System\JPyIRct.exe

C:\Windows\System\JPyIRct.exe

C:\Windows\System\cKVZCVf.exe

C:\Windows\System\cKVZCVf.exe

C:\Windows\System\YRJraxu.exe

C:\Windows\System\YRJraxu.exe

C:\Windows\System\AbgjHLv.exe

C:\Windows\System\AbgjHLv.exe

C:\Windows\System\EJUjQJK.exe

C:\Windows\System\EJUjQJK.exe

C:\Windows\System\TAJnwRO.exe

C:\Windows\System\TAJnwRO.exe

C:\Windows\System\TngTAtl.exe

C:\Windows\System\TngTAtl.exe

C:\Windows\System\VrQawxO.exe

C:\Windows\System\VrQawxO.exe

C:\Windows\System\YRUBbFq.exe

C:\Windows\System\YRUBbFq.exe

C:\Windows\System\wWANIoT.exe

C:\Windows\System\wWANIoT.exe

C:\Windows\System\WLIMOdD.exe

C:\Windows\System\WLIMOdD.exe

C:\Windows\System\RoNpfKD.exe

C:\Windows\System\RoNpfKD.exe

C:\Windows\System\CtAIKVs.exe

C:\Windows\System\CtAIKVs.exe

C:\Windows\System\bipqyst.exe

C:\Windows\System\bipqyst.exe

C:\Windows\System\SSyrYwQ.exe

C:\Windows\System\SSyrYwQ.exe

C:\Windows\System\AagTaed.exe

C:\Windows\System\AagTaed.exe

C:\Windows\System\dmigPRO.exe

C:\Windows\System\dmigPRO.exe

C:\Windows\System\BNgmcjV.exe

C:\Windows\System\BNgmcjV.exe

C:\Windows\System\hDqbDDb.exe

C:\Windows\System\hDqbDDb.exe

C:\Windows\System\yNIYiDW.exe

C:\Windows\System\yNIYiDW.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 connections)

Files

memory/2052-0-0x00000000000F0000-0x0000000000100000-memory.dmp

memory/2052-1-0x000000013F2B0000-0x000000013F604000-memory.dmp

\Windows\system\rgQOmyj.exe

MD5 fbdeffe992bc218bd51321390167dbd2
SHA1 7f6dc1cd32fd184d43e5c8ecd0aab266b786b189
SHA256 ccf7748d577f68cc2ecb23669fdf1c9709eed01a0d6f3132ef3dc75e697b24da
SHA512 113a4387c76aa2ba0db08604eb922e1dbf2d9662a44fd4fade8b0ac51849a7eb872f1693025d8280effe591ed7232a39ac875a352c260f1e86da169fbccf1990

\Windows\system\JPyIRct.exe

MD5 61aa4bc553149f2d6c69d3193e762893
SHA1 a566f10e16a6eaa48cf67b8186cf24ea2565970e
SHA256 b3cf3515d16bb80dfc87ad153d24be36603638064e8e676268cf227d7c2730a8
SHA512 65680dffd9bd264d2313318f46d3f8ee9281d6716a314c4be2b2d5317365c04ece6ad19a19cf29f309a0a6f873b4374080fde15e92377cd334d6d83600610983

memory/2052-6-0x0000000002390000-0x00000000026E4000-memory.dmp

C:\Windows\system\cKVZCVf.exe

MD5 2972e592128d7758659440fd03e249b2
SHA1 2fed66c9d1fcb16ce97fd4ac1c7020b379a96e5e
SHA256 2229755d4ddc726f572f25a8cbad6612787eca5c11ab46e936f8b0dfa2899b9b
SHA512 2941f419306c5d586a58215e1d0abb6291ad8eae99980c3ae2e37ad83f0dee2dace4a1d63a24a80b7a23900d81f5b0e0d2dd3a25798724216f7be6b2756b9000

memory/2620-18-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/2564-27-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2052-29-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2052-30-0x000000013F780000-0x000000013FAD4000-memory.dmp

memory/2660-28-0x000000013F780000-0x000000013FAD4000-memory.dmp

memory/2996-26-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2052-23-0x000000013F770000-0x000000013FAC4000-memory.dmp

C:\Windows\system\YRJraxu.exe

MD5 43323a5ca8f856845010f18dbce4bde6
SHA1 87a278c3b4808564b6e66aae366d4902b3a06054
SHA256 a8027315b9f92224c99919257aed09069da8fe4610c24957f30d87eeddf42157
SHA512 c15397389382cd67233caa0480b1db68f79362074a4c8052a8a25870f998a351e925705df398b30b3889fc3e8cea54bde750aff7bf422f6b71ac18cb4196a54b

memory/2744-36-0x000000013F680000-0x000000013F9D4000-memory.dmp

C:\Windows\system\AbgjHLv.exe

MD5 0ad23cc2f24a7ac49296002681355a87
SHA1 4be2c44b3dea65e1f5c1682cbb7f6934faa15873
SHA256 37cbd88699fd502a7084d2529dbce34950b1280cf4dfaac4c0377b057f8aed29
SHA512 971d18d250c10632fe8ac11fbac379dfa3a3f55333b28552ffee832132a7383298e938adaae9279c47afc14809e1c76ace85ccc47595460d04fb1a63c749bd15

C:\Windows\system\EJUjQJK.exe

MD5 6053f6b20a734d76cd4e18430e3a88c7
SHA1 2dd87fbebb5239a63060340f3b5186bf19e6db6c
SHA256 4bb164698dd1333cf0850309d3f33ffc40ae976e017589c4b4dbc4c61703cd35
SHA512 ccab6ee08ea84eba685717d3f833fdcca64bd0684f6b40d2b036e695bbcd093e83bf62d7b9637099a9ef0f3c4eec5a23b1a5db41ec5010cd7ffd9d6bda1dcf27

memory/2052-41-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2460-43-0x000000013F920000-0x000000013FC74000-memory.dmp

\Windows\system\TAJnwRO.exe

MD5 20ba7e1c1d2b40dffcfc81f173ad5bc7
SHA1 71f4d89e3c07b8fed9719107c27f324b717157d8
SHA256 4407c4eaa3efef91542073779edc5e8341518ba3441f10a8bcd3ade65020c419
SHA512 8ce742d075a53dad0bea43fd6ec66cee9f9af57b158e0ec79c1826fb2c84a8e0ae52d8f66c5bed1b112fd0c4576a9b0eae67bcb19d1fdabff781d67126f4aa86

memory/2072-50-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

memory/2052-48-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

C:\Windows\system\TngTAtl.exe

MD5 fb98ab03a904a0baf377c59b1074f655
SHA1 38729c268f41a1450b82e19f0416a90658df9076
SHA256 2c9c39b30cf81e49f483ac9637d9ed28117063dd2f807cc5ec00b56d46dd1450
SHA512 f6a5cfd474f325fa023b4911a9049342bced1b3f0ee6b82427a6781f2327ab114c635c4daf62e5855103648774e8ba676917d641e43af9a33b40c4bdace57c31

memory/2052-56-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/2456-57-0x000000013FF30000-0x0000000140284000-memory.dmp

\Windows\system\YRUBbFq.exe

MD5 eecea3304bbb16ebad9bb30f8cc00de0
SHA1 2b78cc74396616287b7519a1ebb5706eb1cad821
SHA256 cd41142cb90f821ff0071396a29f2dc002e49142a2459618379dadddbd1105ba
SHA512 c847d67e8953ca6f88b6a20e754556205729a4e165c032d53b7db017c9881aafbd94c61b09bac7d94e3d47a3f3d55d8a9103786fb762c5dbfb17740c8d04eb49

memory/2052-71-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2896-64-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2620-63-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/2248-72-0x000000013F5D0000-0x000000013F924000-memory.dmp

C:\Windows\system\VrQawxO.exe

MD5 80d3e267682eea3e7e6806c1f27a747d
SHA1 59cf6ef47ed87c08c37ee5c8576380176b5ef17e
SHA256 795b23c9ed1324c81328757377667c6a67269e7dc6f3866340647e22375581c1
SHA512 f6defed3f09a01e0149865a3d13930f0eef210622368ad3301e09a2243c0bf79e13f00f540642ae05538b84233b78749ef2363c8e185a5717c1a3d847a0cbd82

memory/2052-61-0x000000013F2B0000-0x000000013F604000-memory.dmp

C:\Windows\system\WLIMOdD.exe

MD5 0b4fa423e4ccadf0cd766f883be57723
SHA1 be1f58bd2bdd8fd651ea05d36ce368f0d903796b
SHA256 a5e74b6c7bc30c5f3f7af9b069da9066a5477c588b2da83c1437575dd6ffb78d
SHA512 f81d6aa0211a4feaad983fe0a8d2dbb7bc5d763757af17864a478b828f100cbda2216ea57ebea97d7d67777a98cda7a4602e3d65cf56667100d23843d1f8bc6d

memory/2052-85-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/2412-86-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/848-78-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2052-76-0x0000000002390000-0x00000000026E4000-memory.dmp

C:\Windows\system\wWANIoT.exe

MD5 4b962652000161543f99a0b7682a9216
SHA1 16f51ee0844457ba2c92c71aca83458dc3f5eb5f
SHA256 bfa4720827693108168e458265efe191108afaf2c09cf5bb2ab8c236a3adbbec
SHA512 317100dafa4ef9f0d686e4027464312757b76bc12c1dbe1dd5d57485fd29ec0f227c0fb866a56242d22a5204d99b28d2dac4a26261a55571d907415f213f673c

C:\Windows\system\CtAIKVs.exe

MD5 ba1533bf953ff387b30d5c5848cb1672
SHA1 b4e056363198d4e8cb689d97a135f2c2b775f394
SHA256 fdde31206417be709c4d48b1d445eb70606db11f48c9f8d94547cf2c8cc13758
SHA512 c8c5b4c0d948c76d514f736c996322d379f1292a318d57c7cd445f99fa95a1d7e59b4cfd2309a876dd4eab0966a1f0e549cf20348199cb2bc23e5dece5a61576

memory/1484-97-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2536-92-0x000000013FC90000-0x000000013FFE4000-memory.dmp

C:\Windows\system\bipqyst.exe

MD5 792a12e569bcebed0797d01a0b70d70a
SHA1 b8662b1643bb34e190b7defe839715de1796dc98
SHA256 12bdb9d21cb1a50c08320f6ffd77af1124f2067f00b2b4ac3985e3dc53f5e313
SHA512 f4fd33d4a05cd4f006ea20470269f9e35c00a2e04db2a3945ade8498651c60d91c16f403008c5b50f37cbf5feace98fcde104aac64f0c841bb02f04715e9e06c

C:\Windows\system\dmigPRO.exe

MD5 c4dd2c25db28d2e6cb0b9912cc2aeb3d
SHA1 e15176c92e45e41206462e53342d66b8966ed48f
SHA256 12bf72f27b703edfc9d760fb27bed8f7876d411ce99bb961189d8881912aa10a
SHA512 4470161103a8081fc1adada07daae298ed46388aa80db264bdc8e8e0cb92c9867fc28092b2c0c8cd3ea0ffad630c61a5686b97f1017b2a59478170011252d3fd

C:\Windows\system\BNgmcjV.exe

MD5 95bfbd29ef5e90df1716fa50971af1c4
SHA1 82d9c36aedff610fa6fc39c6706ab7e4b9c896fa
SHA256 12df9c3c554bfd60a7c74bdcfff3c04c08d254f497ba1d4fb4cd925b0cece880
SHA512 16613fca2bf1ed7752893f40f150a32a073990cfd64fdb2197d98210e96652dd2f7c5a9f4658d4ab73ec3153757dd859edf2f1927ce1516fb7ec892dd4c58b9a

\Windows\system\yNIYiDW.exe

MD5 615cf43c0105249bbebf7aa5344ea56f
SHA1 2035804cfe178628ffd7c7b0e4a28fde0cbf22bc
SHA256 1b3f7519fa35f0fee826030b19e6d2174825f4dfc5340333c41ec58c8ac4979d
SHA512 597ba3c35c65a773f93fd6af32588bfe5701c8fca5c39c946e82b81987ce0768d05d03fbcd11bfd1790338c4bcbc70f852340f09044f2338d5afc2e0731faa09

C:\Windows\system\hDqbDDb.exe

MD5 9a4f12f8e123264204ff987332941130
SHA1 8a5b6a37ad82650e8681e7a4a62c1aef53e837ec
SHA256 afa43acf66a6b41a27cc88e249e5fa8fa813233be7de83ba1a8529a953bf0c42
SHA512 a56ac49bb50d9b2410ef0849f0b07939c08661f93a81b9675321add5e4d3cc6c4eef30e00be7644da8cd4b657654ace35da6d18dadb8ddb58190a26fa8207f93

C:\Windows\system\AagTaed.exe

MD5 aca8f4929e1321f287dded701c3be3bd
SHA1 0786812166a1c1c5da048397f29c6496782abba3
SHA256 de6fbcb7b0a6199774bc45b23a7a206c8bca42f4ba88c3291db10c6447e03b60
SHA512 7008f6ffde6fccd2f430452344c48a920fd457b008d351c6e40cbf200934609cda9083fd2e24ddf3fe37737a070653b860553a05b3beb5537a6e2d5a29ea1a3e

memory/2052-101-0x000000013FEF0000-0x0000000140244000-memory.dmp

C:\Windows\system\SSyrYwQ.exe

MD5 c8032e1300debcab1d2cd3772b6b5008
SHA1 2f7cd9bffab3c7c19985b48f56739ef2a9d34d8c
SHA256 ff482b53044556684d134e41e5ba84a2fc0316a7aeab724c7f38b5b24c6d9a98
SHA512 517bb774f676d005933861c0a10b9024fb019238c170ee34e8e36bad1962947027f209c19d2d25fed99c33fc8cf300026b6d244afba0185e25758806a63172ed

memory/2460-91-0x000000013F920000-0x000000013FC74000-memory.dmp

C:\Windows\system\RoNpfKD.exe

MD5 d04d5c638b841a589412a8a85cf09c10
SHA1 4e92c76c632ec24b1e556ad3c9d4c72126ba5205
SHA256 6cefd90254f1f2f74e83b7469c81f3d882a7e0d0afced01d7b8f2d081d642103
SHA512 903e2ed350c79c8668f97ac86b8ac03df047336c392412d1cf920a9b509c354058bfa24c79d03198853c90ff683c3c52160fc194c36ccd9a2cbec5a017c1583f

memory/2896-135-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2052-136-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/848-137-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2052-138-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/2536-139-0x000000013FC90000-0x000000013FFE4000-memory.dmp

memory/1484-140-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2052-141-0x000000013FEF0000-0x0000000140244000-memory.dmp

memory/2996-142-0x000000013F770000-0x000000013FAC4000-memory.dmp

memory/2620-143-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/2660-144-0x000000013F780000-0x000000013FAD4000-memory.dmp

memory/2564-145-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2744-146-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2460-147-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2072-148-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

memory/2456-149-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/2248-150-0x000000013F5D0000-0x000000013F924000-memory.dmp

memory/2896-151-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/848-152-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2412-153-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/1484-154-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2536-155-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 08:44

Reported

2024-06-08 08:47

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\mFrGFIx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dxBhjvw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QgkPTWP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IORALia.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pKQDPSe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pJSqUDv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HJYXBXR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WsVxOnw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hjsQqWG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ghcTItH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KYGKEKf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jjkkKqV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xRhUSMR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rrpWvuQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mYnAxXN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wqspVOM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EqxyvWD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PuiYEnQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hfHHnLi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FXIGPll.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dVkcjgl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\hjsQqWG.exe
PID 2284 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\hjsQqWG.exe
PID 2284 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\IORALia.exe
PID 2284 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\IORALia.exe
PID 2284 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\jjkkKqV.exe
PID 2284 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\jjkkKqV.exe
PID 2284 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\pKQDPSe.exe
PID 2284 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\pKQDPSe.exe
PID 2284 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\EqxyvWD.exe
PID 2284 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\EqxyvWD.exe
PID 2284 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\xRhUSMR.exe
PID 2284 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\xRhUSMR.exe
PID 2284 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\pJSqUDv.exe
PID 2284 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\pJSqUDv.exe
PID 2284 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\HJYXBXR.exe
PID 2284 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\HJYXBXR.exe
PID 2284 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\PuiYEnQ.exe
PID 2284 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\PuiYEnQ.exe
PID 2284 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\ghcTItH.exe
PID 2284 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\ghcTItH.exe
PID 2284 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\hfHHnLi.exe
PID 2284 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\hfHHnLi.exe
PID 2284 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\WsVxOnw.exe
PID 2284 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\WsVxOnw.exe
PID 2284 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\FXIGPll.exe
PID 2284 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\FXIGPll.exe
PID 2284 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\dVkcjgl.exe
PID 2284 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\dVkcjgl.exe
PID 2284 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\mFrGFIx.exe
PID 2284 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\mFrGFIx.exe
PID 2284 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\rrpWvuQ.exe
PID 2284 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\rrpWvuQ.exe
PID 2284 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\KYGKEKf.exe
PID 2284 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\KYGKEKf.exe
PID 2284 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\dxBhjvw.exe
PID 2284 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\dxBhjvw.exe
PID 2284 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\mYnAxXN.exe
PID 2284 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\mYnAxXN.exe
PID 2284 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\wqspVOM.exe
PID 2284 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\wqspVOM.exe
PID 2284 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\QgkPTWP.exe
PID 2284 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe C:\Windows\System\QgkPTWP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\hjsQqWG.exe

C:\Windows\System\hjsQqWG.exe

C:\Windows\System\IORALia.exe

C:\Windows\System\IORALia.exe

C:\Windows\System\jjkkKqV.exe

C:\Windows\System\jjkkKqV.exe

C:\Windows\System\pKQDPSe.exe

C:\Windows\System\pKQDPSe.exe

C:\Windows\System\EqxyvWD.exe

C:\Windows\System\EqxyvWD.exe

C:\Windows\System\xRhUSMR.exe

C:\Windows\System\xRhUSMR.exe

C:\Windows\System\pJSqUDv.exe

C:\Windows\System\pJSqUDv.exe

C:\Windows\System\HJYXBXR.exe

C:\Windows\System\HJYXBXR.exe

C:\Windows\System\PuiYEnQ.exe

C:\Windows\System\PuiYEnQ.exe

C:\Windows\System\ghcTItH.exe

C:\Windows\System\ghcTItH.exe

C:\Windows\System\hfHHnLi.exe

C:\Windows\System\hfHHnLi.exe

C:\Windows\System\WsVxOnw.exe

C:\Windows\System\WsVxOnw.exe

C:\Windows\System\FXIGPll.exe

C:\Windows\System\FXIGPll.exe

C:\Windows\System\dVkcjgl.exe

C:\Windows\System\dVkcjgl.exe

C:\Windows\System\mFrGFIx.exe

C:\Windows\System\mFrGFIx.exe

C:\Windows\System\rrpWvuQ.exe

C:\Windows\System\rrpWvuQ.exe

C:\Windows\System\KYGKEKf.exe

C:\Windows\System\KYGKEKf.exe

C:\Windows\System\dxBhjvw.exe

C:\Windows\System\dxBhjvw.exe

C:\Windows\System\mYnAxXN.exe

C:\Windows\System\mYnAxXN.exe

C:\Windows\System\wqspVOM.exe

C:\Windows\System\wqspVOM.exe

C:\Windows\System\QgkPTWP.exe

C:\Windows\System\QgkPTWP.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

memory/2284-0-0x00007FF63E450000-0x00007FF63E7A4000-memory.dmp

memory/2284-1-0x00000210F7460000-0x00000210F7470000-memory.dmp

C:\Windows\System\hjsQqWG.exe

MD5 15c3c86811c1a018ea9c474bbe1d730c
SHA1 c73b8174b08c3bfd46c98d0610df01e63b3a58a4
SHA256 a6468322518ae3b9a04a305e206ed6877c916d9195b4cdc22c370686dd682432
SHA512 68281a2b2ee2cc3f57975a07d3f56bad576ff64f6bc48c5f9ffc5ddd2f14d41e6e91de73492b2e3e3477b8a703782c8bde409acb5c9c5edd2793bf0242fa852d

C:\Windows\System\IORALia.exe

MD5 98577eda0e7c3132bd47962932f8e918
SHA1 f50c863052cfda182f0973dafe95b549cd2d417a
SHA256 35b046710efa0080996a5db8f9d97119f36936aea2fe2aabb1c962c4f0c4186c
SHA512 568a406af673b7841f52f21672460eb27d4b8c54396545ad8b38ed1ae570e9be13c934a4fafea96a517647b01984a70d1990f53482c474f0e1bdf809804e3499

memory/4184-14-0x00007FF7A9C00000-0x00007FF7A9F54000-memory.dmp

C:\Windows\System\jjkkKqV.exe

MD5 8c75ec4bd1a54b1d324dec558e6b10aa
SHA1 e085fa2de61686c28e793755cb0976e5d82bdd85
SHA256 afbca9175a5c58ae39f2d579e211e2d2f6680674a6f72e61d51e731962bfa60d
SHA512 b59212d2e2a875f348c43b04a1c3a08dba4982680a81543494a065b650a00b6aca1a61ed051ea5a850f2004c83ef9c9982a23401b6db64ee35bf9cbaad7462fe

memory/436-20-0x00007FF7E4E10000-0x00007FF7E5164000-memory.dmp

memory/1472-8-0x00007FF773F80000-0x00007FF7742D4000-memory.dmp

C:\Windows\System\pKQDPSe.exe

MD5 9830984b0bfa32d32ab00c00f1a471ca
SHA1 dfc41aa66dccdf230cfd892268fd3796c53031eb
SHA256 78cdaf6734e3ee050f0f1b50a69cbcc64e2de9d986d932bbbca83f6759cb1b46
SHA512 0253f2b3cab4de6eb02dfe4559556f0ab1d336f3ced723f7809bceda46733f243e053873ec14760d0f138e0de6c7b0a2e383424cca85c6d2d732fbb8fa91f9db

memory/2448-26-0x00007FF76B550000-0x00007FF76B8A4000-memory.dmp

C:\Windows\System\EqxyvWD.exe

MD5 6c34ee28c1475d6ca9ee2ff93ebee425
SHA1 c23f8db2f1538cc4d9e2f4d235fdf3281ee91054
SHA256 4a5a20fed867baa11137f26c7b3e43ac1f227f5d944ac4662268037111cd5de5
SHA512 07d21503ad226b7498e912520b106478201c53dfbfaf10e496df98b4b1e41b16514d9689347884df44def1a39bf936d6961436c6b1adf716d36e9c9a520bd9ef

C:\Windows\System\xRhUSMR.exe

MD5 a037fa2d3d0facb3b3c879dc532f69d8
SHA1 109e298aa42258623e4c7bb6a6099c1aa286684d
SHA256 8738775d426f280e34403bb262f38878e0c6d8fca3e0971b4507837628faf077
SHA512 b9f1581e70d5255116196073554e735a65f7845b6ae8a447e92cd2368a77471c201e967a0aa2649146da92262b0b7b63106961cc50cf579c2646ba7d0692bc9f

memory/3084-42-0x00007FF6CECA0000-0x00007FF6CEFF4000-memory.dmp

memory/4008-45-0x00007FF7A47B0000-0x00007FF7A4B04000-memory.dmp

C:\Windows\System\HJYXBXR.exe

MD5 9b2c9e733be43af2c9f44a987d304ff1
SHA1 b792d2f2ae9da62f446eb6b20a3f0859fdee317f
SHA256 d95c15cc0234db0c775eaad993558734f445ee2d204c23cf0db18f426f4cef48
SHA512 072cd077194a70f292c830be7e4dac4f1d64441cf139f419a0e7401a5fceca267b218f5cd68bf867f1f3a041c185d389089d0467b5c98e342e3f1b652629d98f

memory/3260-48-0x00007FF659680000-0x00007FF6599D4000-memory.dmp

C:\Windows\System\pJSqUDv.exe

MD5 6a737dc7787c75e756d8fe63a58145db
SHA1 b5f882e54150a3ad8c1d3249ddff7e0b5e19eeeb
SHA256 146f9780a2e59b1a1d7b4b6a97cc20e8bd9e95a218fc6a847e8f7718211c787f
SHA512 89f9eeb79a75471c981664fcd128b2bbf713b0f1afeffef56d2929f231c53fb4bd91843372d5d366d53412d55051caf76eab1fac1cfed34727ade0e5a6b69256

memory/464-32-0x00007FF67EB80000-0x00007FF67EED4000-memory.dmp

C:\Windows\System\PuiYEnQ.exe

MD5 187178b44f32857631effccc027f7c7b
SHA1 1e58f22420b71e96df97831b9e79bb91239a65c7
SHA256 e973a31de8188f6676970abeda1563bad9d07a9f18d923906b1670b387f14807
SHA512 2144f33e00edefb4df86d1b306f7933ba92c44865fe18bd2e6754ee5de7eb1120ac61e4e2f7eefb35cafcc2b05b481083a97e52666081bfa5decf2b335572a75

memory/2284-62-0x00007FF63E450000-0x00007FF63E7A4000-memory.dmp

memory/2168-64-0x00007FF6DAFB0000-0x00007FF6DB304000-memory.dmp

C:\Windows\System\hfHHnLi.exe

MD5 a9e58c43b40305fe46d891f6b2f77fc5
SHA1 8e14bf0190a22222674f443c831fd6b8182e3360
SHA256 4f3184cedf2e172e9a720b04c1cfbbdda14814f1859ee4531a16b17db4c4d68d
SHA512 51e49231d6037e820e35074bb3404af1fceb7e7470df654194a7aa2f07884c91c76e9aefd5db9ddf452de6011af4030993c1d142de611443370af538b3498760

C:\Windows\System\ghcTItH.exe

MD5 e9730f9a915949bce9ce20c45f65ec67
SHA1 f57485c6973783334edcf652d2845554e81c23fd
SHA256 44ce656d66b35261ffb87c11b7b328f5ab974aad1f3e02700b0becbd39936dc0
SHA512 e8976177408af55598494dfa9ec2cf989ecc6807618b47a80fa39ff1df2a78a4a20e9b7b5f33a58c4ef556d90bda99107cf9479f6dc962a2f81fe155d78e11fc

memory/3292-54-0x00007FF72CDD0000-0x00007FF72D124000-memory.dmp

memory/1472-69-0x00007FF773F80000-0x00007FF7742D4000-memory.dmp

memory/3236-70-0x00007FF77AE70000-0x00007FF77B1C4000-memory.dmp

C:\Windows\System\WsVxOnw.exe

MD5 f8c8edd8d81ee224b00cee0fa39ea718
SHA1 1868aa26eb9d2f2ecf9763d6e4ec27c9429d723d
SHA256 1da97fbb8686cf83acf70109031f5713f5c4eb5966fe269e8e2b332ed0f1f214
SHA512 ab54c85b2b19b2cc1e9aa9faf8f2a4d11032818c77f2ef6abc2ea4ba80f036e8fba81d1bd4f381b3d6739b5ca81d6e4daed96b83da0a10cf446554c6850006a1

C:\Windows\System\FXIGPll.exe

MD5 370be38f869a1626c08b43242b9f21ae
SHA1 93770fcc480aba007f1a94aab024c037eb7c1538
SHA256 6f3ae2d4acc7cc93db7f98ec1202532b21fa8a80e7c6b0d26e61bbe821a2562e
SHA512 699bd1dce7404115c52e61f8e01f7cda0e7f63c6e2e8cb7d53871bd8da46101938dcca3aaa39f2b570baa48f31f9837a9d37656bc346c22196193651d53ea58d

memory/3596-74-0x00007FF6FECE0000-0x00007FF6FF034000-memory.dmp

C:\Windows\System\dVkcjgl.exe

MD5 d4174cfa55bac41b538f56498306cc19
SHA1 ca3cbf79f5ffc9fcd541d2f9aff541092c5dafa1
SHA256 6681a7d30b775f4ecfd2c9ada339a9df05be34a397df7c145da30166832813d4
SHA512 b1f1763fd358b4ad534566b65f68c2346a42f11df8ac979c588560cd02f8b007d9ae4fbb7af2c125f9e325709b32120c46ba6c3149c1e0210d77d469939383fd

C:\Windows\System\mFrGFIx.exe

MD5 37f96b2f359084a6f09670c564564928
SHA1 ded314a57ec3f5116868a35ce9f9230bb083ab92
SHA256 322317ea0a4a44dcf8aaf65170b62bf35690c609e124635c4ce00969a7eea63e
SHA512 53dada7635290a76c0da69588248f4714943550dfa5e82d87d1c6d354573d6fa718ba5caa9a36386ec5daf3c409863970857b0afbd97aa7408f33292f36c1496

memory/3204-91-0x00007FF6B2100000-0x00007FF6B2454000-memory.dmp

memory/2448-90-0x00007FF76B550000-0x00007FF76B8A4000-memory.dmp

C:\Windows\System\rrpWvuQ.exe

MD5 05f26f25135561f62423b26add1067cc
SHA1 66f32fb134e53f66b3cfc27f8a8a6f77b830f609
SHA256 7221959604558899b76de17b7adb69ef145b2b0f1b473a4efb41a20bf5015b90
SHA512 019d8aa7e33c812a7c94056e008750e6743d27dfef0e3229c2b032582282df544356ed00065c0fc6f4f82340986c705f2b5416ed8eab3adae93ef0b0c62cb1ed

memory/4132-97-0x00007FF706BE0000-0x00007FF706F34000-memory.dmp

memory/1116-82-0x00007FF7614C0000-0x00007FF761814000-memory.dmp

memory/4008-101-0x00007FF7A47B0000-0x00007FF7A4B04000-memory.dmp

memory/3320-102-0x00007FF65B4A0000-0x00007FF65B7F4000-memory.dmp

C:\Windows\System\KYGKEKf.exe

MD5 4023285ea9878208a881ab83582dbdcd
SHA1 9f5dac1dea96d5108cbce2e2d8cc31a39541682f
SHA256 699b5763c2ea7b3daff25451d2ec85a6d54fae9894290f56f89b741bcce19302
SHA512 5c6ac3147c65cc88583a49140d9e8ed9a855ad9be4cf45a909d4e57c3ca160d3328596584e89a947a9557c2280b7849fdb7cc900d40f4430e9d9e48a92c196ba

C:\Windows\System\dxBhjvw.exe

MD5 7b8cffc313464a37701b372f13b1d0f0
SHA1 b15d1d76b1ed07b510aaf5dd3a29ea0b255452c5
SHA256 7fc8cc91333ea056241dc73d86f29e0367ca756f37086eadaacdfe77f3d1de47
SHA512 9405980e93f3807518ea2073dc973f3598bd83a4475d32c8d1641a4d51c34a5006649b0db5ebcd82a4089e74c417dc474936b948096194783d292f2f8c4f5dd9

C:\Windows\System\mYnAxXN.exe

MD5 7334040c775f9fd2e489b3613084c923
SHA1 04a5a0fde362bbf37f342e8427a1d0a729f3882d
SHA256 716ab8f380139ff1596e9cfd57533f9392ff310ea39762164cb08f86bdd70cbc
SHA512 fbc7fc0572006c5497b7629b02c0359ee695935798790ec535b1a120d0189250883cf11481403dec368d285d2126c9adf1cd72bcf0ec21b13b8eca5c0c81bfb4

memory/1896-117-0x00007FF627080000-0x00007FF6273D4000-memory.dmp

memory/3260-116-0x00007FF659680000-0x00007FF6599D4000-memory.dmp

memory/2852-107-0x00007FF66AAD0000-0x00007FF66AE24000-memory.dmp

C:\Windows\System\wqspVOM.exe

MD5 b6d0284ed89fd9ca2dd81e70c5c34339
SHA1 a4e42c3c5583d28842480b92f33cf0ea7cbe31df
SHA256 29012109323c5c24d8e566d5ff1f5b251911acfad8f2421b7e24510bb9fdad5e
SHA512 1d136158de60f7b437359ccbc6c81e48442d2b4c7b51628ad00d5c102528cae56e90e384f2a9b6f039d0bb84f1db07c1d2aefdab8a925691e0c5cad4dd4f54a7

memory/2144-126-0x00007FF66FAC0000-0x00007FF66FE14000-memory.dmp

C:\Windows\System\QgkPTWP.exe

MD5 b0d841f29cbc0abd6e74d18f18650bd1
SHA1 7186b141d95458eec4816834e0fde41fc178c1f4
SHA256 a6d7b669f99630fd8adfbe30d29cea9c556344b8c598ba5383673eb34aa09e59
SHA512 9a07ddefdd62b1dc6e02c4e3e23e8c6c7f4bbb9d6a66c975240d7118e9a0754f22b823b4f8d2a75a96e620eddc33b10178e1f402844d1128522330b3b05f4f9a

memory/4088-125-0x00007FF6CCCA0000-0x00007FF6CCFF4000-memory.dmp

memory/3292-124-0x00007FF72CDD0000-0x00007FF72D124000-memory.dmp

memory/4304-133-0x00007FF65FEB0000-0x00007FF660204000-memory.dmp

memory/3596-134-0x00007FF6FECE0000-0x00007FF6FF034000-memory.dmp

memory/1116-135-0x00007FF7614C0000-0x00007FF761814000-memory.dmp

memory/2852-136-0x00007FF66AAD0000-0x00007FF66AE24000-memory.dmp

memory/2144-137-0x00007FF66FAC0000-0x00007FF66FE14000-memory.dmp

memory/1472-138-0x00007FF773F80000-0x00007FF7742D4000-memory.dmp

memory/4184-139-0x00007FF7A9C00000-0x00007FF7A9F54000-memory.dmp

memory/436-140-0x00007FF7E4E10000-0x00007FF7E5164000-memory.dmp

memory/2448-141-0x00007FF76B550000-0x00007FF76B8A4000-memory.dmp

memory/464-142-0x00007FF67EB80000-0x00007FF67EED4000-memory.dmp

memory/3084-143-0x00007FF6CECA0000-0x00007FF6CEFF4000-memory.dmp

memory/4008-144-0x00007FF7A47B0000-0x00007FF7A4B04000-memory.dmp

memory/3260-145-0x00007FF659680000-0x00007FF6599D4000-memory.dmp

memory/3292-146-0x00007FF72CDD0000-0x00007FF72D124000-memory.dmp

memory/2168-147-0x00007FF6DAFB0000-0x00007FF6DB304000-memory.dmp

memory/3236-148-0x00007FF77AE70000-0x00007FF77B1C4000-memory.dmp

memory/3596-149-0x00007FF6FECE0000-0x00007FF6FF034000-memory.dmp

memory/1116-150-0x00007FF7614C0000-0x00007FF761814000-memory.dmp

memory/3204-151-0x00007FF6B2100000-0x00007FF6B2454000-memory.dmp

memory/4132-152-0x00007FF706BE0000-0x00007FF706F34000-memory.dmp

memory/3320-153-0x00007FF65B4A0000-0x00007FF65B7F4000-memory.dmp

memory/2852-154-0x00007FF66AAD0000-0x00007FF66AE24000-memory.dmp

memory/1896-155-0x00007FF627080000-0x00007FF6273D4000-memory.dmp

memory/4088-156-0x00007FF6CCCA0000-0x00007FF6CCFF4000-memory.dmp

memory/2144-157-0x00007FF66FAC0000-0x00007FF66FE14000-memory.dmp

memory/4304-158-0x00007FF65FEB0000-0x00007FF660204000-memory.dmp